From owner-freebsd-net Sun Dec 17 2:34:25 2000
From owner-freebsd-net@FreeBSD.ORG Sun Dec 17 02:34:19 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mailout05.sul.t-online.com (mailout05.sul.t-online.com [194.25.134.82]) by hub.freebsd.org (Postfix) with ESMTP id A702A37B400; Sun, 17 Dec 2000 02:34:18 -0800 (PST)
Received: from fwd01.sul.t-online.com by mailout05.sul.t-online.com with smtp id 147b8z-00036B-02; Sun, 17 Dec 2000 11:34:17 +0100
Received: from janus.internal.bermuda.de (320006624138-0001@[62.158.126.121]) by fmrl01.sul.t-online.com with esmtp id 147b8k-2BWuVkC; Sun, 17 Dec 2000 11:34:02 +0100
Received: from janus (atlas.internal.bermuda.de [192.168.6.3]) by janus.internal.bermuda.de (8.9.3/8.9.3/Debian 8.9.3-21) with SMTP id LAA29013; Sun, 17 Dec 2000 11:33:58 +0100
X-Authentication-Warning: janus.internal.bermuda.de: Host atlas.internal.bermuda.de [192.168.6.3] claimed to be janus
Date: Sun, 17 Dec 2000 11:33:57 +0100
From: Nils Bokermann
To: net@freebsd.org
Cc: questions@freebsd.org
Subject: PPPoE and MTU problem
Message-ID: <20001217113357.A3485@atlas.internal.bermuda.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Balsa 1.0.0
Lines: 66
X-Sender: 320006624138-0001@t-dialin.net
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

The following problem: I have a DSL connection to the internet, and a few clients behind the BSD box (see picture). I can do connections to the internet, nearly everything works. But I DO have 2 systems (which I desperately need), which do NOT fragment the packets. When using a Linux router (don't blame me for that) everything just works fine. Is there a problem with my configuration, or is that a BSD-specific problem?

client <-- ethernet (MTU=1500) --> FreeBSD-Box <-- DSL (MTU=1492) --> Provider (German Telekom)

unakruemel# uname -a
FreeBSD kruemel.monster.sensibelchen.org 4.2-BETA FreeBSD 4.2-BETA #4: Fri Dec 8 15:27:31 CET 2000 root@kruemel.monster.sensibelchen.org:/usr/src/sys/compile/KRUEMEL i386

kruemel# ipfw list
00100 allow ip from any to any via lo0
00200 allow ip from any to any via rl0
00300 allow tcp from any to any out xmit tun0 setup
00400 allow tcp from any to any via tun0 established
00500 allow udp from any to any via tun0
00600 allow log logamount 100 tcp from any to any 80 setup
00700 allow log logamount 100 tcp from any to any 22 setup
00800 allow log logamount 100 tcp from any to any 20 setup
00900 allow log logamount 100 tcp from any to any 25 setup
01000 reset log logamount 100 tcp from any to any 113 in recv tun0
01100 allow udp from any to any 53 out xmit tun0
01200 allow udp from any 53 to any in recv tun0
65435 allow icmp from any to any
65435 deny log logamount 100 ip from any to any
65535 deny ip from any to any

kruemel# cat /etc/ppp/ppp.conf
default:                          # or name_of_service_provider
  set device PPPoE:rl0            # replace xl1 with your ethernet device
  set mru 1450
  set mtu 1450
  set authname 0000******************t-online.de
  set authkey *didyoureallythinkofthat?*
  set log Phase tun command       # you can add more detailed logging if you wish
  # set log cbcp ccp connect debug ipcp lcp sync
  set dial
  set login
  enable lqr
  set speed sync
  set ifaddr 10.0.0.1/0 10.0.0.2/0
  add default HISADDR
  # nat enable yes                # if you want to enable nat for your local net

kruemel# cat /etc/rc.conf
[...]
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="default"             # or your provider
firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"

--
Nils Bokermann           /"\
Johanneswerkstr. 90      \ /   ASCII Ribbon Campaign
33613 Bielefeld           x    Say NO to HTML in email and news
Germany                  / \

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message


From owner-freebsd-net Sun Dec 17 3:31:41 2000
Message-ID: <3A3CA2DE.28AB4780@elischer.org>
Date: Sun, 17 Dec 2000 03:26:22 -0800
From: Julian Elischer
To: Nils Bokermann
Cc: net@freebsd.org, questions@freebsd.org
Subject: Re: PPPoE and MTU problem
References: <20001217113357.A3485@atlas.internal.bermuda.de>

Nils Bokermann wrote:
>
> Hi!
>
> The following problem: I have a DSL connection to the internet, and a
> few clients behind the BSD box (see picture). I can do connections to the
> internet, nearly everything works. But I DO have 2 systems (which I
> desperately need), which do NOT fragment the packets. When using a Linux
> router (don't blame me for that) everything just works fine. Is there a
> problem with my configuration, or is that a BSD-specific problem?
>
> client <-- ethernet (MTU=1500) --> FreeBSD-Box <-- DSL
> (MTU=1492)-->Provider(German Telekom)
>
> unakruemel# uname -a
> FreeBSD kruemel.monster.sensibelchen.org 4.2-BETA FreeBSD 4.2-BETA #4:
> Fri Dec 8 15:27:31 CET 2000 root@kruemel.monster.sensibelchen.org:/usr/src/sys/compile/KRUEMEL
> i386
>
> kruemel# ipfw list
> 00100 allow ip from any to any via lo0
> 00200 allow ip from any to any via rl0
> 00300 allow tcp from any to any out xmit tun0 setup
> 00400 allow tcp from any to any via tun0 established
> 00500 allow udp from any to any via tun0
> 00600 allow log logamount 100 tcp from any to any 80 setup
> 00700 allow log logamount 100 tcp from any to any 22 setup
> 00800 allow log logamount 100 tcp from any to any 20 setup
> 00900 allow log logamount 100 tcp from any to any 25 setup
> 01000 reset log logamount 100 tcp from any to any 113 in recv tun0
> 01100 allow udp from any to any 53 out xmit tun0
> 01200 allow udp from any 53 to any in recv tun0
> 65435 allow icmp from any to any
> 65435 deny log logamount 100 ip from any to any
> 65535 deny ip from any to any
>
It's interesting that you are using ipfw to filter rather than the filtering in ppp. But no matter, it should still work.

Theoretically, the BSD machine should fragment any 'too large' packets coming through, and the router at the other end should too, though the standard behaviour of clients should be to use a smaller size by default for routes that are not local. In any case sometimes this doesn't work right.

One answer is to use the newest version of ppp (apply to brian@freebsd for a 4.2 version) which fiddles with the negotiations as they go past and fools both sides into using smaller packets. Check recent pppoe discussion in the mailing lists, as this problem often shows up with pppoe.

--
      __--_|\   Julian Elischer
     /       \  julian@elischer.org
    (   OZ    ) World tour 2000
---> X_.---._/  presently in: Budapest
          v


From owner-freebsd-net Sun Dec 17 3:47:31 2000
Date: Sun, 17 Dec 2000 12:45:48 +0100
From: Udo Erdelhoff
To: Nils Bokermann
Cc: net@freebsd.org, questions@freebsd.org
Subject: Re: PPPoE and MTU problem
Message-ID: <20001217124548.A950@nathan.ruhr.de>
References: <20001217113357.A3485@atlas.internal.bermuda.de>
In-Reply-To: <20001217113357.A3485@atlas.internal.bermuda.de>; from nilsb@bermuda.de on Sun, Dec 17, 2000 at 11:33:57AM +0100

Hi,

> The following problem: I have a DSL connection to the internet, and a
> few clients behind the BSD box (see picture). I can do connections to the
> internet, nearly everything works. But I DO have 2 systems (which I
> desperately need), which do NOT fragment the packets. When using a Linux
> router (don't blame me for that) everything just works fine. Is there a
> problem with my configuration, or is that a BSD-specific problem?

It's a problem with your configuration. You have to use tcpmssd on your FreeBSD router. If you can read German, check out chapter 5.2 of my "Using T-ISDN-DSL with FreeBSD" tutorial. The URL is http://www.ruhr.de/home/nathan/FreeBSD/tdsl-freebsd.html#TCPMSSD

The quick and dirty summary of the chapter:

a) Check if the port skeleton for tcpmssd contains a file named patch-aa. If the file is missing, download a new port skeleton from www.freebsd.org
b) Build and install tcpmssd
c) Run "tcpmssd -p 1234 -m 1492", do not use the -i variant, it doesn't work. Don't use -m unless you have the new version of the port or tcpmssd will crash when it receives the first packet.
d) Add a rule to your ipfw ruleset:
     divert 1234 tcp from any to any out xmit tun0 setup
   Place the rule right next to your existing natd rule
e) Make sure that tcpmssd is launched automatically on reboot.

/s/Udo

PS: Your ppp.conf violates RFC2615. You are not supposed to use any kind of compression on a PPPoE link.
--
"41.6: Ersetzen von Austauschen" (HP Color LJ 5M error message)
"41.6: Replace Coating Kit" (the English original of this message)


From owner-freebsd-net Sun Dec 17 8:26:23 2000
Date: Sun, 17 Dec 2000 10:26:13 -0600
From: "Jacques A. Vidrine"
To: freebsd-net@FreeBSD.org
Cc: Poul-Henning Kamp, Kris Kennaway, jesper@skriver.dk, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217102613.B61976@spawn.nectar.com>
References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217095914.A61976@spawn.nectar.com>
In-Reply-To: <20001217095914.A61976@spawn.nectar.com>; from n@nectar.com on Sun, Dec 17, 2000 at 09:59:14AM -0600

[Moved to freebsd-net]

On Sun, Dec 17, 2000 at 09:59:14AM -0600, Jacques A. Vidrine wrote:
> On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> > In message <20001217012007.A18038@citusc.usc.edu>, Kris Kennaway writes:
> > >This sounds like a security hole since ICMP messages don't have a TCP
> > >sequence number meaning they can be trivially spoofed - am I wrong?
> >
> > There was some discussion on the list, and the result was that the
> > default is this behaviour is "off" for now.
> >
> > Since we only react to this in "SYN-SENT" I think the window of
> > opportunity is rather small in the first place...
>
> [ I haven't looked at the patch ]
>
> ICMP packets include the headers of the packets that `triggered' them,
> so we do have a sequence number.
>
> I think the correct thing to do is to pull the source address,
> destination address, source port, destination port, and sequence number
> from the ICMP message, and zap the corresponding connection IFF the
> sequence number is in the window.
Jesper, I'm sorry I missed this thread on -hackers (I just caught up using the archive).

I'm glad this is off by default. While clearly these ICMP messages need to be handled, I think the approach taken has fatal flaws:

 (1) This opens a new DoS attack
 (2) These same messages are not handled for connections not in SYN-SENT: they ought to be

Are you planning on addressing these issues? I don't think this code should make it to -STABLE as-is.

--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org


From owner-freebsd-net Sun Dec 17 9:02:31 2000
Date: Sun, 17 Dec 2000 09:03:42 -0800
From: Kris Kennaway
To: "Jacques A. Vidrine", freebsd-net@FreeBSD.org, Poul-Henning Kamp, Kris Kennaway, jesper@skriver.dk, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217090342.A21829@citusc.usc.edu>
References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217095914.A61976@spawn.nectar.com> <20001217102613.B61976@spawn.nectar.com>
In-Reply-To: <20001217102613.B61976@spawn.nectar.com>; from n@nectar.com on Sun, Dec 17, 2000 at 10:26:13AM -0600

On Sun, Dec 17, 2000 at 10:26:13AM -0600, Jacques A. Vidrine wrote:
> > ICMP packets include the headers of the packets that `triggered' them,
> > so we do have a sequence number.
> >
> > I think the correct thing to do is to pull the source address,
> > destination address, source port, destination port, and sequence number
> > from the ICMP message, and zap the corresponding connection IFF the
> > sequence number is in the window.

I'd be happy with this approach.
Kris


From owner-freebsd-net Sun Dec 17 12:09:49 2000
Message-ID: <3A3D1D8D.17EE8696@inode.at>
Date: Sun, 17 Dec 2000 21:09:49 +0100
From: Michael Bretterklieber
To: FreeBSD-net@FreeBSD.org
Subject: mpd3.2 and pptp and mppe and FreeBSD 3.5.1

Hi,

Here is a Howto for MPPE on FreeBSD 3.5.1:

1. Get these files from 4.1:
     sys/netgraph/ng_mppc.c
     sys/netgraph/ng_mppc.h
     sys/modules/netgraph/mppc/*
   copy ng_mppc.h to /usr/include/netgraph

2. get new crypto-sources from 4.1:
     cvs co -rRELENG_4_1_0_RELEASE src/sys/crypto
   change #ifdef _KERNEL to #ifdef KERNEL in /sys/crypto/sha1.h

3. Add new options:
   /sys/conf/options
     NETGRAPH_MPPC_COMPRESSION opt_netgraph.h
     NETGRAPH_MPPC_ENCRYPTION opt_netgraph.h

4. add these lines to /sys/conf/files
     netgraph/ng_mppc.c netgraph_mppc_encryption
     crypto/rc4/rc4.c netgraph_mppc_encryption
     crypto/sha1.c netgraph_mppc_encryption

5. get mpd3.2 port and change the Makefile: ENCRYPTION_MPPE=yes

6. Add NETGRAPH_MPPC_ENCRYPTION option to the Kernel-config-file

7. Compile Kernel and mpd3.2

I tested it successfully with Windows 2000 and Win98.

bye,
--
--------------------------------------
E-mail: Michael.Bretterklieber@jawa.at
----------------------------
JAWA MANAGEMENT und SOFTWARE
Liebenauer Hauptstr.
200
A-8041 GRAZ
Tel: ++43-(0)316-403274-12
Fax: ++43-(0)316-403274-10
GSM: ++43-(0)676-93 96 698
homepage: http://www.jawa.at
--------- private -----------
E-mail: mbretter@inode.at
homepage: http://www.inode.at/mbretter
--------------------------------------


From owner-freebsd-net Sun Dec 17 12:29:37 2000
Message-ID: <3A3D2205.1800A1B3@elischer.org>
Date: Sun, 17 Dec 2000 12:28:53 -0800
From: Julian Elischer
To: Michael Bretterklieber
Cc: FreeBSD-net@FreeBSD.org
Subject: Re: mpd3.2 and pptp and mppe and FreeBSD 3.5.1
References: <3A3D1D8D.17EE8696@inode.at>

Michael Bretterklieber wrote:
> 3. Add new options:
>
> /sys/conf/options
>
> NETGRAPH_MPPC_COMPRESSION opt_netgraph.h
> NETGRAPH_MPPC_ENCRYPTION opt_netgraph.h

or add the directories in /sys/modules and make them as modules.

--
      __--_|\   Julian Elischer
     /       \  julian@elischer.org
    (   OZ    ) World tour 2000
---> X_.---._/  presently in: Budapest
          v


From owner-freebsd-net Sun Dec 17 13:09:02 2000
Date: Sun, 17 Dec 2000 22:08:52 +0100
From: Jesper Skriver
To: "Jacques A. Vidrine", freebsd-net@FreeBSD.org, Poul-Henning Kamp, Kris Kennaway, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217220852.A20296@skriver.dk>
References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217095914.A61976@spawn.nectar.com> <20001217102613.B61976@spawn.nectar.com>
In-Reply-To: <20001217102613.B61976@spawn.nectar.com>; from n@nectar.com on Sun, Dec 17, 2000 at 10:26:13AM -0600

On Sun, Dec 17, 2000 at 10:26:13AM -0600, Jacques A. Vidrine wrote:
> [Moved to freebsd-net]
>
> On Sun, Dec 17, 2000 at 09:59:14AM -0600, Jacques A. Vidrine wrote:
> > On Sun, Dec 17, 2000 at 10:24:12AM +0100, Poul-Henning Kamp wrote:
> > > In message <20001217012007.A18038@citusc.usc.edu>, Kris Kennaway writes:
> > > >This sounds like a security hole since ICMP messages don't have a TCP
> > > >sequence number meaning they can be trivially spoofed - am I wrong?
> > >
> > > There was some discussion on the list, and the result was that the
> > > default is this behaviour is "off" for now.
> > >
> > > Since we only react to this in "SYN-SENT" I think the window of
> > > opportunity is rather small in the first place...
> >
> > [ I haven't looked at the patch ]
> >
> > ICMP packets include the headers of the packets that `triggered' them,
> > so we do have a sequence number.
> >
> > I think the correct thing to do is to pull the source address,
> > destination address, source port, destination port, and sequence number
> > from the ICMP message, and zap the corresponding connection IFF the
> > sequence number is in the window.
>
> Jesper, I'm sorry I missed this thread on -hackers (I just caught up
> using the archive).
>
> I'm glad this is off by default.
> While clearly these ICMP messages need
> to be handled, I think the approach taken has fatal flaws:
> (1) This opens a new DoS attack

As said in my posting to cvs-all@FreeBSD.ORG, it already matches against TCP source and destination port numbers, and I'm testing a new version which also matches against the TCP sequence number.

> (2) These same messages are not handled for connections not in
> SYN-SENT: they ought to be

Well, yes, but the real problem is when sessions are set up; the reason I only configured it to affect sessions in SYN-SENT state was to minimize the risk for a DoS.

But it's a trivial fix to remove that check, what do you say Kris?

If we match against
- ip source and destination addresses
- tcp source and destination ports
- tcp sequence number

Can we make it zap the sessions regardless of the current state?

And perhaps enable it by default?

/Jesper

--
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager   @ AS3292 (Tele Danmark DataNetworks)
Private: Geek              @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.


From owner-freebsd-net Sun Dec 17 13:12:32 2000
Date: Sun, 17 Dec 2000 16:12:19 -0500 (EST)
From: Robert Watson
To: Jesper Skriver
Cc: "Jacques A. Vidrine", freebsd-net@FreeBSD.org, Poul-Henning Kamp, Kris Kennaway, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
In-Reply-To: <20001217220852.A20296@skriver.dk>

On Sun, 17 Dec 2000, Jesper Skriver wrote:

> - ip source and destination addresses
> - tcp source and destination ports
> - tcp sequence number
>
> Can we make it zap the sessions regardless of the current state ?
>
> And perhaps enable it by default ?

I admit that I had assumed, from the commit message, that that was the way it would be done, because anything else would be silly :-). If all of these conditions hold (and ICMP messages are correctly ignored if they are truncated too early to include the info (rather than wild-carding), and IP + TCP options are correctly handled without alignment problems), then I see no reason not to turn this on by default.
Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services


From owner-freebsd-net Sun Dec 17 13:22:04 2000
Date: Sun, 17 Dec 2000 15:22:00 -0600
From: "Jacques A. Vidrine"
To: Jesper Skriver
Cc: freebsd-net@FreeBSD.org, Poul-Henning Kamp, Kris Kennaway, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217152200.A63080@hamlet.nectar.com>
References: <20001217012007.A18038@citusc.usc.edu> <17340.977045052@critter> <20001217095914.A61976@spawn.nectar.com> <20001217102613.B61976@spawn.nectar.com> <20001217220852.A20296@skriver.dk>
In-Reply-To: <20001217220852.A20296@skriver.dk>; from jesper@skriver.dk on Sun, Dec 17, 2000 at 10:08:52PM +0100

On Sun, Dec 17, 2000 at 10:08:52PM +0100, Jesper Skriver wrote:
> > (2) These same messages are not handled for connections not in
> > SYN-SENT: they ought to be
>
> Well, yes, but the real problem is when sessions are setup, the reason I
> only configured it to affect sessions in SYN-SENT state, was to minimize
> the risk for a DoS.

This should not be treated any differently than a host/net unreachable message. If filters are (re)loaded while a connection is in progress, then the ICMP message should serve to tear down the connection.
--
Jacques Vidrine / n@nectar.com / jvidrine@verio.net / nectar@FreeBSD.org


From owner-freebsd-net Sun Dec 17 14:41:42 2000
Date: Sun, 17 Dec 2000 23:41:19 +0100
From: Jesper Skriver
To: freebsd-net@FreeBSD.org, cvs-all@FreeBSD.org
Cc: Kris Kennaway, Poul-Henning Kamp, cvs-committers@FreeBSD.ORG, security-officer@FreeBSD.ORG, "Louis A. Mamakos"
Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001217234119.A90024@skriver.dk>
References: <200012161942.eBGJg7j93654@freefall.freebsd.org> <20001217012007.A18038@citusc.usc.edu> <200012171529.eBHFT4512582@whizzo.transsys.com> <20001217182056.B34282@skriver.dk> <20001217183016.C34282@skriver.dk> <20001217200425.D34282@skriver.dk>
In-Reply-To: <20001217200425.D34282@skriver.dk>; from jesper@skriver.dk on Sun, Dec 17, 2000 at 08:04:25PM +0100

On Sun, Dec 17, 2000 at 08:04:25PM +0100, Jesper Skriver wrote:
> The only thing I can see, we can do to improve the security of this,
> would be to match against the TCP sequence number too, I have a patch for
> this too, but I need to test it, will be back.

Attached is a diff which implements this. It's very strict and requires that the sequence number we get is == the last unacknowledged packet we sent, thus only working with one unacknowledged packet.

Later (probably tomorrow) I'll look at ways of getting it to work with multiple outstanding packets. But someone probably wants to commit the attached, as it's significantly better than what's currently in the tree.

/Jesper

--
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager   @ AS3292 (Tele Danmark DataNetworks)
Private: Geek              @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
--4Ckj6UjgE2iN1+kY Content-Type: text/plain; charset=us-ascii Content-Description: tcp_drop_icmp_unreach.diff Content-Disposition: attachment; filename="tcp_drop_icmp_unreach.diff" diff -ru sys/netinet.old/in_pcb.c sys/netinet/in_pcb.c --- sys/netinet.old/in_pcb.c Sun Dec 17 18:57:24 2000 +++ sys/netinet/in_pcb.c Sun Dec 17 23:32:45 2000 @@ -62,6 +62,8 @@ #include #include #include +#include +#include #ifdef INET6 #include #include @@ -667,13 +669,14 @@ * any errors for each matching socket. */ void -in_pcbnotify(head, dst, fport_arg, laddr, lport_arg, cmd, notify) +in_pcbnotify(head, dst, fport_arg, laddr, lport_arg, cmd, notify, tcp_sequence) struct inpcbhead *head; struct sockaddr *dst; u_int fport_arg, lport_arg; struct in_addr laddr; int cmd; void (*notify) __P((struct inpcb *, int)); + u_int32_t tcp_sequence; { register struct inpcb *inp, *oinp; struct in_addr faddr; @@ -716,6 +719,17 @@ (fport && inp->inp_fport != fport)) { inp = inp->inp_list.le_next; continue; + } + /* + * If tcp_sequence is set, then only match sessions + * where last packet sent had this sequence number. + */ + if (tcp_sequence) { + struct tcpcb *tp = intotcpcb(inp); + if (tp->snd_una != tcp_sequence) { + inp = inp->inp_list.le_next; + continue; + } } oinp = inp; inp = inp->inp_list.le_next; diff -ru sys/netinet.old/in_pcb.h sys/netinet/in_pcb.h --- sys/netinet.old/in_pcb.h Sun Dec 17 18:57:24 2000 +++ sys/netinet/in_pcb.h Sun Dec 17 22:47:39 2000 
@@ -290,7 +290,7 @@ struct in_addr, u_int, struct in_addr, u_int, int, struct ifnet *)); void in_pcbnotify __P((struct inpcbhead *, struct sockaddr *, - u_int, struct in_addr, u_int, int, void (*)(struct inpcb *, int))); + u_int, struct in_addr, u_int, int, void (*)(struct inpcb *, int), u_int32_t)); void in_pcbrehash __P((struct inpcb *)); int in_setpeeraddr __P((struct socket *so, struct sockaddr **nam)); int in_setsockaddr __P((struct socket *so, struct sockaddr **nam)); diff -ru sys/netinet.old/tcp_subr.c sys/netinet/tcp_subr.c --- sys/netinet.old/tcp_subr.c Sun Dec 17 18:57:24 2000 +++ sys/netinet/tcp_subr.c Sun Dec 17 23:21:07 2000 @@ -139,7 +139,7 @@ * as required by rfc1122 section 3.2.2.1 */ -static int icmp_admin_prohib_like_rst = 0; +static int icmp_admin_prohib_like_rst = 1; SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_admin_prohib_like_rst, CTLFLAG_RW, &icmp_admin_prohib_like_rst, 0, "Treat ICMP administratively prohibited messages like TCP RST, rfc1122 section 3.2.2.1"); @@ -967,11 +967,12 @@ register struct ip *ip = vip; register struct tcphdr *th; void (*notify) __P((struct inpcb *, int)) = tcp_notify; + tcp_seq tcp_sequence = 0; if (cmd == PRC_QUENCH) notify = tcp_quench; else if ((icmp_admin_prohib_like_rst == 1) && (cmd == PRC_UNREACH_PORT) && (ip)) - notify = tcp_drop_syn_sent; + notify = tcp_drop_icmp_unreach; else if (cmd == PRC_MSGSIZE) notify = tcp_mtudisc; else if (!PRC_IS_REDIRECT(cmd) && @@ -980,10 +981,12 @@ if (ip) { th = (struct tcphdr *)((caddr_t)ip + (IP_VHL_HL(ip->ip_vhl) << 2)); + if ((icmp_admin_prohib_like_rst == 1) && (cmd == PRC_UNREACH_PORT)) + tcp_sequence = ntohl(th->th_seq); in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport, - cmd, notify); + cmd, notify, tcp_sequence); } else - in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify); + in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify, 0); } #ifdef INET6 
@@ -1086,16 +1089,16 @@ /* * When a ICMP unreachable is recieved, drop the - * TCP connection, but only if in SYN_SENT + * TCP connection */ void -tcp_drop_syn_sent(inp, errno) +tcp_drop_icmp_unreach(inp, errno) struct inpcb *inp; int errno; { struct tcpcb *tp = intotcpcb(inp); - if((tp) && (tp->t_state == TCPS_SYN_SENT)) - tcp_drop(tp, errno); + if(tp) + tcp_drop(tp, errno); } /* diff -ru sys/netinet.old/tcp_var.h sys/netinet/tcp_var.h --- sys/netinet.old/tcp_var.h Sun Dec 17 18:57:24 2000 +++ sys/netinet/tcp_var.h Sun Dec 17 23:17:55 2000 @@ -387,7 +387,7 @@ void tcp_input __P((struct mbuf *, int, int)); void tcp_mss __P((struct tcpcb *, int)); int tcp_mssopt __P((struct tcpcb *)); -void tcp_drop_syn_sent __P((struct inpcb *, int)); +void tcp_drop_icmp_unreach __P((struct inpcb *, int)); void tcp_mtudisc __P((struct inpcb *, int)); struct tcpcb * tcp_newtcpcb __P((struct inpcb *)); diff -ru sys/netinet.old/udp_usrreq.c sys/netinet/udp_usrreq.c --- sys/netinet.old/udp_usrreq.c Sun Dec 17 18:57:24 2000 +++ sys/netinet/udp_usrreq.c Sun Dec 17 19:59:53 2000 
@@ -512,9 +512,9 @@ if (ip) { uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2)); in_pcbnotify(&udb, sa, uh->uh_dport, ip->ip_src, uh->uh_sport, - cmd, udp_notify); + cmd, udp_notify, 0); } else - in_pcbnotify(&udb, sa, 0, zeroin_addr, 0, cmd, udp_notify); + in_pcbnotify(&udb, sa, 0, zeroin_addr, 0, cmd, udp_notify, 0); } static int --4Ckj6UjgE2iN1+kY-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sun Dec 17 18:27:11 2000 From owner-freebsd-net@FreeBSD.ORG Sun Dec 17 18:27:09 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mail1.rdc2.on.home.com (mail1.rdc2.on.home.com [24.9.0.40]) by hub.freebsd.org (Postfix) with ESMTP id 8192337B400 for ; Sun, 17 Dec 2000 18:27:09 -0800 (PST) Received: from stan ([24.64.143.114]) by mail1.rdc2.on.home.com (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20001218022709.VYHA27516.mail1.rdc2.on.home.com@stan> for ; Sun, 17 Dec 2000 18:27:09 -0800 
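Review bot: in the in_pcb.c hunk at @@ -716,6 +719,17 @@, using 0 as the "no sequence number given" sentinel turns the new check into an opt-out for the attacker: a forged unreachable whose quoted TCP header carries th_seq == 0 makes tcp_ctlinput pass tcp_sequence = 0, the `if (tcp_sequence)` branch is skipped, and every PCB that matches addresses and ports is dropped exactly as before the patch. Pass an explicit "match sequence" flag (or do the comparison inside the notify callback) instead of overloading the value. The same branch dereferences `tp->snd_una` without checking that `intotcpcb(inp)` is non-NULL, while `tcp_drop_icmp_unreach` further down guards with `if(tp)`; and the plain `!=` should be a windowed SEQ_LT/SEQ_GT test against snd_una..snd_max, since equality only holds when the quoted segment happens to be the oldest unacknowledged one.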
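Review bot: the in_pcb.h prototype change gives the protocol-independent in_pcbnotify() a TCP-only argument (declared `u_int32_t` here but `tcp_seq` in tcp_subr.c) that the UDP caller has to fill with a dummy 0. Keeping in_pcbnotify generic and doing the sequence comparison in the TCP notify callback, which already has the tcpcb in hand, avoids the layering leak and the extra parameter on every caller.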
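Review bot: the tcp_subr.c hunk at @@ -139,7 +139,7 @@ flips icmp_admin_prohib_like_rst to 1 in the same patch that widens the action from SYN_SENT to every state, so the default exposure of every established connection changes at once. Either keep the default at 0 until the sequence-number matching has been reviewed, or at least extend the sysctl description, which still only says "Treat ICMP administratively prohibited messages like TCP RST", to state what must match before a connection is dropped.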
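Review bot: in the @@ -967,11 +967,12 @@ hunk the new tcp_drop_icmp_unreach path is selected on `cmd == PRC_UNREACH_PORT`, so whether it fires only for administratively-prohibited ICMP codes, as the sysctl name promises, depends entirely on the code-to-PRC mapping in ip_icmp.c, which is not part of this diff. A comment here naming the ICMP codes that reach this branch would stop a later ip_icmp.c change from silently widening it.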
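Review bot: the @@ -980,10 +981,12 @@ hunk reads `th->th_seq` from the quoted transport header with no length check in this function. The sequence number sits at bytes 4..7 of the TCP header, inside the 8 bytes an ICMP error must quote, but a message truncated short of that must be ignored rather than matched with tcp_sequence = 0, so either verify here that the mbuf really holds IP header length + 8 bytes or leave a comment pointing at the icmplen check in icmp_input that this relies on.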
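Review bot: the @@ -1086,16 +1089,16 @@ hunk removes the `t_state == TCPS_SYN_SENT` condition, which was the only thing bounding the blast radius to half-open connections; after it, an established session is torn down by any spoofed unreachable that also guesses snd_una, and the comment above the function no longer says which states are affected. Keep the SYN_SENT test (or gate the all-states behaviour behind its own sysctl) and fix "recieved" in the comment while editing it.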
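Review bot: only the tcp_subr.c and udp_usrreq.c callers are adjusted to the new in_pcbnotify() signature in this diff; grep the tree for any other in_pcbnotify caller before committing, since the in_pcb.h prototype change makes every unconverted call a compile error.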
From: "Rezvani, Mazdak" To: Subject: subscribe Date: Sun, 17 Dec 2000 21:32:11 -0500 Message-ID: <000001c0689a$ba4d3c10$0801a8c0@stan> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sun Dec 17 22:55:43 2000 From owner-freebsd-net@FreeBSD.ORG Sun Dec 17 22:55:42 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 1DB3037B400 for ; Sun, 17 Dec 2000 22:55:42 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 147uHM-0000Ez-00; Mon, 18 Dec 2000 00:00:12 -0700 Sender: wes@FreeBSD.ORG Message-ID: <3A3DB5FB.16410E54@softweyr.com> Date: Mon, 18 Dec 2000 00:00:12 -0700 
From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: net@freebsd.org, misc@openbsd.org Subject: Looking for tiny DNS server Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I need a tiny DNS server I can hack up. When our router/firewall/gateway is in "first birthday" mode, it doesn't yet have a connection to the internet. We'd like to run a DNS server on the box that resolves ALL DNS A requests from the internal LAN to the internal address of our box until we have the public interface up. At this time, we'll configure named and kill the tiny DNS server. If you know of such a server available under a reasonable license, or know of some clever named hacks that will allow me to do the same, I'm all ears. Or SMTP ports, I guess. -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sun Dec 17 23:44:47 2000 From owner-freebsd-net@FreeBSD.ORG Sun Dec 17 23:44:45 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from origin.macomnet.ru (origin.macomnet.ru [195.128.64.12]) by hub.freebsd.org (Postfix) with ESMTP id 16B2037B400 for ; Sun, 17 Dec 2000 23:44:44 -0800 (PST) Received: from news1.macomnet.ru (news1.macomnet.ru [195.128.64.14]) by origin.macomnet.ru (8.9.1/8.9.1) with ESMTP id KAA3221210; Mon, 18 Dec 2000 10:44:29 +0300 (MSK) Date: Mon, 18 Dec 2000 10:44:29 +0300 (MSK)
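An added example, not code from the message above nor from any of the servers mentioned in this thread, of the core of such a catch-all responder in C: it parses one DNS query, answers every A/IN question with a fixed IPv4 address, returns NOERROR with no answer record for any other type (so a dual-stack client that asks AAAA first falls back to A), and silently drops anything that is not a well-formed standard query. The sample query bytes, the address 192.168.6.1 and the 60-second TTL are constructed for the example; a real server would wrap build_catchall_reply() in a UDP receive loop bound only to the internal interface.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DNS_TYPE_A   1
#define DNS_CLASS_IN 1

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }

/* Walk an uncompressed QNAME starting at off. Returns the offset just past
 * the root label, or 0 if the name is malformed, uses a compression pointer
 * (never legitimate in a question) or runs off the end of the packet. */
static size_t skip_qname(const uint8_t *q, size_t qlen, size_t off)
{
    size_t total = 0;
    while (off < qlen) {
        uint8_t lab = q[off];
        if (lab == 0)
            return off + 1;
        if ((lab & 0xC0) || (total += 1 + lab) > 255)   /* pointer, or over RFC 1035's 255 */
            return 0;
        off += 1 + lab;
    }
    return 0;
}

/* Build the reply to one query datagram. A/IN questions are answered with
 * addr; any other type gets NOERROR with ANCOUNT=0 (NODATA), so a dual-stack
 * client asking AAAA first falls back to A. Returns the reply length, or 0
 * if the datagram is not a well-formed standard query and should be dropped. */
size_t build_catchall_reply(const uint8_t *q, size_t qlen, uint32_t addr,
                            uint32_t ttl, uint8_t *out, size_t outcap)
{
    size_t qend;
    uint16_t qtype, qclass;

    /* need a full header, QR=0, OPCODE=QUERY, exactly one question */
    if (qlen < 12 || (q[2] & 0x80) || (q[2] & 0x78) || get16(q + 4) != 1)
        return 0;
    qend = skip_qname(q, qlen, 12);
    if (qend == 0 || qend + 4 > qlen || qend + 20 > outcap)
        return 0;
    qtype  = get16(q + qend);
    qclass = get16(q + qend + 2);
    qend  += 4;                              /* end of the question section */

    memcpy(out, q, qend);                    /* echo ID and question verbatim */
    put16(out + 2, 0x8080 | ((q[2] & 0x01) ? 0x0100 : 0));   /* QR=1, RA=1, copy RD, RCODE=0 */
    put16(out + 6, 0); put16(out + 8, 0); put16(out + 10, 0);
    if (qtype != DNS_TYPE_A || qclass != DNS_CLASS_IN)
        return qend;                         /* NODATA */
    put16(out + 6, 1);                       /* ANCOUNT */
    put16(out + qend, 0xC00C);               /* NAME: pointer to the QNAME at offset 12 */
    put16(out + qend + 2, DNS_TYPE_A);
    put16(out + qend + 4, DNS_CLASS_IN);
    put32(out + qend + 6, ttl);
    put16(out + qend + 10, 4);               /* RDLENGTH */
    put32(out + qend + 12, addr);
    return qend + 16;
}

/* Address in the first answer of a reply, or 0 if it carries no answer. */
uint32_t reply_answer_addr(const uint8_t *r, size_t len)
{
    size_t qend;
    if (len < 12 || get16(r + 6) != 1)
        return 0;
    qend = skip_qname(r, len, 12);
    if (qend == 0 || qend + 20 > len)
        return 0;
    return get32(r + qend + 16);
}

/* Constructed sample query (not captured traffic): ID 0x1234, RD set,
 * one question for www.example.com, type A, class IN; QTYPE sits at offset 29. */
static const uint8_t sample_query[33] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01 };
static uint8_t reply_buf[512];

/* Reply for the sample query with its QTYPE overridden; the bytes land in reply_buf. */
size_t sample_reply(uint16_t qtype, uint32_t addr)
{
    uint8_t q[sizeof sample_query];
    memcpy(q, sample_query, sizeof q);
    put16(q + 29, qtype);
    return build_catchall_reply(q, sizeof q, addr, 60, reply_buf, sizeof reply_buf);
}
```

The answer names its owner with a compression pointer to the question (0xC00C), which keeps every reply well inside the 512-byte UDP limit. Nothing here is authenticated, so this is strictly a bootstrap stub for the internal LAN; it must never be reachable from the public interface once that comes up.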
From: Maxim Konovalov To: Wes Peters Cc: net@FreeBSD.ORG, misc@openbsd.org Subject: Re: Looking for tiny DNS server In-Reply-To: <3A3DB5FB.16410E54@softweyr.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, On Mon, 18 Dec 2000, Wes Peters wrote: > I need a tiny DNS server I can hack up. When our router/firewall/gateway is > in "first birthday" mode, it doesn't yet have a connection to the internet. > We'd like to run a DNS server on the box that resolves ALL DNS A requests > from the internal LAN to the internal address of our box until we have the > public interface up. At this time, we'll configured named and kill the tiny > DNS server. > > If you know of such a server available under a reasonable license, or know > of some clever named hacks that will allow me to do the same, I'm all ears. > Or SMTP ports, I guess. Take a look at /usr/ports/net/pdnsd HTH - - maxim -- Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sun Dec 17 23:48:36 2000 From owner-freebsd-net@FreeBSD.ORG Sun Dec 17 23:48:31 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from osku.suutari.iki.fi (osku.syncrontech.com [213.28.98.4]) by hub.freebsd.org (Postfix) with ESMTP id CBDB337B400; Sun, 17 Dec 2000 23:48:29 -0800 (PST) Received: from coffee (adsl-nat.syncrontech.com [213.28.98.3]) by osku.suutari.iki.fi (8.9.3/8.9.3) with SMTP id JAA05093; Mon, 18 Dec 2000 09:47:28 +0200 (EET) (envelope-from ari@suutari.iki.fi) Message-ID: <011801c068c6$c585d6b0$0e05a8c0@intranet.syncrontech.com> 
From: "Ari Suutari" To: "Cy Schubert - ITSD Open Systems Group" Cc: , References: <200012161125.eBGBPkP05378@cwsys.cwsent.com> Subject: Re: IPFW & IPsec tunnel mode Date: Mon, 18 Dec 2000 09:47:28 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I read them. But I think that the final solution cannot be 'well we will have a hole like this always since it cannot be fixed'. I wasn't saying that I want a network interface device like 'tun', I just wanted something similar that could be used with ipfw to more accurately specify filters. Why couldn't we have something like: (imagine that a new option -n has been added to setkey's spdadd) setkey -c << ZZZ spdadd xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy any -n my-tunnel-1 -P in ipsec esp/tunnel/aaa-bbb/require; ZZZ and then (imagine that a new keyword via-ipsec-tunnel has been added to ipfw) ipfw pass ip from any to any via-ipsec-tunnel my-tunnel-1 I think that this would just be, well, GREAT! It would allow very easy creation of VPNs with simple rules and without any holes. Ari S. ----- Original Message -----
From: "Cy Schubert - ITSD Open Systems Group" To: "Ari Suutari" Cc: ; Sent: 16 December 2000 13:24 Subject: Re: IPFW & IPsec tunnel mode > In message <001301c0601e$34cab880$0e05a8c0@intranet.syncrontech.com>, > "Ari Suutari" writes: > > However, pipsecd only supports fixed keys and Kame seems more > > like the future way to go. Would it be possible to enhance ipfw & kame > > to work together better in same way (like having some kind of name for > > each tunnel and allowing ipfw rule to use them in similar way as > > 'via' is used with interfaces) ? > > Check the -security archives. This was just discussed about a month > ago. In that thread a KAME developer explained why it cannot be > accomplished. > > > Regards, Phone: (250)387-8437 > Cy Schubert Fax: (250)387-5766 > Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca > Open Systems Group, ITSD, ISTA > Province of BC > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Dec 18 3:17:24 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 03:17:22 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from paprika.michvhf.com (adsl-pool27-80.detroit.mi.ameritech.net [64.108.60.80]) by hub.freebsd.org (Postfix) with SMTP id AA41737B400 for ; Mon, 18 Dec 2000 03:17:21 -0800 (PST) Received: (qmail 15353 invoked by uid 1001); 18 Dec 2000 11:17:21 -0000 Date: Mon, 18 Dec 2000 06:17:21 -0500 (EST)
From: Vince Vielhaber To: Wes Peters Cc: , Subject: Re: Looking for tiny DNS server In-Reply-To: <3A3DB5FB.16410E54@softweyr.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 18 Dec 2000, Wes Peters wrote: > I need a tiny DNS server I can hack up. When our router/firewall/gateway is > in "first birthday" mode, it doesn't yet have a connection to the internet. > We'd like to run a DNS server on the box that resolves ALL DNS A requests > from the internal LAN to the internal address of our box until we have the > public interface up. At this time, we'll configured named and kill the tiny > DNS server. > > If you know of such a server available under a reasonable license, or know > of some clever named hacks that will allow me to do the same, I'm all ears. > Or SMTP ports, I guess. Take a look at: http://cr.yp.to/djbdns.html Easy to configure, if there's an error in the config file it won't die (it just tells you and keeps the previous info), and there's no need to go back to named when you get the public interface up. It's probably in ports/packages but as easy as it is to set up you're probably better off from sources. Vince. 
-- ========================================================================== Vince Vielhaber -- KA8CSH email: vev@michvhf.com http://www.pop4.net 128K ISDN from $22.00/mo - 56K Dialup from $16.00/mo at Pop4 Networking Online Campground Directory http://www.camping-usa.com Online Giftshop Superstore http://www.cloudninegifts.com ========================================================================== To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Dec 18 3:29:41 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 03:29:37 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 7173937B400; Mon, 18 Dec 2000 03:29:37 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id DAA27758; Mon, 18 Dec 2000 03:30:54 -0800 Date: Mon, 18 Dec 2000 03:30:54 -0800 
From: Kris Kennaway To: Robert Watson Cc: Jesper Skriver , "Jacques A. Vidrine" , freebsd-net@FreeBSD.org, Poul-Henning Kamp , Kris Kennaway , security-officer@FreeBSD.org Subject: Re: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h Message-ID: <20001218033054.B27704@citusc.usc.edu> References: <20001217220852.A20296@skriver.dk> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Bn2rw/3z4jIqBvZU" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: ; from rwatson@FreeBSD.org on Sun, Dec 17, 2000 at 04:12:19PM -0500 Sender: kris@citusc.usc.edu Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --Bn2rw/3z4jIqBvZU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Sun, Dec 17, 2000 at 04:12:19PM -0500, Robert Watson wrote: > On Sun, 17 Dec 2000, Jesper Skriver wrote: > > > - ip source and destination addresses > > - tcp source and destination ports > > - tcp sequence number > > > > Can we make it zap the sessions regardless of the current state ? > > > > And perhaps enable it by default ? > > I admit that I had assumed, from the commit message, that that was the way > it would be done, because anything else would be silly :-). If all of > these conditions hold (and ICMP messages are correctly ignored if they are > truncated too early to include the info (rather than wild-carding), and IP > + TCP options are correctly handled without alignment problems), then I > see no reason not to turn this on by default. I agree.
Kris --Bn2rw/3z4jIqBvZU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6PfVtWry0BWjoQKURAlRDAKD0fCOfU1WPBQY7bEaXd0Iwygf7egCfbdHu hFwh5Qkru57iUsdakiYr5jU= =xRxf -----END PGP SIGNATURE----- --Bn2rw/3z4jIqBvZU-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Dec 18 6:27: 8 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 06:27:05 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from groupwise.qobra.net (unknown [216.95.234.225]) by hub.freebsd.org (Postfix) with SMTP id 5ABDA37B402 for ; Mon, 18 Dec 2000 06:27:05 -0800 (PST) Received: from ON_Dom-Message_Server by groupwise.qobra.net with Novell_GroupWise; Mon, 18 Dec 2000 09:26:52 -0500 Message-Id: X-Mailer: Novell GroupWise 5.5.4 Date: Mon, 18 Dec 2000 09:26:50 -0500 
From: "Yian Zhu" To: Subject: Hi, everybody Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, everybody I am using freebsd 4.2 to test vlan. I find if running ng_ether, you can not configure the vlan. If you configure vlan, the system will display: Fatal trap 12 : page fault while in kernel mode, ...... then the system is rebooted automatically. How to solve this problem? Yian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Dec 18 9:26: 9 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 09:26:02 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97]) by hub.freebsd.org (Postfix) with ESMTP id 9FE3137B400; Mon, 18 Dec 2000 09:26:01 -0800 (PST) Received: by freesbee.wheel.dk (Postfix, from userid 1001) id 5752B3E4B; Mon, 18 Dec 2000 18:26:00 +0100 (CET) Date: Mon, 18 Dec 2000 18:26:00 +0100
From: Jesper Skriver To: Kris Kennaway , Poul-Henning Kamp Cc: security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.org Subject: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h Message-ID: <20001218182600.C1856@skriver.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I'm trying to find out what to do now regarding this. To summarize. PHK committed my original patch; this patch has the following functionality:
- When an ICMP administratively prohibited is received, it zaps all TCP sessions in SYN-SENT state matching the source and destination IP addresses and TCP port numbers in the IP header + 8 bytes from the ICMP packet.
- It does not match against the TCP sequence number
- disabled by default
Yesterday I submitted a new diff, with the following changes to the above.
- Matches against the TCP sequence number in the IP header + 8 bytes from the ICMP packet, against the last unacknowledged packet in the TCP session matching the source and destination IP addresses and TCP port numbers; these must be equal, thus it only matches if the ICMP unreachable is for the last sent packet. This is very secure, but in reality only has effect when setting up the session, as it doesn't work with multiple outstanding packets; it does work when setting up sessions, as the window will be zero here. This could be fixed by something like (*)
- Check for SYN-SENT state removed
- enabled by default
What I will suggest at this point is to do one of 2 things:
1) Extend the original diff PHK committed to check for sequence number, and enable it by default, trivial as it's part of the second diff.
2) Fix the second diff with the below code.
For both I'll also add an extra check if the IP header in the ICMP packet has options set, and if it has, don't act on it, this applies to both, the reason for this is, if it has options set, we'll miss some (or all) of the 8 bytes from the TCP header, and thus, we'll not know port and sequence numbers. What do you prefer ? When I know this, I'll post a new diff for review. (*) replace if (tp->snd_una != tcp_sequence) { with /* * First check: if sequence numbers have wrapped, don't act on this. * Second -"- : if the sequence number from the ICMP packet is for a * "old" packet, it's probably spoofed, don't act on this. * Third -"- : if the sequence number from the ICMP packet is for a * packet from the future, it's spoofed, don't act on this. */ if ((tp->snd_max < tp->snd_una) || (tcp_sequence < tp->snd_una) || \ (tp->snd_max < tcp_sequence)) { /Jesper -- Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456 Work: Network manager @ AS3292 (Tele Danmark DataNetworks) Private: Geek @ AS2109 (A much smaller network ;-) One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone to bind them. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Dec 18 10:46:46 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 10:46:45 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from pfa0frpk001.panasonicfa.com (unknown [38.248.119.1]) by hub.freebsd.org (Postfix) with ESMTP id BFF3037B400 for ; Mon, 18 Dec 2000 10:46:44 -0800 (PST) Received: by exchange.panasonicfa.com with Internet Mail Service (5.5.2650.21) id ; Mon, 18 Dec 2000 12:46:42 -0600 Message-ID: <054F7DAA9E54D311AD090008C74CE9BD01F1E7CB@exchange.panasonicfa.com>
From: "Zaitsau, Andrei" To: net@freebsd.org Subject: Hacked computer Date: Mon, 18 Dec 2000 12:46:40 -0600 Return-Receipt-To: "Zaitsau, Andrei" MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello everyone, I have a problem, in the morning someone hacked into my computer at home. It is ADSL Gateway running FreeBSD 3.4 , root password is changed by hacker. Can anyone tell where on the system I can find some tracks of a hacker? What should I check first? Which log files? Anyone? Please? Thanks. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Dec 18 10:50:34 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 10:50:27 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mailman.thenap.com (mailman.thenap.com [209.190.0.10]) by hub.freebsd.org (Postfix) with ESMTP id F1A1C37B6A0 for ; Mon, 18 Dec 2000 10:50:11 -0800 (PST) Received: by mailman.thenap.com with Internet Mail Service (5.5.2650.21) id ; Mon, 18 Dec 2000 14:00:44 -0500 Message-ID: 
From: "Drew J. Weaver" To: "'Zaitsau, Andrei'" , net@freebsd.org Subject: RE: Hacked computer Date: Mon, 18 Dec 2000 14:00:36 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C06924.D2AC5F68" Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I would do a find / -name g g is a well known rootkit, I'm not sure if it works with freebsd but I am sure it can be modified, that is what most of the script kiddies are using these days, it changes a bunch of things like ps, and last and who... If you find a directory called 'g' unless it's terminfo/g you may want to search on google or somewhere and see if you can locate a list of the files that are modified by this rootkit. Most of the time hax0r-kiddies login through services that are left open, I.E. PostGres has a default account that they can get in through.. Take a look. Thanks, -Drew -----Original Message----- From: Zaitsau, Andrei [mailto:AZaitsau@panasonicfa.com] Sent: Monday, December 18, 2000 1:47 PM To: net@freebsd.org Subject: Hacked computer Hello everyone, I have a problem, in the morning someone hacked into my computer at home. It is ADSL Gateway running FreeBSD 3.4 , root password is changed by hacker. Can anyone tell where on the system I can find some tracks of a hacker? What should I check first? Which log files? Anyone? Please? Thanks. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Dec 18 10:52:39 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 10:52:37 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from apollo.ocsny.com (apollo.ocsny.com [204.107.76.2]) by hub.freebsd.org (Postfix) with ESMTP id 0ED3337B402 for ; Mon, 18 Dec 2000 10:52:28 -0800 (PST) Received: from ocsinternet.com (fw234.ocsny.com [204.107.76.234]) by apollo.ocsny.com (8.9.2/8.9.3) with ESMTP id NAA77404; Mon, 18 Dec 2000 13:52:31 -0500 (EST) Message-ID: <3A3E5C33.793B5684@ocsinternet.com> Date: Mon, 18 Dec 2000 13:49:23 -0500
From: mikel X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I) X-Accept-Language: en MIME-Version: 1.0 To: "Zaitsau, Andrei" Cc: net@FreeBSD.ORG Subject: Re: Hacked computer References: <054F7DAA9E54D311AD090008C74CE9BD01F1E7CB@exchange.panasonicfa.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org If you've been rooted, then the logs are probably no good. But check your wtmp for logons, and messages, and well, if you don't see anything unusual there then they've probably been wiped. Have you regained root yet? Personally I would pull the box off the net and back up the important config stuff, then blast it....but hey, I tend to be a bit of an extremist in these cases... Cheers, mikel "Zaitsau, Andrei" wrote: > Hello everyone, > I have a problem, in the morning someone hacked into my computer at home. It > is ADSL Gateway running FreeBSD 3.4 , root password is changed by hacker. > Can anyone tell where on the system I can find some tracks of a hacker? > What should I check first? > Which log files? > Anyone? Please? > Thanks. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-net" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Dec 18 10:58:57 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 10:58:55 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from atro.pine.nl (atro.pine.nl [213.156.0.2]) by hub.freebsd.org (Postfix) with ESMTP id C77B937B402 for ; Mon, 18 Dec 2000 10:58:54 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by atro.pine.nl (8.11.1/8.11.1) with ESMTP id eBIIwiC05667; Mon, 18 Dec 2000 19:58:44 +0100 (MET) Date: Mon, 18 Dec 2000 19:58:44 +0100 (MET)
From: Mark Lastdrager To: "Zaitsau, Andrei" Cc: Subject: Re: Hacked computer In-Reply-To: <054F7DAA9E54D311AD090008C74CE9BD01F1E7CB@exchange.panasonicfa.com> Message-ID: X-NCC-RegID: nl.pine MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At Mon, 18 Dec 2000, owner-freebsd-net@FreeBSD.ORG wrote: >Hello everyone, >I have a problem, in the morning someone hacked into my computer at home. It >is ADSL Gateway running FreeBSD 3.4 , root password is changed by hacker. >Can anyone tell where on the system I can find some tracks of a hacker? >What should I check first? >Which log files? >Anyone? Please? >Thanks. Check this excellent document: http://www.cert.org/nav/recovering.html And please ask your question again on the incidents mailinglist (http://www.securityfocus.com/forums/incidents/intro.html) as it's offtopic here IMHO. Mark Lastdrager -- Pine Internet BV :: tel. +31-70-3111010 :: fax. +31-70-3111011 PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1 Today's excuse: Well fix that in the next (upgrade, update, patch release, service pack). To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Dec 18 11:20:57 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 11:20:53 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from silby.com (cb34181-c.mdsn1.wi.home.com [24.183.3.139]) by hub.freebsd.org (Postfix) with ESMTP id 9BBA637B698 for ; Mon, 18 Dec 2000 11:20:52 -0800 (PST) Received: (qmail 63319 invoked by uid 1000); 18 Dec 2000 19:20:51 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 18 Dec 2000 19:20:51 -0000 Date: Mon, 18 Dec 2000 13:20:51 -0600 (CST) 
From: Mike Silbersack To: Jesper Skriver Cc: Kris Kennaway , Poul-Henning Kamp , security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.org Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h In-Reply-To: <20001218182600.C1856@skriver.dk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 18 Dec 2000, Jesper Skriver wrote: > - Check for SYN-SENT state removed I was thinking about this point, and I think there are two compelling reasons to keep it enabled only for the SYN_SENT state. First, the cases in which connections are in progress to a port which is in the process of being blocked for the first time are rare. The slight chance that honoring such messages will allow connections to be falsely reset outweighs the small gain of killing connections over paths that have suddenly been firewalled. Second, if I understand correctly, this code may be able to kill IPSEC connections too. (?) If so, it would allow a simple packet sniffer and spoofer to defeat all the fancy crypto in use. (If someone's more familiar with IPSEC and this patch could clarify, it would be appreciated.) Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Dec 18 11:27:17 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 11:27:12 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97]) by hub.freebsd.org (Postfix) with ESMTP id 481EE37B402; Mon, 18 Dec 2000 11:27:12 -0800 (PST) Received: by freesbee.wheel.dk (Postfix, from userid 1001) id 96F693E5A; Mon, 18 Dec 2000 20:27:10 +0100 (CET) Date: Mon, 18 Dec 2000 20:27:10 +0100 
From: Jesper Skriver To: Mike Silbersack Cc: Kris Kennaway , Poul-Henning Kamp , security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.org Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h Message-ID: <20001218202710.A16059@skriver.dk> References: <20001218182600.C1856@skriver.dk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from silby@silby.com on Mon, Dec 18, 2000 at 01:20:51PM -0600 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Dec 18, 2000 at 01:20:51PM -0600, Mike Silbersack wrote: > > On Mon, 18 Dec 2000, Jesper Skriver wrote: > > > - Check for SYN-SENT state removed > > I was thinking about this point, and I think there are two compelling > reasons to keep it enabled only for the SYN_SENT state. > > First, the cases in which connections are in progress to a port which is > in the process of being blocked for the first time are rare. The slight > chance that honoring such messages will allow connections to be falsely > reset outweighs the small gain of killing connections over paths that have > suddenly been firewalled. I agree, but others requested that I remove this check; the real-life problem is when setting up the sessions. I strongly suggest that we keep this check in. > Second, if I understand correctly, this code may be able to kill IPSEC > connections too. (?) IPsec runs on top of GRE, right? Only the IKE phase runs over TCP. This code only applies to TCP, so I think it would have little, if any, impact on IPsec. > If so, it would allow a simple packet sniffer and > spoofer to defeat all the fancy crypto in use. (If someone's more > familiar with IPSEC and this patch could clarify, it would be > appreciated.)
/Jesper -- Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456 Work: Network manager @ AS3292 (Tele Danmark DataNetworks) Private: Geek @ AS2109 (A much smaller network ;-) One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone to bind them. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Mon Dec 18 14:13:47 2000 From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 14:13:45 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx.databus.com (p101-44.acedsl.com [160.79.101.44]) by hub.freebsd.org (Postfix) with ESMTP id 444DE37B400; Mon, 18 Dec 2000 14:13:44 -0800 (PST) Received: (from barney@localhost) by mx.databus.com (8.11.1/8.11.1) id eBIMCmR67880; Mon, 18 Dec 2000 17:12:48 -0500 (EST) (envelope-from barney) Date: Mon, 18 Dec 2000 17:12:48 -0500 
From: Barney Wolff
To: Jesper Skriver
Cc: Mike Silbersack, Kris Kennaway, Poul-Henning Kamp, security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001218171248.A67546@mx.databus.com>
References: <20001218182600.C1856@skriver.dk> <20001218202710.A16059@skriver.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20001218202710.A16059@skriver.dk>; from jesper@skriver.dk on Mon, Dec 18, 2000 at 08:27:10PM +0100
Sender: barney@mx.databus.com
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I suggest that the ICMP unreachable affect connections only in SYN-SENT
and only if the seq number matches, and that it not affect IPSEC'd
connections at all.

FYI, IPSEC does not run over GRE, but uses two protocol numbers of its
own, 50 for ESP and 51 for AH. IKE uses UDP port 500, not TCP.

Without the check on seq # & state as well as port/ip, it's too easy to
DoS by blindly blasting unreachables to every source port.

Barney Wolff

From owner-freebsd-net Mon Dec 18 14:18:55 2000
From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 14:18:51 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97]) by hub.freebsd.org (Postfix) with ESMTP id 6624737B400; Mon, 18 Dec 2000 14:18:51 -0800 (PST)
Received: by freesbee.wheel.dk (Postfix, from userid 1001) id CF0D93E59; Mon, 18 Dec 2000 23:18:49 +0100 (CET)
Date: Mon, 18 Dec 2000 23:18:49 +0100
From: Jesper Skriver
To: Barney Wolff
Cc: Mike Silbersack, Kris Kennaway, Poul-Henning Kamp, security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001218231849.D37894@skriver.dk>
References: <20001218182600.C1856@skriver.dk> <20001218202710.A16059@skriver.dk> <20001218171248.A67546@mx.databus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001218171248.A67546@mx.databus.com>; from barney@databus.com on Mon, Dec 18, 2000 at 05:12:48PM -0500
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Dec 18, 2000 at 05:12:48PM -0500, Barney Wolff wrote:
> I suggest that the ICMP unreachable affect connections only in
> SYN-SENT and only if the seq number matches, and that it not
> affect IPSEC'd connections at all.

Since IPsec, as you say, doesn't use TCP at all, it will not be affected
in any way by this code.

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.

From owner-freebsd-net Mon Dec 18 21:22:42 2000
From owner-freebsd-net@FreeBSD.ORG Mon Dec 18 21:22:41 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from falla.videotron.net (falla.videotron.net [205.151.222.106]) by hub.freebsd.org (Postfix) with ESMTP id CDFE737B400 for ; Mon, 18 Dec 2000 21:22:40 -0800 (PST)
Received: from modemcable213.3-201-24.mtl.mc.videotron.ca ([24.201.3.213]) by falla.videotron.net (Sun Internet Mail Server sims.3.5.1999.12.14.10.29.p8) with ESMTP id <0G5S00G07UXQ9W@falla.videotron.net> for freebsd-net@freebsd.org; Tue, 19 Dec 2000 00:22:39 -0500 (EST)
Date: Tue, 19 Dec 2000 00:23:29 -0500 (EST)
From: Bosko Milekic
Subject: M_flag rename: M_WAIT to M_TRYWAIT
To: freebsd-net@freebsd.org
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ok, the new version of the diff is here, and it's a mere 35K (compared to
the last one which was 162k):

http://people.freebsd.org/~bmilekic/m_flag_rnm.diff

Big bloat reduction compared to last time. It renames M_WAIT to M_TRYWAIT,
M_DONTWAIT stays M_DONTWAIT, and also fixes a few rather lame mistakes,
such as M_WAIT being passed to malloc() (as opposed to M_WAITOK) which may
prevent future problems if we were to redefine the values of the
malloc/mbuf alloc flags. M_WAIT is maintained and defined as M_TRYWAIT for
now, but its use is deprecated.

Anyone have final comments before this is committed? Then I can go on and
change the man page to reflect it as well and send a small heads-up to
-current.

I have three small PostIt[tm]'s worth of "to do" fixes following this
change which involve developers previously assuming that M_WAIT will never
return NULL. Going in and making sure these guys check for the possibility
of failure will be done once this goes in (I'm doing it in two parts to
avoid merging headaches while working).

Please note that this is planned only for -CURRENT at this time.

Regards,
Bosko Milekic
bmilekic@technokratis.com

From owner-freebsd-net Tue Dec 19 0:33:35 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 00:33:32 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from jason.argos.org (a13b063.neo.rr.com [204.210.197.63]) by hub.freebsd.org (Postfix) with ESMTP id A590737B400 for ; Tue, 19 Dec 2000 00:33:27 -0800 (PST)
Received: from localhost (mike@localhost) by jason.argos.org (8.10.1/8.10.1) with ESMTP id eBJ8OFv10873; Tue, 19 Dec 2000 03:24:15 -0500
Date: Tue, 19 Dec 2000 03:24:15 -0500 (EST)
From: Mike Nowlin
To: mikel
Cc: "Zaitsau, Andrei", net@FreeBSD.ORG
Subject: Re: Hacked computer
In-Reply-To: <3A3E5C33.793B5684@ocsinternet.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> If you've been rooted, then the logs are probably no good. But check your
> wtmp for logons, and messages, and well if you don't see anything unusual
> there then they've probably been wiped. Have you regained root yet?
> Personally I would pull the box off net and backup the important config
> stuff, then blast it....but hey I tend to be a bit of an extremist in
> these cases...

A very helpful trick I did on a Linux box once that was rooted where Mr.
Friendly did a "rm -fr /" to try to make my life as difficult as possible
was: (after installing the erased drive on a new machine)

	strings /dev/hdc1 > keepme_hdc1

Due to the fact that "rm" really doesn't erase anything, the contents were
still there - doing a "strings" on the raw partition will retrieve a lot.

With a bit of patience, it's amazing what will show up -- usually, the
former contents of /var/log/* will show up as large chunks that are easily
read... Turns out I found this guy's IP address and the time the system
was blasted - a call to MCI resulted in a small amount of satisfaction...

--mike

From owner-freebsd-net Tue Dec 19 2:11: 8 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 02:11:05 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from oulu.fi (ousrvr.oulu.fi [130.231.240.1]) by hub.freebsd.org (Postfix) with ESMTP id 7C65C37B400; Tue, 19 Dec 2000 02:11:04 -0800 (PST)
Received: from ee.oulu.fi (ees2.oulu.fi [130.231.61.23]) by oulu.fi (8.8.5/8.8.5) with ESMTP id MAA10188; Tue, 19 Dec 2000 12:11:02 +0200 (EET)
Received: from stekt49 (stekt49 [130.231.60.89]) by ee.oulu.fi (8.11.1/8.11.1) with ESMTP id eBJAB1I19480; Tue, 19 Dec 2000 12:11:01 +0200 (EET)
Date: Tue, 19 Dec 2000 12:11:01 +0200 (EET)
From: Ana Romero
X-Sender:
To: ,
Subject: PC with two network cards
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

HI!!

I have two network cards in my PC with FreeBSD 4.0, a 3COM Ethernet card
and a WaveLAN card. Both are attached to the same subnetwork, I mean, both
have the same subnetwork address, but different host addresses. They are
configured in the rc.conf file and in /etc/hosts, but when I try
ifconfig -a the Ethernet card is running and ping works perfectly, but the
WaveLAN has inet 0.0.0.0 and ping doesn't work (but the card is running).

Ana

From owner-freebsd-net Tue Dec 19 2:33:40 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 02:33:37 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from freebsd.dk (freebsd.dk [212.242.42.178]) by hub.freebsd.org (Postfix) with ESMTP id 445FD37B69C; Tue, 19 Dec 2000 02:33:07 -0800 (PST)
Received: (from sos@localhost) by freebsd.dk (8.9.3/8.9.1) id LAA20319; Tue, 19 Dec 2000 11:37:35 +0100 (CET) (envelope-from sos)
From: Soren Schmidt
Message-Id: <200012191037.LAA20319@freebsd.dk>
Subject: Re: PC with two network cards
In-Reply-To: from Ana Romero at "Dec 19, 2000 12:11:01 pm"
To: anar@ees2.oulu.fi (Ana Romero)
Date: Tue, 19 Dec 2000 11:37:35 +0100 (CET)
Cc: freeBSD-mobile@FreeBSD.ORG, freeBSD-net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It seems Ana Romero wrote:
> HI!!
> I have two network cards in my PC with FreeBSD 4.0, a
> 3COM Ethernet card and a WaveLAN card. Both are attached to the same subnetwork,
> I mean, both have the same subnetwork address, but different host addresses.
> They are configured in the rc.conf file and in
> /etc/hosts, but when I try ifconfig -a the Ethernet card
> is running and ping works perfectly, but
> the WaveLAN has inet 0.0.0.0 and ping doesn't work (but
> the card is running).

You need to set up the WaveLAN via the pccard_ether script or hardcode
the ifconfig in pccard.conf... An ifconfig via rc.conf won't work on
the WaveLAN as it is found after the network setups....

-Søren

From owner-freebsd-net Tue Dec 19 6:26: 4 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 06:25:57 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 6CC3B37B404; Tue, 19 Dec 2000 06:25:57 -0800 (PST)
Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id GAA05841; Tue, 19 Dec 2000 06:25:48 -0800 (PST) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id GAA87896; Tue, 19 Dec 2000 06:25:47 -0800 (PST) (envelope-from Don.Lewis@tsc.tdk.com)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id GAA14731; Tue, 19 Dec 2000 06:25:46 -0800 (PST)
From: Don Lewis
Message-Id: <200012191425.GAA14731@salsa.gv.tsc.tdk.com>
Date: Tue, 19 Dec 2000 06:25:46 -0800
In-Reply-To: <20001218182600.C1856@skriver.dk>
References: <20001218182600.C1856@skriver.dk>
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: Jesper Skriver, Kris Kennaway, Poul-Henning Kamp
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Cc: security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Sender: gdonl@tsc.tdk.com
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Dec 18, 6:26pm, Jesper Skriver wrote:
} Subject: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_
} Hi,
}
} I'm trying to find out what to do now regarding this.
}
} To summarize.
}
} PHK committed my original patch, this patch has the following
} functionality
} - When an ICMP administrative prohibited is received, it zaps
}   all TCP sessions in SYN-SENT state matching the source and destination
}   IP addresses and TCP port numbers in the IP header + 8 bytes from the
}   ICMP packet.
} - It does not match against TCP sequence number
} - disabled by default
}
} Yesterday I submitted a new diff, with the following changes to the
} above.
}
} - Matches against the TCP sequence number in the IP header + 8 bytes
}   from the ICMP packet, against the last unacknowledged packet in the
}   TCP session matching the source and destination IP addresses and
}   TCP port numbers, these must be equal, thus it only matches if the
}   ICMP unreachable is for the last sent packet.
}   This is very secure, but in reality only has effect when setting up
}   the session, as it doesn't work with multiple outstanding packets,
}   it does work when setting up sessions, as the window will be zero
}   here.
}   this could be fixed by something like (*)
} - Check for SYN-SENT state removed
} - enabled by default
}
} What I will suggest at this point, is to do one of 2 things:
}
} 1) Extend the original diff PHK committed to check for sequence number,
}    and enable it by default, trivial as it's part of the second diff.
} 2) Fix the second diff with the below code.
}
} For both I'll also add an extra check if the IP header in the ICMP packet
} has options set, and if it has, don't act on it, this applies to both,
} the reason for this is, if it has options set, we'll miss some (or all)
} of the 8 bytes from the TCP header, and thus, we'll not know port and
} sequence numbers.
}
} What do you prefer ? When I know this, I'll post a new diff for review.
}
} (*) replace
}
}     if (tp->snd_una != tcp_sequence) {
}
} with
}
}     /*
}      * First check: if sequence numbers have wrapped, don't act on this.
}      * Second -"- : if the sequence number from the ICMP packet is for an
}      *              "old" packet, it's probably spoofed, don't act on this.
}      * Third -"- : if the sequence number from the ICMP packet is for a
}      *             packet from the future, it's spoofed, don't act on this.
}      */
}     if ((tp->snd_max < tp->snd_una) || (tcp_sequence < tp->snd_una) || \
}         (tp->snd_max < tcp_sequence)) {

The sequence number comparisons should use the SEQ_xx() macros, which
handle sequence number wrapping. The sanity checks should probably be the
same as incoming RST validation; see the code in tcp_input() for the code
and matching comments. In the SYN-SENT state, this would translate to:

	if (SEQ_LEQ(tcp_sequence, tp->iss) ||
	    SEQ_GT(tcp_sequence, tp->snd_max)) {
		/* ignore the icmp */

In the other states, RFC 793 says that the RST sanity checking is done by
comparing the sequence number of the incoming RST packet against the
transmit window (our outgoing acknowledgement numbers). The host sending
the RST is supposed to copy the acknowledgement number from an incoming
packet to the sequence number of the outgoing RST packet. This presents a
bit of a problem if we try to do the same thing with ICMP, since it
appears that the acknowledgement number is trimmed off the data that is
returned in the ICMP packet.

It's been too long a day for me to figure out the security implications
of nuking non-SYN-SENT connections based on the sequence number (which
would still be better than nuking these connections without any
additional checking). If we want to do this, the test should probably be:

	if (SEQ_LEQ(tcp_sequence, tp->snd_una) ||
	    SEQ_GT(tcp_sequence, tp->snd_max)) {

though someone needs to check this for fencepost errors.

From owner-freebsd-net Tue Dec 19 7: 8:34 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 07:08:32 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from bilver.wjv.com (dhcp-1-184.n01.orldfl01.us.ra.verio.net [157.238.210.184]) by hub.freebsd.org (Postfix) with ESMTP id 2683037B400 for ; Tue, 19 Dec 2000 07:08:31 -0800 (PST)
Received: (from bill@localhost) by bilver.wjv.com (8.9.3/8.9.3) id KAA22080 for freebsd-net@freebsd.org; Tue, 19 Dec 2000 10:08:29 -0500 (EST) (envelope-from bill)
Date: Tue, 19 Dec 2000 10:07:45 -0500
From: Bill Vermillion
To: freebsd-net@freebsd.org
Subject: Re: Hacked computer
Message-ID: <20001219100745.B21801@wjv.com>
Reply-To: bv@bilver.wjv.com
References: <3A3E5C33.793B5684@ocsinternet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from mike@argos.org on Tue, Dec 19, 2000 at 03:24:15AM -0500
Organization: W.J.Vermillion / Orlando - Winter Park
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Dec 19, 2000 at 03:24:15AM -0500, Mike Nowlin thus spoke:
> > If you've been rooted, then the logs are probably no good. But
> > check your wtmp for logons, and messages, and well if you don't
> > see anything unusual there then they've probably been wiped. Have
> > you regained root yet?

...
...

> Due to the fact that "rm" really doesn't erase anything, the
> contents were still there - doing a "strings" on the raw partition
> will retrieve a lot.

> With a bit of patience, it's amazing what will show up -- usually,
> the former contents of /var/log/* will show up as large chunks
> that are easily read... Turns out I found this guy's IP address
> and the time the system was blasted - a call to MCI resulted in a
> small amount of satisfaction...

It's amazing what TCT - The Coroner's Toolkit - will display.
'lazarus' causes files to rise from the dead. Used ahead of time you
can run MD5 on the entire system so you can check everything if you
believe you've been broken into.

Dan Farmer and Wietse Venema wrote it.

Bill
-- 
Bill Vermillion - bv @ wjv . com

From owner-freebsd-net Tue Dec 19 7:22:41 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 07:22:39 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from bilver.wjv.com (dhcp-1-118.n01.orldfl01.us.ra.verio.net [157.238.210.118]) by hub.freebsd.org (Postfix) with ESMTP id 9FA8037B402 for ; Tue, 19 Dec 2000 07:22:37 -0800 (PST)
Received: (from bill@localhost) by bilver.wjv.com (8.9.3/8.9.3) id KAA22152 for freebsd-net@freebsd.org; Tue, 19 Dec 2000 10:22:32 -0500 (EST) (envelope-from bill)
Date: Tue, 19 Dec 2000 10:22:23 -0500
From: Bill Vermillion
To: freebsd-net@freebsd.org
Subject: Re: Hacked computer
Message-ID: <20001219102223.C21801@wjv.com>
Reply-To: bv@bilver.wjv.com
References: <3A3E5C33.793B5684@ocsinternet.com> <20001219100745.B21801@wjv.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001219100745.B21801@wjv.com>; from bill@bilver.wjv.com on Tue, Dec 19, 2000 at 10:07:45AM -0500
Organization: W.J.Vermillion / Orlando - Winter Park
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Dec 19, 2000 at 10:07:45AM -0500, Bill Vermillion thus spoke:
> On Tue, Dec 19, 2000 at 03:24:15AM -0500, Mike Nowlin thus spoke:

Damn - been one of those days. I looked at the sources to get Wietse's
name spelled right, and copied out the source address but neglected to
include that. Bad form to follow up your own message - the relevant part
is below for reference.

Here are the addresses for the source:

http://www.fish.com/forensics/
http://www.porcupine.org/forensics/

> > With a bit of patience, it's amazing what will show up -- usually,
> > the former contents of /var/log/* will show up as large chunks
> > that are easily read... Turns out I found this guy's IP address
> > and the time the system was blasted - a call to MCI resulted in a
> > small amount of satisfaction...
>
> It's amazing what TCT - The Coroner's Toolkit - will display.
> 'lazarus' causes files to rise from the dead. Used ahead of
> time you can run MD5 on the entire system so you can check
> everything if you believe you've been broken into.
>
> Dan Farmer and Wietse Venema wrote it.
>
> Bill
> --
> Bill Vermillion - bv @ wjv . com

-- 
Bill Vermillion - bv @ wjv . com

From owner-freebsd-net Tue Dec 19 9:46:48 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 09:46:45 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.66]) by hub.freebsd.org (Postfix) with ESMTP id 5890937B400; Tue, 19 Dec 2000 09:46:44 -0800 (PST)
Received: from billy-club.village.org (billy-club.village.org [10.0.0.3]) by rover.village.org (8.11.0/8.11.0) with ESMTP id eBJHkgs14074; Tue, 19 Dec 2000 10:46:43 -0700 (MST) (envelope-from imp@billy-club.village.org)
Received: from billy-club.village.org (localhost [127.0.0.1]) by billy-club.village.org (8.11.1/8.8.3) with ESMTP id eBJHlDs37049; Tue, 19 Dec 2000 10:47:13 -0700 (MST)
Message-Id: <200012191747.eBJHlDs37049@billy-club.village.org>
To: Soren Schmidt
Subject: Re: PC with two network cards
Cc: anar@ees2.oulu.fi (Ana Romero), freeBSD-mobile@FreeBSD.ORG, freeBSD-net@FreeBSD.ORG
In-reply-to: Your message of "Tue, 19 Dec 2000 11:37:35 +0100." <200012191037.LAA20319@freebsd.dk>
References: <200012191037.LAA20319@freebsd.dk>
Date: Tue, 19 Dec 2000 10:47:12 -0700
From: Warner Losh
Sender: imp@billy-club.village.org
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <200012191037.LAA20319@freebsd.dk> Soren Schmidt writes:
: You need to set up the WaveLAN via the pccard_ether script or hardcode
: the ifconfig in pccard.conf... An ifconfig via rc.conf won't work on
: the WaveLAN as it is found after the network setups....

Or you need to add -z to the pccard flags:

	pccardd_flags="-z"

in /etc/rc.conf. This will force pccardd to wait until it has succeeded
or failed to attach a device in each slot before going into the
background.

Warner

From owner-freebsd-net Tue Dec 19 10:19:38 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 10:19:34 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97]) by hub.freebsd.org (Postfix) with ESMTP id 593EE37B400; Tue, 19 Dec 2000 10:19:30 -0800 (PST)
Received: by freesbee.wheel.dk (Postfix, from userid 1001) id 253CB3E4F; Tue, 19 Dec 2000 19:19:29 +0100 (CET)
Date: Tue, 19 Dec 2000 19:19:29 +0100
From: Jesper Skriver
To: Don Lewis
Cc: Kris Kennaway, Poul-Henning Kamp, security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001219191929.D40568@skriver.dk>
References: <20001218182600.C1856@skriver.dk> <200012191425.GAA14731@salsa.gv.tsc.tdk.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200012191425.GAA14731@salsa.gv.tsc.tdk.com>; from Don.Lewis@tsc.tdk.com on Tue, Dec 19, 2000 at 06:25:46AM -0800
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Dec 19, 2000 at 06:25:46AM -0800, Don Lewis wrote:
> In the other states, RFC 793 says that the RST sanity checking is done by
> comparing the sequence number of the incoming RST packet against
> the transmit window (our outgoing acknowledgement numbers). The host
> sending the RST is supposed to copy the acknowledgement number from
> an incoming packet to the sequence number of the outgoing RST packet.
> This presents a bit of a problem if we try to do the same thing with ICMP,
> since it appears that the acknowledgement number is trimmed off the
> data that is returned in the ICMP packet.
>
> It's been too long a day for me to figure out the security implications
> of nuking non-SYN-SENT connections based on the sequence number (which
> would still be better than nuking these connections without any additional
> checking). If we want to do this, the test should probably be:
>
> 	if (SEQ_LEQ(tcp_sequence, tp->snd_una) ||
> 	    SEQ_GT(tcp_sequence, tp->snd_max)) {
>
> though someone needs to check this for fencepost errors.

It should be

	if (SEQ_LT(tcp_sequence, tp->snd_una) ||
	    SEQ_GT(tcp_sequence, tp->snd_max)) {

as the sequence number will be == tp->snd_una when the window is zero.

I'll submit a new diff later tonight. As I haven't heard anything, I'll
make a sysctl control whether it should have effect on all sessions, or
only those in SYN-SENT state, defaulting to those in SYN-SENT state only.

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.

From owner-freebsd-net Tue Dec 19 12:58:46 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 12:58:43 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from virtual.sysadmin-inc.com (lists.sysadmin-inc.com [209.16.228.140]) by hub.freebsd.org (Postfix) with ESMTP id 4A56437B400 for ; Tue, 19 Dec 2000 12:58:41 -0800 (PST)
Received: from wkst ([209.16.228.146]) by virtual.sysadmin-inc.com (8.9.1/8.9.1) with SMTP id QAA00528 for ; Tue, 19 Dec 2000 16:02:09 -0500
Reply-To:
From: "Peter Brezny"
To:
Subject:
Date: Tue, 19 Dec 2000 15:57:30 -0800
Message-ID: <002d01c06a17$73302120$46010a0a@sysadmininc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Importance: Normal
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is there a way that I can temporarily suppress kernel arp errors from
popping up on the console until I'm done with my config?

I'm reconfiguring a network into separate internal and external segments
separated by a firewall. However, it's going to take me a little while to
do it, and in order to keep things functioning until it's done, I'm going
to have to keep both the inside and outside NICs plugged into the same
switch (which gives a lot of errors like this).

/kernel: arp: 10.10.1.70 is on rl0 but got reply from (mac) on fpx0

TIA

Peter Brezny
SysAdmin Services Inc.

From owner-freebsd-net Tue Dec 19 12:58:50 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 12:58:46 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from ebola.biohz.net (ebola.biohz.net [206.80.1.35]) by hub.freebsd.org (Postfix) with ESMTP id 5E48937B402; Tue, 19 Dec 2000 12:58:44 -0800 (PST)
Received: from flu (localhost [127.0.0.1]) by ebola.biohz.net (Postfix) with SMTP id 7F2D43A3FC; Tue, 19 Dec 2000 12:58:38 -0800 (PST)
Message-ID: <024e01c069fe$75e49c20$0402010a@biohz.net>
From: "Renaud Waldura"
To: "Ana Romero"
Cc: ,
References: <200012191037.LAA20319@freebsd.dk> <200012191747.eBJHlDs37049@billy-club.village.org>
Subject: Re: PC with two network cards (one of them a Wavelan!)
Date: Tue, 19 Dec 2000 12:58:38 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Also read this, a complete HOWTO about wireless networking and FreeBSD:

http://www.live.com/wireless/unix-base-station.html

It should answer your question fully.

----- Original Message -----
From: "Warner Losh"
To: "Soren Schmidt"
Cc: "Ana Romero" ; ;
Sent: Tuesday, December 19, 2000 9:47 AM
Subject: Re: PC with two network cards

> In message <200012191037.LAA20319@freebsd.dk> Soren Schmidt writes:
> : You need to set up the WaveLAN via the pccard_ether script or hardcode
> : the ifconfig in pccard.conf... An ifconfig via rc.conf won't work on
> : the WaveLAN as it is found after the network setups....
>
> Or you need to add -z to the pccard flags:
> 	pccardd_flags="-z"
> in /etc/rc.conf. This will force pccardd to wait until it has
> succeeded or failed to attach a device in each slot before going into
> the background.
>
> Warner

From owner-freebsd-net Tue Dec 19 13:27:49 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 13:27:33 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97]) by hub.freebsd.org (Postfix) with ESMTP id 5A3EC37B402; Tue, 19 Dec 2000 13:27:32 -0800 (PST)
Received: by freesbee.wheel.dk (Postfix, from userid 1001) id DEBB53E4B; Tue, 19 Dec 2000 22:27:30 +0100 (CET)
Date: Tue, 19 Dec 2000 22:27:30 +0100
From: Jesper Skriver
To: Kris Kennaway, Poul-Henning Kamp
Cc: security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.org
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001219222730.A29741@skriver.dk>
References: <20001218182600.C1856@skriver.dk>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="17pEHd4RhPHOinZp"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001218182600.C1856@skriver.dk>; from jesper@skriver.dk on Mon, Dec 18, 2000 at 06:26:00PM +0100
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--17pEHd4RhPHOinZp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Mon, Dec 18, 2000 at 06:26:00PM +0100, Jesper Skriver wrote:
> Hi,
>
> I'm trying to find out what to do now regarding this.
>
> To summarize.
>
> PHK committed my original patch, this patch has the following
> functionality
> - When an ICMP administrative prohibited is received, it zaps
>   all TCP sessions in SYN-SENT state matching the source and destination
>   IP addresses and TCP port numbers in the IP header + 8 bytes from the
>   ICMP packet.
> - It does not match against TCP sequence number
> - disabled by default
>
> Yesterday I submitted a new diff, with the following changes to the
> above.
>
> - Matches against the TCP sequence number in the IP header + 8 bytes
>   from the ICMP packet, against the last unacknowledged packet in the
>   TCP session matching the source and destination IP addresses and
>   TCP port numbers, these must be equal, thus it only matches if the
>   ICMP unreachable is for the last sent packet.
>   This is very secure, but in reality only has effect when setting up
>   the session, as it doesn't work with multiple outstanding packets,
>   it does work when setting up sessions, as the window will be zero
>   here.
>   this could be fixed by something like (*)
> - Check for SYN-SENT state removed
> - enabled by default

I've got little response to my previous mail, so here is a new diff
(relative to -current), which I suggest committing; I think this solves
all the issues people have brought up.

It has the following functionality.

- If the sysctl net.inet.tcp.icmp_admin_prohib_like_rst == 1 (default)
  it enables the below.
- When an ICMP administratively prohibited is received, it checks if the
  IP header attached to the ICMP packet has any options set; if it has,
  it ignores it. The reason for this is, if any options are set, the
  extra 8 bytes are no longer the first 8 bytes of the TCP header
  (source/destination ports and sequence number), which we need to find
  the right TCP session.
- Then it goes through the list of active TCP sessions; if it finds one
  with the same source/destination IP addresses and TCP port numbers, it
  checks if the sequence number it got from the ICMP packet is one of an
  unacknowledged packet from this session; if it's not, it ignores it.
- If the sysctl net.inet.tcp.icmp_like_rst_syn_sent_only == 1 (default)
  it will only zap connections in SYN-SENT state; if it's == 0 it will
  zap the connection regardless of current state.

In addition to this, I've done some cleanup compared to the diff I posted
on Sunday.

This is also submitted as PR kern/23655

Someone please review this.

/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
--17pEHd4RhPHOinZp Content-Type: text/plain; charset=us-ascii Content-Description: tcp_drop_icmp_unreach2.diff Content-Disposition: attachment; filename="tcp_drop_icmp_unreach2.diff" diff -ru sys/netinet.old/in_pcb.c sys/netinet/in_pcb.c --- sys/netinet.old/in_pcb.c Sun Dec 17 18:57:24 2000 +++ sys/netinet/in_pcb.c Tue Dec 19 21:18:58 2000 @@ -667,13 +667,14 @@ * any errors for each matching socket. */ void -in_pcbnotify(head, dst, fport_arg, laddr, lport_arg, cmd, notify) +in_pcbnotify(head, dst, fport_arg, laddr, lport_arg, cmd, notify, tcp_sequence) struct inpcbhead *head; struct sockaddr *dst; u_int fport_arg, lport_arg; struct in_addr laddr; int cmd; void (*notify) __P((struct inpcb *, int)); + u_int32_t tcp_sequence; { register struct inpcb *inp, *oinp; struct in_addr faddr; @@ -714,6 +715,15 @@ (lport && inp->inp_lport != lport) || (laddr.s_addr && inp->inp_laddr.s_addr != laddr.s_addr) || (fport && inp->inp_fport != fport)) { + inp = inp->inp_list.le_next; + continue; + } + /* + * If tcp_sequence is set, then skip sessions where + * the sequence number is not one of a unacknowledged + * packet. + */ + if ((tcp_sequence) && (tcp_seq_vs_sess(inp, tcp_sequence) == 0)) { inp = inp->inp_list.le_next; continue; } diff -ru sys/netinet.old/in_pcb.h sys/netinet/in_pcb.h --- sys/netinet.old/in_pcb.h Sun Dec 17 18:57:24 2000 +++ sys/netinet/in_pcb.h Sun Dec 17 22:47:39 2000 
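Review bot: in the @@ -667 hunk, in_pcbnotify() is the protocol-neutral walker shared by TCP and UDP (the udp_usrreq.c hunk at the end of the patch has to pass a dummy 0), yet it now takes a TCP sequence number and, in the @@ -714 hunk, calls tcp_seq_vs_sess(), which reads the inpcb as a tcpcb; keep the TCP knowledge out of in_pcb.c by doing the sequence test in the TCP notify routine (tcp_drop_syn_sent() already has the tcpcb in hand) or by passing a generic match callback instead of a raw u_int32_t.

Review bot: in the @@ -714 hunk, `if ((tcp_sequence) && (tcp_seq_vs_sess(inp, tcp_sequence) == 0))` uses the value 0 to mean "no check", but 0 is a legal TCP sequence number, so an ICMP whose quoted segment carries seq 0 skips the check entirely; pass an explicit "sequence valid" flag (or a pointer that can be NULL) next to the value. Once the address/port tuple has matched, no other inpcb can match the same tuple, so a failed sequence test should end the loop rather than `continue` to the next entry.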
@@ -290,7 +290,7 @@ struct in_addr, u_int, struct in_addr, u_int, int, struct ifnet *)); void in_pcbnotify __P((struct inpcbhead *, struct sockaddr *, - u_int, struct in_addr, u_int, int, void (*)(struct inpcb *, int))); + u_int, struct in_addr, u_int, int, void (*)(struct inpcb *, int), u_int32_t)); void in_pcbrehash __P((struct inpcb *)); int in_setpeeraddr __P((struct socket *so, struct sockaddr **nam)); int in_setsockaddr __P((struct socket *so, struct sockaddr **nam)); diff -ru sys/netinet.old/tcp_subr.c sys/netinet/tcp_subr.c --- sys/netinet.old/tcp_subr.c Sun Dec 17 18:57:24 2000 +++ sys/netinet/tcp_subr.c Tue Dec 19 21:18:00 2000 @@ -139,9 +139,20 @@ * as required by rfc1122 section 3.2.2.1 */ -static int icmp_admin_prohib_like_rst = 0; +static int icmp_admin_prohib_like_rst = 1; SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_admin_prohib_like_rst, CTLFLAG_RW, - &icmp_admin_prohib_like_rst, 0, "Treat ICMP administratively prohibited messages like TCP RST, rfc1122 section 3.2.2.1"); + &icmp_admin_prohib_like_rst, 0, + "Treat ICMP administratively prohibited messages like TCP RST, rfc1122 section 3.2.2.1"); + +/* + * When icmp_admin_prohib_like_rst is enabled, only act on + * sessions in SYN-SENT state + */ + +static int icmp_like_rst_syn_sent_only = 1; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_like_rst_syn_sent_only, CTLFLAG_RW, + &icmp_like_rst_syn_sent_only, 0, + "When icmp_admin_prohib_like_rst is enabled, only act on sessions in SYN-SENT state"); static void tcp_cleartaocache __P((void)); static void tcp_notify __P((struct inpcb *, int)); 
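Review bot: the in_pcb.h hunk's new prototype line `u_int, struct in_addr, u_int, int, void (*)(struct inpcb *, int), u_int32_t));` runs well past 80 columns; wrap it like the surrounding declarations.

Review bot: the @@ -139 hunk flips icmp_admin_prohib_like_rst to 1 by default while the same patch is still changing what gets matched; if it is to be on by default, the sysctl description should say what is matched (address/port tuple plus a sequence number in the unacknowledged range) so an administrator can judge the exposure, and the second knob only has meaning when the first is set, which its name should show (icmp_admin_prohib_like_rst_syn_sent_only rather than icmp_like_rst_syn_sent_only).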
@@ -967,10 +978,19 @@ register struct ip *ip = vip; register struct tcphdr *th; void (*notify) __P((struct inpcb *, int)) = tcp_notify; + tcp_seq tcp_sequence = 0; if (cmd == PRC_QUENCH) notify = tcp_quench; - else if ((icmp_admin_prohib_like_rst == 1) && (cmd == PRC_UNREACH_PORT) && (ip)) + else if ((icmp_admin_prohib_like_rst == 1) && (cmd == PRC_UNREACH_PORT) && + (ip) && ((IP_VHL_HL(ip->ip_vhl) << 2) == sizeof(struct ip))) + /* + * Only go here if the length of the IP header in the ICMP packet + * is 20 bytes, that is it doesn't have options, if it does have + * options, we will not have the first 8 bytes of the TCP header, + * and thus we cannot match against TCP source/destination port + * numbers and TCP sequence number. + */ notify = tcp_drop_syn_sent; else if (cmd == PRC_MSGSIZE) notify = tcp_mtudisc; @@ -980,10 +1000,12 @@ if (ip) { th = (struct tcphdr *)((caddr_t)ip + (IP_VHL_HL(ip->ip_vhl) << 2)); + if (notify == tcp_drop_syn_sent) + tcp_sequence = ntohl(th->th_seq); in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport, - cmd, notify); + cmd, notify, tcp_sequence); } else - in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify); + in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify, 0); } #ifdef INET6 
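Review bot: in the @@ -967 hunk, the `(IP_VHL_HL(ip->ip_vhl) << 2) == sizeof(struct ip)` test throws away every message whose quoted IP header carries options, and the comment's premise is wrong: an ICMP error quotes the IP header plus the 8 bytes that follow it, so with options the ports and sequence number are still present, just after the options, which is exactly where the @@ -980 hunk's `th = (struct tcphdr *)((caddr_t)ip + (IP_VHL_HL(ip->ip_vhl) << 2))` already points. Replace the options test with a check that 8 bytes really follow the quoted header. Two smaller points in the same hunk: the block comment sits between the `else if (...)` condition and its `notify = tcp_drop_syn_sent;` statement, which is legal but easy to misread, so move it above the `else if`; and the trigger is `cmd == PRC_UNREACH_PORT` while the sysctl text promises "administratively prohibited" only, so until a distinct PRC code exists for those ICMP codes (the thread already notes one would be needed) the description should say which unreachables actually trip it.

Review bot: in the @@ -980 hunk, `tcp_sequence = ntohl(th->th_seq)` reads 8 bytes past the quoted IP header with no length check in this function; whatever validation ip_icmp.c performs before calling ctlinput is what this relies on, so say so in a comment or check the length here. Using `notify == tcp_drop_syn_sent` as the "sequence number is valid" signal also ties the test to one function name; a local flag set next to `notify` is clearer and is the flag in_pcbnotify() needs anyway.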
@@ -1070,6 +1092,30 @@ #endif /* INET6 */ /* + * Check if the supplied TCP sequence number is a sequence number + * for a sent but unacknowledged packet on the given TCP session. + */ +int +tcp_seq_vs_sess(inp, tcp_sequence) + struct inpcb *inp; + tcp_seq tcp_sequence; +{ + struct tcpcb *tp = intotcpcb(inp); + /* + * If the sequence number is less than that of the last + * unacknowledged packet, or greater than that of the + * last sent, the given sequence number is not that + * of a sent but unacknowledged packet for this session. + */ + if (SEQ_LT(tcp_sequence, tp->snd_una) || + SEQ_GT(tcp_sequence, tp->snd_max)) { + return(0); + } else { + return(1); + } +} + +/* * When a source quench is received, close congestion window * to one segment. We will gradually open it again as we proceed. */ @@ -1086,7 +1132,9 @@ /* * When a ICMP unreachable is recieved, drop the - * TCP connection, but only if in SYN_SENT + * TCP connection, depending on the sysctl + * icmp_like_rst_syn_sent_only, it only drops + * the session if it's in SYN-SENT state */ void tcp_drop_syn_sent(inp, errno) @@ -1094,8 +1142,9 @@ int errno; { struct tcpcb *tp = intotcpcb(inp); - if((tp) && (tp->t_state == TCPS_SYN_SENT)) - tcp_drop(tp, errno); + if((tp) && ((icmp_like_rst_syn_sent_only == 0) || + (tp->t_state == TCPS_SYN_SENT))) + tcp_drop(tp, errno); } /* diff -ru sys/netinet.old/tcp_var.h sys/netinet/tcp_var.h --- sys/netinet.old/tcp_var.h Sun Dec 17 18:57:24 2000 +++ sys/netinet/tcp_var.h Tue Dec 19 20:16:54 2000 @@ -392,6 +392,7 @@ struct tcpcb * tcp_newtcpcb __P((struct inpcb *)); int tcp_output __P((struct tcpcb *)); +int tcp_seq_vs_sess __P((struct inpcb *, tcp_seq)); void tcp_quench __P((struct inpcb *, int)); void tcp_respond __P((struct tcpcb *, void *, struct tcphdr *, struct mbuf *, tcp_seq, tcp_seq, int)); diff -ru sys/netinet.old/udp_usrreq.c sys/netinet/udp_usrreq.c --- sys/netinet.old/udp_usrreq.c Sun Dec 17 18:57:24 2000 +++ sys/netinet/udp_usrreq.c Sun Dec 17 19:59:53 2000 
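Review bot: in the @@ -1070 hunk, tcp_seq_vs_sess() dereferences intotcpcb(inp) with no NULL test, while tcp_drop_syn_sent() a few lines down guards with `if((tp) && ...)`; be consistent and return 0 when tp is NULL. The range test also accepts `tcp_sequence == tp->snd_max`: on a connection with nothing in flight snd_una == snd_max, so an ICMP quoting the next sequence number to be sent matches a connection that cannot have provoked any error. Use SEQ_GEQ(tcp_sequence, tp->snd_max) for the upper bound (i.e. require snd_una <= seq < snd_max); the SYN-SENT case still works, since snd_una = iss, snd_max = iss + 1 and the SYN carries seq = iss.

Review bot: in the @@ -1086 and @@ -1094 hunks, the name tcp_drop_syn_sent() and its comment ("When a ICMP unreachable is recieved, drop the TCP connection") no longer describe the routine once icmp_like_rst_syn_sent_only == 0, since it then drops a connection in any state, and only on the administratively prohibited path; rename it (tcp_drop_icmp_prohib, say) and fix the comment, which also misspells "received". The tcp_var.h hunk exports tcp_seq_vs_sess() only so that in_pcb.c can call it; if the sequence test moves into the TCP notify routine it can stay static.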
@@ -512,9 +512,9 @@ if (ip) { uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2)); in_pcbnotify(&udb, sa, uh->uh_dport, ip->ip_src, uh->uh_sport, - cmd, udp_notify); + cmd, udp_notify, 0); } else - in_pcbnotify(&udb, sa, 0, zeroin_addr, 0, cmd, udp_notify); + in_pcbnotify(&udb, sa, 0, zeroin_addr, 0, cmd, udp_notify, 0); } static int --17pEHd4RhPHOinZp-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Tue Dec 19 13:34:37 2000 From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 13:34:35 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from atro.pine.nl (atro.pine.nl [213.156.0.2]) by hub.freebsd.org (Postfix) with ESMTP id AAF5B37B400 for ; Tue, 19 Dec 2000 13:34:34 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by atro.pine.nl (8.11.1/8.11.1) with ESMTP id eBJLYQb23880; Tue, 19 Dec 2000 22:34:26 +0100 (MET) Date: Tue, 19 Dec 2000 22:34:26 +0100 (MET) 
From: Mark Lastdrager
To: Peter Brezny
Subject: Re: your mail
In-Reply-To: <002d01c06a17$73302120$46010a0a@sysadmininc.com>
X-NCC-RegID: nl.pine
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At Tue, 19 Dec 2000, owner-freebsd-net@FreeBSD.ORG wrote:

>Is there a way that I can temporarily suppress kernel arp errors from popping
>up on the console until I'm done with my config?
>I'm reconfiguring a network into separate internal and external segments
>separated by a firewall. However it's going to take me a little while to do
>it, and in order to keep things functioning until it's done, I'm going to
>have to keep both the inside and outside NICs plugged into the same switch
>(which gives a lot of errors like this).
>/kernel: arp: 10.10.1.70 is on rl0 but got reply from (mac) on fpx0

killall syslogd? (or tweak /etc/syslog.conf a little)

Mark Lastdrager

-- 
Pine Internet BV :: tel. +31-70-3111010 :: fax. +31-70-3111011
PGP 92BB81D1 fingerprint 0059 7D7B C02B 38D2 A853 2785 8C87 3AF1
Today's excuse: Bogon emissions

From owner-freebsd-net Tue Dec 19 13:49:11 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 13:49:10 2000
Delivered-To: freebsd-net@freebsd.org
Received: from magellan.palisadesys.com (magellan.palisadesys.com [192.188.162.211]) by hub.freebsd.org (Postfix) with ESMTP id 716C137B400 for ; Tue, 19 Dec 2000 13:49:09 -0800 (PST)
Received: from localhost (ghelmer@localhost) by magellan.palisadesys.com (8.11.0/8.11.0) with ESMTP id eBJLn7603677; Tue, 19 Dec 2000 15:49:07 -0600
Date: Tue, 19 Dec 2000 15:49:07 -0600 (CST)
From: Guy Helmer To: Peter Brezny Cc: freebsd-net@FreeBSD.ORG Subject: Re: your mail In-Reply-To: <002d01c06a17$73302120$46010a0a@sysadmininc.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 19 Dec 2000, Peter Brezny wrote: > Is there a way that I can temporarely supress Kernel arp errors from poping > up on the console until i'm done with my config? > I'm reconfiguring a network into separate internal and external segments > separated by a firewall. However it's going to take me a little while to do > it, and in order to keep things functioning until it's done, I'm gong to > have to keep both the inside and outside nic's plugged into the same switch > (which gives a lot of errors like this). > /kernel: arp: 10.10.1.70 is on rl0 but got reply from (mac) on fpx0 > TIA > Peter Brezny > SysAdmin Services Inc. I patch if_ether.c so that it doesn't complain; I'm thinking about adding a sysctl variable to allow this behavior to be changed at runtime. *** sys/netinet/if_ether.c.ORIG Tue Oct 24 14:39:04 2000 --- sys/netinet/if_ether.c Tue Nov 21 05:32:04 2000 *************** *** 557,567 **** --- 557,569 ---- if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) { #ifndef BRIDGE /* the following is not an error when doing bridging */ if (rt->rt_ifp != &ac->ac_if) { + #ifdef NAGNAGNAG log(LOG_ERR, "arp: %s is on %s%d but got reply from %6D on %s%d\n", inet_ntoa(isaddr), rt->rt_ifp->if_name, rt->rt_ifp->if_unit, ea->arp_sha, ":", ac->ac_if.if_name, ac->ac_if.if_unit); + #endif goto reply; } #endif -- Guy Helmer, Ph.D. Sr. 
Software Engineer, Palisade Systems --- ghelmer@palisadesys.com
http://www.palisadesys.com/~ghelmer

From owner-freebsd-net Tue Dec 19 15:28:52 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 15:28:51 2000
Delivered-To: freebsd-net@freebsd.org
Received: from rigel.cs.pdx.edu (rigel.cs.pdx.edu [131.252.208.59]) by hub.freebsd.org (Postfix) with ESMTP id EBFD037B400 for ; Tue, 19 Dec 2000 15:28:50 -0800 (PST)
Received: from pollux.cs.pdx.edu (harkirat@pollux.cs.pdx.edu [131.252.223.76]) by rigel.cs.pdx.edu (8.9.1/8.9.1) with ESMTP id PAA14004 for ; Tue, 19 Dec 2000 15:28:49 -0800 (PST)
Received: from localhost (harkirat@localhost) by pollux.cs.pdx.edu (8.8.6/8.8.5) with ESMTP id PAA20978 for ; Tue, 19 Dec 2000 15:28:48 -0800 (PST)
X-Authentication-Warning: pollux.cs.pdx.edu: harkirat owned process doing -bs
Date: Tue, 19 Dec 2000 15:28:48 -0800 (PST)
From: Harkitrat Singh
To: freebsd-net@FreeBSD.ORG
Subject: Hosname lookup failure
In-Reply-To: <20001219102223.C21801@wjv.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi!

I have a tiny laptop, a Libretto 100CT; I downloaded FreeBSD (4.2) onto it and
from my home it was working fine. I brought it to school and now it is not
able to connect to the network. I changed the nameserver IP. If I ping with
an IP address then I get the error "host route not found". In case I use the
name then I get "Host name lookup failure". Ping to localhost is working fine.

Please give me some suggestions.

-Harkirat

From owner-freebsd-net Tue Dec 19 15:36:45 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 15:36:42 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mario.zyan.com (mario.zyan.com [209.250.96.140]) by hub.freebsd.org (Postfix) with ESMTP id D385E37B400 for ; Tue, 19 Dec 2000 15:36:41 -0800 (PST)
Received: from dopey.weyrich.com (orville@node-64-249-12-250.dslspeed.zyan.com [64.249.12.250]) by mario.zyan.com (8.9.3/8.9.3) with ESMTP id PAA28924 for ; Tue, 19 Dec 2000 15:36:36 -0800 (PST) (envelope-from orville@weyrich.com)
Received: from localhost (orville@localhost) by dopey.weyrich.com (8.9.3/8.6.9) with ESMTP id RAA13621; Tue, 19 Dec 2000 17:06:16 -0700
Date: Tue, 19 Dec 2000 17:06:16 -0700 (MST)
From: "Orville R. Weyrich.Jr"
To: Harkitrat Singh
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Hosname lookup failure
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Do you have to set a default route to a gateway server? Ask your network
administrator (or check the configuration of a buddy's machine).

On Tue, 19 Dec 2000, Harkitrat Singh wrote:

> Hi!
>
> I have a tiny laptop, a Libretto 100CT; I downloaded FreeBSD (4.2) onto it and
> from my home it was working fine. I brought it to school and now it is not
> able to connect to the network. I changed the nameserver IP. If I ping with
> an IP address then I get the error "host route not found". In case I use the
> name then I get "Host name lookup failure". Ping to localhost is working fine.
>
> Please give me some suggestions.
>
> -Harkirat

===================================================================
IF YOU WANT REFORM >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> VOTE REFORM
-------------------------------------------------------------------
Orville R. Weyrich, Jr.                    Weyrich Computer Consulting
mailto:orville@weyrich.com                 KD7HJV
http://www.weyrich.com
-------------------------------------------------------------------
Visit our online collection of book reviews:
http://www.weyrich.com/book_reviews/
Ask about our world wide web services!
-------------------------------------------------------------------

From owner-freebsd-net Tue Dec 19 17:24:54 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 17:24:51 2000
Delivered-To: freebsd-net@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id B26AE37B400; Tue, 19 Dec 2000 17:24:50 -0800 (PST)
Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id RAA19290; Tue, 19 Dec 2000 17:24:47 -0800 (PST) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id RAA93545; Tue, 19 Dec 2000 17:24:47 -0800 (PST) (envelope-from Don.Lewis@tsc.tdk.com)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id RAA17477; Tue, 19 Dec 2000 17:24:46 -0800 (PST)
From: Don Lewis
Message-Id: <200012200124.RAA17477@salsa.gv.tsc.tdk.com>
Date: Tue, 19 Dec 2000 17:24:46 -0800
In-Reply-To: <20001219191929.D40568@skriver.dk>
References: <20001218182600.C1856@skriver.dk> <200012191425.GAA14731@salsa.gv.tsc.tdk.com> <20001219191929.D40568@skriver.dk>
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: Jesper Skriver, Don Lewis
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Cc: Kris Kennaway, Poul-Henning Kamp, security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Sender: gdonl@tsc.tdk.com
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Dec 19, 7:19pm, Jesper Skriver wrote:
} Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c
}
} I'll submit a new one later tonight; as I haven't heard anything, I'll make a
} sysctl control if it should have effect on all sessions, or only those
} in SYN-SENT state, defaulting to those in SYN-SENT state only.

Do all ICMP unreachables kill off sessions in the SYN-SENT state or
only the administratively prohibited flavor?  If all of them do, then
only administratively prohibited ICMP unreachables should kill off
established connections so that established sessions aren't killed
off by routing flaps and other transient events.
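The checks this thread is converging on, as an added example in C (editor's code, not Jesper's patch and not FreeBSD's tcp_ctlinput(); `struct conn`, the function names and the sample addresses are assumptions): classify the unreachable code so that only the administratively prohibited ones count, which is the distinction Don asks about above; step over any options in the quoted IP header to reach the 8 bytes of TCP header that follow it (an ICMP error quotes the IP header plus 8 bytes, options or not), reading them byte-wise so no alignment is assumed; match the address/port tuple; and require the quoted sequence number to lie in the sent-but-unacknowledged range using the same modular comparison as the kernel's SEQ_LT. It goes beyond the patch in one respect: the range test is tightened to `snd_una <= seq < snd_max`, so an idle connection, which has nothing in flight, can never be matched.

```c
/* Added example (editor's code, not Jesper's patch and not FreeBSD's
 * tcp_ctlinput()): should an ICMP unreachable abort a TCP connection?
 * struct conn, the function names and the sample addresses are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Just enough connection state; snd_una/snd_max follow the patch's names. */
struct conn {
    uint32_t laddr, faddr;      /* local and foreign IPv4 address, host order */
    uint16_t lport, fport;      /* local and foreign port, host order */
    uint32_t snd_una, snd_max;  /* oldest unacked seq, highest seq sent so far */
    int syn_sent;               /* nonzero while the connection is in SYN-SENT */
};

enum verdict { KEEP = 0, DROP = 1 };

/* Type 3 codes 9, 10 and 13 are the administratively prohibited ones; net and
 * host unreachable (codes 0 and 1) are transient and must never abort. */
static int is_admin_prohib(uint8_t type, uint8_t code)
{
    return type == 3 && (code == 9 || code == 10 || code == 13);
}

/* Modular comparison, the same idea as the kernel's SEQ_LT(). */
static int seq_lt(uint32_t a, uint32_t b) { return ((a - b) & 0x80000000u) != 0; }

/* Byte-wise big-endian access: no alignment or host byte order assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* icmp/len: the ICMP message, i.e. the 8-byte ICMP header followed by the
 * quoted IP header (options included) and at least 8 bytes of its payload.
 * syn_sent_only plays the role of the patch's icmp_like_rst_syn_sent_only. */
enum verdict icmp_unreach_verdict(const uint8_t *icmp, size_t len,
                                  const struct conn *c, int syn_sent_only)
{
    const uint8_t *ip, *tcp;
    size_t ihl;
    uint32_t seq;

    if (len < 8 + 20 || !is_admin_prohib(icmp[0], icmp[1]))
        return KEEP;
    ip = icmp + 8;
    ihl = (size_t)(ip[0] & 0x0f) * 4;            /* header length incl. options */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6)
        return KEEP;                             /* not IPv4, bad IHL, not TCP */
    if (len < 8 + ihl + 8)
        return KEEP;                             /* the 8 TCP bytes are missing */
    tcp = ip + ihl;                              /* ports and seq follow the options */

    /* The quoted datagram is one we sent, so its source is our local side. */
    if (rd32(ip + 12) != c->laddr || rd32(ip + 16) != c->faddr ||
        rd16(tcp) != c->lport || rd16(tcp + 2) != c->fport)
        return KEEP;

    /* Only a segment still in flight can have provoked the error: require
     * snd_una <= seq < snd_max.  The strict upper bound means an idle
     * connection (snd_una == snd_max) can never be matched. */
    seq = rd32(tcp + 4);
    if (seq_lt(seq, c->snd_una) || !seq_lt(seq, c->snd_max))
        return KEEP;
    if (syn_sent_only && !c->syn_sent)
        return KEEP;
    return DROP;
}

/* Constructed sample: 192.0.2.10:40000 -> 198.51.100.1:80 with its SYN
 * (seq 1000) outstanding, so snd_una = 1000 and snd_max = 1001. */
struct conn sample_conn(int syn_sent)
{
    struct conn c = { 0xC000020Au, 0xC6336401u, 40000, 80, 1000, 1001, 0 };
    c.syn_sent = syn_sent;
    return c;
}

/* Constructed ICMP type 3 message quoting an IPv4/TCP header, with a 4-byte
 * NOP,NOP,NOP,EOL option block when with_option is set; buf needs 40 bytes.
 * Checksums stay zero: they play no part in this check.  Returns the length. */
size_t build_icmp(uint8_t *buf, uint8_t code, int with_option,
                  const struct conn *c, uint32_t seq)
{
    size_t ihl = with_option ? 24 : 20, n = 8;
    memset(buf, 0, 40);
    buf[0] = 3; buf[1] = code;                   /* type: destination unreachable */
    buf[n] = (uint8_t)(0x40 | (ihl / 4));        /* version 4, IHL in 32-bit words */
    buf[n + 9] = 6;                              /* protocol: TCP */
    wr32(buf + n + 12, c->laddr); wr32(buf + n + 16, c->faddr);
    if (with_option)
        buf[n + 20] = buf[n + 21] = buf[n + 22] = 1;   /* NOP NOP NOP, then EOL (0) */
    n += ihl;
    wr16(buf + n, c->lport); wr16(buf + n + 2, c->fport);
    wr32(buf + n + 4, seq);
    return n + 8;
}
```

build_icmp() fabricates the ICMP message for the sample connection: with code 13 and an option-bearing quoted header the verdict is DROP; with code 1 (host unreachable), a sequence number the connection never sent, a mismatched port, or a message truncated before the TCP bytes it is KEEP; and with syn_sent_only set an established connection is left alone, while clearing it lets the check apply to any state, wrapped sequence space included.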
From owner-freebsd-net Tue Dec 19 18:21:46 2000
From owner-freebsd-net@FreeBSD.ORG Tue Dec 19 18:21:42 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mail.getrelevant.com (mail.getrelevant.com [63.211.149.12]) by hub.freebsd.org (Postfix) with ESMTP id 579F937B400; Tue, 19 Dec 2000 18:21:42 -0800 (PST)
Received: from khmere.com ([63.211.149.44]) by mail.getrelevant.com (Lotus Domino Release 5.0.5) with ESMTP id 2000121918185077:17647 ; Tue, 19 Dec 2000 18:18:50 -0800
Sender: nathan@FreeBSD.ORG
Message-ID: <3A40179A.4708D29@khmere.com>
Date: Tue, 19 Dec 2000 18:21:14 -0800
From: Nathan Boeger
Organization: Getrelevant
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: "freebsd-net@FreeBSD.ORG", "freebsd-hackers@FreeBSD.ORG"
Subject: eepro100 dual port cards with failover ?
X-MIMETrack: Itemize by SMTP Server on notes/GetRelevant(Release 5.0.5 |September 22, 2000) at 12/19/2000 06:18:50 PM, Serialize by Router on notes/GetRelevant(Release 5.0.5 |September 22, 2000) at 12/19/2000 06:18:56 PM, Serialize complete at 12/19/2000 06:18:56 PM
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

We need to use the Intel PRO/100+ dual port server adapter, and I wanted
to know if FreeBSD supports them?

I guess that the card is a dual port (2 x RJ45) card and it uses only 1 IP
for both ports, and if one switch goes down it will automatically fail over
to the other port? Is this at the driver level or at the hardware level?
(if anyone knows)

And if FreeBSD does not support them, then can anyone recommend something
similar?

thank you

nathan

From owner-freebsd-net Wed Dec 20  1:28:42 2000
From owner-freebsd-net@FreeBSD.ORG Wed Dec 20 01:28:38 2000
Delivered-To: freebsd-net@freebsd.org
Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97]) by hub.freebsd.org (Postfix) with ESMTP id 194D237B400; Wed, 20 Dec 2000 01:28:38 -0800 (PST)
Received: by freesbee.wheel.dk (Postfix, from userid 1001) id E7F8A3E4A; Wed, 20 Dec 2000 10:28:36 +0100 (CET)
Date: Wed, 20 Dec 2000 10:28:36 +0100
From: Jesper Skriver
To: Don Lewis
Cc: Kris Kennaway, Poul-Henning Kamp, security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001220102836.A71228@skriver.dk>
References: <20001218182600.C1856@skriver.dk> <200012191425.GAA14731@salsa.gv.tsc.tdk.com> <20001219191929.D40568@skriver.dk> <200012200124.RAA17477@salsa.gv.tsc.tdk.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200012200124.RAA17477@salsa.gv.tsc.tdk.com>; from Don.Lewis@tsc.tdk.com on Tue, Dec 19, 2000 at 05:24:46PM -0800
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Dec 19, 2000 at 05:24:46PM -0800, Don Lewis wrote:
> On Dec 19, 7:19pm, Jesper Skriver wrote:
> } Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c
> }
> } I'll submit a new one later tonight; as I haven't heard anything, I'll make a
> } sysctl control if it should have effect on all sessions, or only those
> } in SYN-SENT state, defaulting to those in SYN-SENT state only.
>
> Do all ICMP unreachables kill off sessions in the SYN-SENT state or
> only the administratively prohibited flavor?

Only the administratively prohibited ones.

> If all of them do, then
> only administratively prohibited ICMP unreachables should kill off
> established connections so that established sessions aren't killed
> off by routing flaps and other transient events.

Agree, but then we need a new PRC_ADMINPROHIB or something like that.
I'll look at that, but first I think we should get this committed, and
we can do the other as a followup.
/Jesper

-- 
Jesper Skriver, jesper(at)skriver(dot)dk  -  CCIE #5456
Work:    Network manager   @ AS3292 (Tele Danmark DataNetworks)
Private: Geek              @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.

From owner-freebsd-net Wed Dec 20  1:54:42 2000
From owner-freebsd-net@FreeBSD.ORG Wed Dec 20 01:54:39 2000
Delivered-To: freebsd-net@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 3B37D37B400; Wed, 20 Dec 2000 01:54:39 -0800 (PST)
Received: (from jkoshy@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id eBK9sdF96403; Wed, 20 Dec 2000 01:54:39 -0800 (PST) (envelope-from jkoshy)
Date: Wed, 20 Dec 2000 01:54:39 -0800 (PST)
From:
Message-Id: <200012200954.eBK9sdF96403@freefall.freebsd.org>
X-Mailer: exmh version 2.0.2 2/24/98
To: freebsd-net@FreeBSD.org
Cc: jkh@FreeBSD.org, freebsd-advocacy@FreeBSD.org
Subject: IPv6 status in FreeBSD
Mime-Version: 1.0
Content-Type: text/plain
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

It so happens that there is an opportunity to present a short talk on
FreeBSD at an upcoming global IPv6 conference being held nearby, and as a
committer living in the vicinity, I'm considering doing some advocacy and
talking about our V6 capability in the 4-STABLE and 5-CURRENT branches.

If you have information (URLs, docs, earlier presentations, ...) that I
could look at and borrow from, then these will be much appreciated.

The URL for the conference: http://ipv6.india.hp.com/summit/index.htm

Thanks,
Koshy

From owner-freebsd-net Wed Dec 20  2:46:43 2000
From owner-freebsd-net@FreeBSD.ORG Wed Dec 20 02:46:26 2000
Delivered-To: freebsd-net@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (Postfix) with ESMTP id 5A42837B400; Wed, 20 Dec 2000 02:46:26 -0800 (PST)
Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id CAA26362; Wed, 20 Dec 2000 02:46:22 -0800 (PST) (envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id CAA96135; Wed, 20 Dec 2000 02:46:21 -0800 (PST) (envelope-from Don.Lewis@tsc.tdk.com)
Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id CAA19456; Wed, 20 Dec 2000 02:46:21 -0800 (PST)
From: Don Lewis
Message-Id: <200012201046.CAA19456@salsa.gv.tsc.tdk.com>
Date: Wed, 20 Dec 2000 02:46:21 -0800
In-Reply-To: <20001219222730.A29741@skriver.dk>
References: <20001218182600.C1856@skriver.dk> <20001219222730.A29741@skriver.dk>
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: Jesper Skriver, Kris Kennaway, Poul-Henning Kamp
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Cc: security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Sender: gdonl@tsc.tdk.com
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Dec 19, 10:27pm, Jesper Skriver wrote:
} Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c
}
} --17pEHd4RhPHOinZp
} Content-Type: text/plain; charset=us-ascii
} Content-Disposition: inline
}
} On Mon, Dec 18, 2000 at 06:26:00PM +0100, Jesper Skriver wrote:
} > Hi,
} >
} > I'm trying to find out what to do now regarding this.
} >
} > To summarize.
} >
} > PHK committed my original patch; this patch has the following
} > functionality:
} > - When an ICMP administratively prohibited is received, it zaps
} >   all TCP sessions in SYN-SENT state matching the source and destination
} >   IP addresses and TCP port numbers in the IP header + 8 bytes from the
} >   ICMP packet.
} > - It does not match against the TCP sequence number.
} > - Disabled by default.
} >
} > Yesterday I submitted a new diff, with the following changes to the
} > above.
} >
} > - Matches the TCP sequence number in the IP header + 8 bytes
} >   from the ICMP packet against the last unacknowledged packet in the
} >   TCP session matching the source and destination IP addresses and
} >   TCP port numbers; these must be equal, thus it only matches if the
} >   ICMP unreachable is for the last sent packet.
} >   This is very secure, but in reality only has effect when setting up
} >   the session, as it doesn't work with multiple outstanding packets;
} >   it does work when setting up sessions, as the window will be zero
} >   here.
} >   this could be fixed by something like (*)
} > - Check for SYN-SENT state removed
} > - Enabled by default
}
} I've got little response to my previous mail, so here is a new diff
} (relative to -current), which I suggest to commit; I think this solves
} all the issues people have brought up.
}
} It has the following functionality.
}
} - If the sysctl net.inet.tcp.icmp_admin_prohib_like_rst == 1 (default)
}   it enables the below.
} - When an ICMP administratively prohibited is received, it checks if the
}   IP header attached to the ICMP packet has any options set; if it has,
}   it ignores it. The reason for this is, if any options are set, the extra
}   8 bytes are no longer the first 8 bytes of the TCP header, i.e. source/
}   destination ports and sequence number, which we need to find the
}   right TCP session.

According to Stevens, we should get the first 8 bytes of the TCP header
even if there are options on the ICMP packet.  We would have to be
careful to do sanity checking in this case, as well as guard against
unaligned accesses to the TCP header data.

} - Then it goes through the list of active TCP sessions; if it finds one
}   with the same source/destination IP addresses and TCP port numbers, it
}   checks if the sequence number it got from the ICMP packet is one of
}   an unacknowledged packet from this session; if it's not, it ignores it.
} - If the sysctl net.inet.tcp.icmp_like_rst_syn_sent_only == 1 (default)
}   it will only zap connections in SYN-SENT state; if it's == 0 it will
}   zap the connection regardless of current state.
}
} In addition to this, I've done some cleanup compared to the diff I
} posted on Sunday.
}
} This is also submitted as PR kern/23655
}
} Someone please review this.
} } /Jesper } } -- } Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456 } Work: Network manager @ AS3292 (Tele Danmark DataNetworks) } Private: Geek @ AS2109 (A much smaller network ;-) } } One Unix to rule them all, One Resolver to find them, } One IP to bring them all and in the zone to bind them. } } --17pEHd4RhPHOinZp } Content-Type: text/plain; charset=us-ascii } Content-Description: tcp_drop_icmp_unreach2.diff } Content-Disposition: attachment; filename="tcp_drop_icmp_unreach2.diff" } } diff -ru sys/netinet.old/in_pcb.c sys/netinet/in_pcb.c } --- sys/netinet.old/in_pcb.c Sun Dec 17 18:57:24 2000 } +++ sys/netinet/in_pcb.c Tue Dec 19 21:18:58 2000 } @@ -667,13 +667,14 @@ } * any errors for each matching socket. } */ } void } -in_pcbnotify(head, dst, fport_arg, laddr, lport_arg, cmd, notify) } +in_pcbnotify(head, dst, fport_arg, laddr, lport_arg, cmd, notify, tcp_sequence) } struct inpcbhead *head; } struct sockaddr *dst; } u_int fport_arg, lport_arg; } struct in_addr laddr; } int cmd; } void (*notify) __P((struct inpcb *, int)); } + u_int32_t tcp_sequence; } { } register struct inpcb *inp, *oinp; } struct in_addr faddr; } 
@@ -714,6 +715,15 @@ } (lport && inp->inp_lport != lport) || } (laddr.s_addr && inp->inp_laddr.s_addr != laddr.s_addr) || } (fport && inp->inp_fport != fport)) { } + inp = inp->inp_list.le_next; } + continue; Wouldn't it be more cleaner (gets rid of the loop) and more efficient (if we're getting blasted with ICMP messages) to use in_pcblookup_hash()? } + } } + /* } + * If tcp_sequence is set, then skip sessions where } + * the sequence number is not one of a unacknowledged } + * packet. } + */ } + if ((tcp_sequence) && (tcp_seq_vs_sess(inp, tcp_sequence) == 0)) { } inp = inp->inp_list.le_next; } continue; We should pass in an extra flag to indicate if tcp_sequence is valid, since it can legally be zero. We should also bail out if the sequence check fails, since it isn't possible for there to be another connection with the same src/srcport/dst/dstport, so there is no sense in continuing the search. } } } diff -ru sys/netinet.old/in_pcb.h sys/netinet/in_pcb.h } --- sys/netinet.old/in_pcb.h Sun Dec 17 18:57:24 2000 } +++ sys/netinet/in_pcb.h Sun Dec 17 22:47:39 2000 } @@ -290,7 +290,7 @@ } struct in_addr, u_int, struct in_addr, u_int, } int, struct ifnet *)); } void in_pcbnotify __P((struct inpcbhead *, struct sockaddr *, } - u_int, struct in_addr, u_int, int, void (*)(struct inpcb *, int))); } + u_int, struct in_addr, u_int, int, void (*)(struct inpcb *, int), u_int32_t)); } void in_pcbrehash __P((struct inpcb *)); } int in_setpeeraddr __P((struct socket *so, struct sockaddr **nam)); } int in_setsockaddr __P((struct socket *so, struct sockaddr **nam)); } diff -ru sys/netinet.old/tcp_subr.c sys/netinet/tcp_subr.c } --- sys/netinet.old/tcp_subr.c Sun Dec 17 18:57:24 2000 } +++ sys/netinet/tcp_subr.c Tue Dec 19 21:18:00 2000 } 
@@ -139,9 +139,20 @@ } * as required by rfc1122 section 3.2.2.1 } */ } } -static int icmp_admin_prohib_like_rst = 0; } +static int icmp_admin_prohib_like_rst = 1; } SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_admin_prohib_like_rst, CTLFLAG_RW, } - &icmp_admin_prohib_like_rst, 0, "Treat ICMP administratively prohibited messages like TCP RST, rfc1122 section 3.2.2.1"); } + &icmp_admin_prohib_like_rst, 0, } + "Treat ICMP administratively prohibited messages like TCP RST, rfc1122 section 3.2.2.1"); } + } +/* } + * When icmp_admin_prohib_like_rst is enabled, only act on } + * sessions in SYN-SENT state } + */ } + } +static int icmp_like_rst_syn_sent_only = 1; } +SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_like_rst_syn_sent_only, CTLFLAG_RW, } + &icmp_like_rst_syn_sent_only, 0, } + "When icmp_admin_prohib_like_rst is enabled, only act on sessions in SYN-SENT state"); } } static void tcp_cleartaocache __P((void)); } static void tcp_notify __P((struct inpcb *, int)); } @@ -967,10 +978,19 @@ } register struct ip *ip = vip; } register struct tcphdr *th; } void (*notify) __P((struct inpcb *, int)) = tcp_notify; } + tcp_seq tcp_sequence = 0; } } if (cmd == PRC_QUENCH) } notify = tcp_quench; } - else if ((icmp_admin_prohib_like_rst == 1) && (cmd == PRC_UNREACH_PORT) && (ip)) } + else if ((icmp_admin_prohib_like_rst == 1) && (cmd == PRC_UNREACH_PORT) && } + (ip) && ((IP_VHL_HL(ip->ip_vhl) << 2) == sizeof(struct ip))) } + /* } + * Only go here if the length of the IP header in the ICMP packet } + * is 20 bytes, that is it doesn't have options, if it does have } + * options, we will not have the first 8 bytes of the TCP header, } + * and thus we cannot match against TCP source/destination port } + * numbers and TCP sequence number. } + */ } notify = tcp_drop_syn_sent; } else if (cmd == PRC_MSGSIZE) } notify = tcp_mtudisc; } 
@@ -980,10 +1000,12 @@ } if (ip) { } th = (struct tcphdr *)((caddr_t)ip } + (IP_VHL_HL(ip->ip_vhl) << 2)); } + if (notify == tcp_drop_syn_sent) } + tcp_sequence = ntohl(th->th_seq); } in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport, } - cmd, notify); } + cmd, notify, tcp_sequence); } } else } - in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify); } + in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify, 0); } } } } #ifdef INET6 } @@ -1070,6 +1092,30 @@ } #endif /* INET6 */ } } /* } + * Check if the supplied TCP sequence number is a sequence number } + * for a sent but unacknowledged packet on the given TCP session. } + */ } +int } +tcp_seq_vs_sess(inp, tcp_sequence) } + struct inpcb *inp; } + tcp_seq tcp_sequence; } +{ } + struct tcpcb *tp = intotcpcb(inp); } + /* } + * If the sequence number is less than that of the last } + * unacknowledged packet, or greater than that of the } + * last sent, the given sequence number is not that } + * of a sent but unacknowledged packet for this session. } + */ } + if (SEQ_LT(tcp_sequence, tp->snd_una) || } + SEQ_GT(tcp_sequence, tp->snd_max)) { } + return(0); } + } else { } + return(1); } + } } +} } + } +/* } * When a source quench is received, close congestion window } * to one segment. We will gradually open it again as we proceed. } */ } @@ -1086,7 +1132,9 @@ } } /* } * When a ICMP unreachable is recieved, drop the } - * TCP connection, but only if in SYN_SENT } + * TCP connection, depending on the sysctl } + * icmp_like_rst_syn_sent_only, it only drops } + * the session if it's in SYN-SENT state } */ } void } tcp_drop_syn_sent(inp, errno) } 
@@ -1094,8 +1142,9 @@ } int errno; } { } struct tcpcb *tp = intotcpcb(inp); } - if((tp) && (tp->t_state == TCPS_SYN_SENT)) } - tcp_drop(tp, errno); } + if((tp) && ((icmp_like_rst_syn_sent_only == 0) || } + (tp->t_state == TCPS_SYN_SENT))) } + tcp_drop(tp, errno); } } } } /* } diff -ru sys/netinet.old/tcp_var.h sys/netinet/tcp_var.h } --- sys/netinet.old/tcp_var.h Sun Dec 17 18:57:24 2000 } +++ sys/netinet/tcp_var.h Tue Dec 19 20:16:54 2000 } @@ -392,6 +392,7 @@ } struct tcpcb * } tcp_newtcpcb __P((struct inpcb *)); } int tcp_output __P((struct tcpcb *)); } +int tcp_seq_vs_sess __P((struct inpcb *, tcp_seq)); } void tcp_quench __P((struct inpcb *, int)); } void tcp_respond __P((struct tcpcb *, void *, } struct tcphdr *, struct mbuf *, tcp_seq, tcp_seq, int)); } diff -ru sys/netinet.old/udp_usrreq.c sys/netinet/udp_usrreq.c } --- sys/netinet.old/udp_usrreq.c Sun Dec 17 18:57:24 2000 } +++ sys/netinet/udp_usrreq.c Sun Dec 17 19:59:53 2000 } 
@@ -512,9 +512,9 @@ } if (ip) { } uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2)); } in_pcbnotify(&udb, sa, uh->uh_dport, ip->ip_src, uh->uh_sport, } - cmd, udp_notify); } + cmd, udp_notify, 0); } } else } - in_pcbnotify(&udb, sa, 0, zeroin_addr, 0, cmd, udp_notify); } + in_pcbnotify(&udb, sa, 0, zeroin_addr, 0, cmd, udp_notify, 0); } } } } static int } } --17pEHd4RhPHOinZp-- } } } To Unsubscribe: send mail to majordomo@FreeBSD.org } with "unsubscribe freebsd-net" in the body of the message }-- End of excerpt from Jesper Skriver To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Wed Dec 20 3:24:27 2000 From owner-freebsd-net@FreeBSD.ORG Wed Dec 20 03:24:22 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from nwcst330.netaddress.usa.net (nwcst330.netaddress.usa.net [204.68.23.75]) by hub.freebsd.org (Postfix) with SMTP id D77DD37B404 for ; Wed, 20 Dec 2000 03:24:18 -0800 (PST) Received: (qmail 27367 invoked by uid 60001); 20 Dec 2000 11:24:16 -0000 Message-ID: <20001220112416.27366.qmail@nwcst330.netaddress.usa.net> Received: from 204.68.23.75 by nwcst330 for [213.226.6.17] via web-mailer(34FM.0700.4B.01) on Wed Dec 20 11:24:16 GMT 2000 Date: 20 Dec 00 04:24:16 MST 
From: John Smith
To: freebsd-net@freebsd.org
Cc: freebsd-hackers@freebsd.org
Subject: New netgraph features?

Hello,

Recently while I was playing with netgraph code I noted some interesting comments about 'tracing' netgraph packets and the ability to connect nodes located on different machines. I would like to ask if somebody is working on such a code and if it would be worth writing it. Any additional comments and ideas are also welcome.

BR: John

From owner-freebsd-net Wed Dec 20 3:41: 5 2000
Date: Wed, 20 Dec 2000 05:41:01 -0600
From: "Michael C . Wu"
To: jkoshy@FreeBSD.org
Cc: freebsd-net@FreeBSD.org, jkh@FreeBSD.org, freebsd-advocacy@FreeBSD.org
Subject: Re: IPv6 status in FreeBSD
Message-ID: <20001220054101.A20476@peorth.iteration.net>
In-Reply-To: <200012200954.eBK9sdF96403@freefall.freebsd.org>; from jkoshy@FreeBSD.org on Wed, Dec 20, 2000 at 01:54:39AM -0800

On Wed, Dec 20, 2000 at 01:54:39AM -0800, jkoshy@FreeBSD.org scribbled:
| committer living in the vicinity, I'm considering doing some advocacy and
| talking about our V6 capability in the 4-STABLE and 5-CURRENT branches.
|
| If you have information (URLs, docs, earlier presentations, ...) that
| I could look at and borrow from, then these will be much appreciated.
|
| The URL for the conference: http://ipv6.india.hp.com/summit/index.htm

itojun has quite a few on his website.

--
+------------------------------------------------------------------+
| keichii@peorth.iteration.net | keichii@bsdconspiracy.net         |
| http://peorth.iteration.net/~keichii | Yes, BSD is a conspiracy. |
+------------------------------------------------------------------+

From owner-freebsd-net Wed Dec 20 4:13:40 2000
From: itojun@iijlab.net
To: "Michael C . Wu"
Cc: jkoshy@FreeBSD.org, freebsd-net@FreeBSD.org, jkh@FreeBSD.org, freebsd-advocacy@FreeBSD.org
Subject: Re: IPv6 status in FreeBSD
In-reply-to: keichii's message of Wed, 20 Dec 2000 05:41:01 CST. <20001220054101.A20476@peorth.iteration.net>
Date: Wed, 20 Dec 2000 21:13:33 +0900
Message-ID: <10084.977314413@coconut.itojun.org>

>| committer living in the vicinity, I'm considering doing some advocacy and
>| talking about our V6 capability in the 4-STABLE and 5-CURRENT branches.
>| If you have information (URLs, docs, earlier presentations, ...) that
>| I could look at and borrow from, then these will be much appreciated.
>| The URL for the conference: http://ipv6.india.hp.com/summit/index.htm
>itojun has quite a few on his website.

	check the following URLs.

http://www.kame.net/
http://www.tahi.org/
	conformance test results
http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION
	design notes, support list
http://www.kame.net/dev/cvsweb.cgi/kame/COVERAGE
	detailed list of functionality differences/merge status between *BSD

itojun

From owner-freebsd-net Wed Dec 20 6:39:57 2000
Message-ID: <3A40BA95.F64C95C3@elischer.org>
Date: Wed, 20 Dec 2000 05:56:37 -0800
From: Julian Elischer
To: John Smith
Cc: freebsd-net@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: New netgraph features?
References: <20001220112416.27366.qmail@nwcst330.netaddress.usa.net>

John Smith wrote:
>
> Hello,
>
> Recently while I was playing with netgraph code
> I noted some interesting comments about 'tracing'
> netgraph packets and the ability to connect nodes
> located on different machines. I would like to ask
> if somebody is working on such a code and if it
> would be worth writing it. Any additional comments
> and ideas are also welcome.

If you are playing with it, you may want to let me know your thoughts.
I know many people are using it for this-and-that but we get
very little feedback.

I'm presently rewriting a large part of netgraph to make it suitable for
running under SMP without the BGL (e.g. fine grain locking),
so I'm interested in what people think in general, and
specifically what they liked and didn't like.

Lastly, if you have used netgraph, make sure that you have a look at the
man page for the -current version to see what has been changing.
Looking at the extra arguments on the prototypes
in /sys/netgraph/netgraph.h will show you where to look
for changes in the source too.

(in particular the ability to route messages for flow control has
been a large change).

As to your specific questions, these were vague ideas of things that we
thought were practical but didn't have time to do.

Nodes on different machines could be connected by using a udp ksocket
node as a tunnel.

Tracing is simply the ability to add a flag to
a metadata object, and adding code to the data delivery function
(ng_send_data()) to somehow emit trace information whenever the metadata
it is moving has that flag set.

The latter would be very easy to do. (but what logging mechanism
would you use, and how would you set the bits?)

> BR: John

--
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000
---> X_.---._/  presently in:  Budapest
            v

From owner-freebsd-net Wed Dec 20 6:51:25 2000
Date: Wed, 20 Dec 2000 15:51:18 +0100
From: Jesper Skriver
To: Don Lewis
Cc: Kris Kennaway , Poul-Henning Kamp , security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001220155118.N81814@skriver.dk>
References: <20001218182600.C1856@skriver.dk> <20001219222730.A29741@skriver.dk> <200012201046.CAA19456@salsa.gv.tsc.tdk.com>
In-Reply-To: <200012201046.CAA19456@salsa.gv.tsc.tdk.com>; from Don.Lewis@tsc.tdk.com on Wed, Dec 20, 2000 at 02:46:21AM -0800

On Wed, Dec 20, 2000 at 02:46:21AM -0800, Don Lewis wrote:
> } It has the following functionality.
> }
> } - If the sysctl net.inet.tcp.icmp_admin_prohib_like_rst == 1 (default)
> }   it enables the below.
> } - When an ICMP administrative prohibited is received, it checks if the
> }   IP header attached to the ICMP packet has any options set, if it has
> }   it ignores it. The reason for this is, if any options are set the extra
> }   8 bytes is no longer the first 8 bytes from the TCP header, source/
> }   destination ports and sequence number, which we need to find the
> }   right TCP session.
>
> According to Stevens, we should get the first 8 bytes of the TCP header
> even if there are options on the ICMP packet. We would have to be
> careful to do sanity checking in this case, as well as guard against
> unaligned accesses to the TCP header data.

I'll read more on this, for now I think it's an improvement to ignore all
packets with IP options, then we can improve it later by handling packets
with options too.

> }
@@ -714,6 +715,15 @@ > } (lport && inp->inp_lport != lport) || > } (laddr.s_addr && inp->inp_laddr.s_addr != laddr.s_addr) || > } (fport && inp->inp_fport != fport)) { > } + inp = inp->inp_list.le_next; > } + continue;
>
> Wouldn't it be cleaner (gets rid of the loop) and more efficient (if
> we're getting blasted with ICMP messages) to use in_pcblookup_hash()?

I didn't change the loop, but I'll have a look at this code, to see if we
can improve it, but again, to get moving, I'd like to commit this, and
leave this for a later improvement, ok?

> } + } > } + /* > } + * If tcp_sequence is set, then skip sessions where > } + * the sequence number is not one of a unacknowledged > } + * packet. > } + */ > } + if ((tcp_sequence) && (tcp_seq_vs_sess(inp, tcp_sequence) == 0)) { > } inp = inp->inp_list.le_next; > } continue;
>
> We should pass in an extra flag to indicate if tcp_sequence is valid, since
> it can legally be zero.

Ack, will do.

> We should also bail out if the sequence check fails,
> since it isn't possible for there to be another connection with the same
> src/srcport/dst/dstport, so there is no sense in continuing the search.

That is what we do, right? First we check if src/dst ip address and port
numbers match, if not we bail out, so if we reach the above check we know
these match, then we check for tcp sequence number, if this doesn't match
we bail out.

/Jesper

--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
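The validation Jesper describes above (ignore quoted IP headers with options, match the session's addresses and ports, require the sequence number of a sent but unacknowledged segment, honour the SYN-SENT-only knob), carried through as an added C example that is not the patch's code and uses no kernel structures. It takes the strict upper bound [snd_una, snd_max) instead of the patch's SEQ_GT test, and the addresses, ports, helper names and ICMP bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Serial-number comparisons as in the kernel's tcp_seq.h, so the window test
 * survives 32-bit sequence wraparound. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

enum tcp_state { TCPS_SYN_SENT, TCPS_ESTABLISHED };

/* Constructed stand-in for the inpcb/tcpcb fields the check needs (host order) */
struct session {
	uint32_t laddr, faddr, snd_una, snd_max;
	uint16_t lport, fport;
	enum tcp_state state;
};

enum verdict {
	IGNORE_TRUNCATED,	/* no quoted IP header plus 8 bytes present */
	IGNORE_OPTIONS,		/* quoted IP header has options (patch ignores it) */
	IGNORE_NO_MATCH,	/* not TCP, or 4-tuple is not this session's */
	IGNORE_BAD_SEQ,		/* sequence is not that of an unacknowledged byte */
	IGNORE_NOT_SYN_SENT,	/* syn_sent_only set and session past SYN-SENT */
	DROP_CONNECTION		/* treat like a RST, rfc1122 section 3.2.2.1 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v >> 16); wr16(p + 2, v & 0xffff); }

/*
 * What should an ICMP destination unreachable (type 3; code 13 is
 * "administratively prohibited") of len bytes do to session s? Behind the
 * 8-byte ICMP header the router quotes the IP header of the datagram we sent
 * plus its first 8 bytes: for TCP, source port, destination port, sequence.
 */
enum verdict check_icmp_unreach(const uint8_t *icmp, size_t len,
    const struct session *s, int syn_sent_only)
{
	const uint8_t *ip, *th;
	size_t ihl;
	uint32_t seq;
	if (len < 8 + 20 + 8)
		return IGNORE_TRUNCATED;
	ip = icmp + 8;
	ihl = (size_t)(ip[0] & 0x0f) * 4;
	if (ihl != 20)			/* as in the patch: options => ignore */
		return IGNORE_OPTIONS;
	if (ip[9] != 6)			/* quoted datagram is not TCP */
		return IGNORE_NO_MATCH;
	th = ip + ihl;
	/* The quoted datagram was ours, so its source is our local end. */
	if (rd32(ip + 12) != s->laddr || rd32(ip + 16) != s->faddr ||
	    rd16(th) != s->lport || rd16(th + 2) != s->fport)
		return IGNORE_NO_MATCH;
	/* Only the sequence of a sent-but-unacknowledged byte is credible,
	 * i.e. [snd_una, snd_max); anything else is stale or a guess. */
	seq = rd32(th + 4);
	if (SEQ_LT(seq, s->snd_una) || SEQ_GEQ(seq, s->snd_max))
		return IGNORE_BAD_SEQ;
	if (syn_sent_only && s->state != TCPS_SYN_SENT)
		return IGNORE_NOT_SYN_SENT;
	return DROP_CONNECTION;
}

/* Construct an ICMP type 3 code 13 message quoting a TCP segment; with_options
 * adds one 4-byte option word to the quoted IP header. Returns the length. */
size_t build_admin_prohib(uint8_t *buf, uint32_t src, uint16_t sport,
    uint32_t dst, uint16_t dport, uint32_t seq, int with_options)
{
	size_t ihl = with_options ? 24 : 20;
	uint8_t *ip = buf + 8, *th = ip + ihl;
	memset(buf, 0, 8 + ihl + 8);
	buf[0] = 3;				/* destination unreachable */
	buf[1] = 13;				/* administratively prohibited */
	ip[0] = (uint8_t)(0x40 | (ihl / 4));	/* IPv4, header length in words */
	ip[9] = 6;				/* IPPROTO_TCP */
	wr32(ip + 12, src);
	wr32(ip + 16, dst);
	wr16(th, sport);
	wr16(th + 2, dport);
	wr32(th + 4, seq);
	return 8 + ihl + 8;
}

/* One constructed scenario for the session 10.0.0.1:40000 -> 10.0.0.2:80
 * (hypothetical addresses): build the message, then run the check. */
enum verdict scenario(uint32_t snd_una, uint32_t snd_max, enum tcp_state st,
    uint32_t quoted_seq, uint16_t quoted_sport, int with_options, int syn_sent_only)
{
	struct session s = { 0x0a000001u, 0x0a000002u, snd_una, snd_max, 40000, 80, st };
	uint8_t buf[64];
	size_t n = build_admin_prohib(buf, s.laddr, quoted_sport, s.faddr, s.fport,
	    quoted_seq, with_options);
	return check_icmp_unreach(buf, n, &s, syn_sent_only);
}
```

Because the upper bound is strict, an idle connection (snd_una == snd_max, nothing in flight) can never be dropped by such a message, which is the right outcome: nothing it sent could have provoked the error.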
From owner-freebsd-net Wed Dec 20 8:19:17 2000
Message-ID: <20001220161908.3866.qmail@nwcst288.netaddress.usa.net>
Date: 20 Dec 00 09:19:08 MST
From: John Smith
To: freebsd-net@freebsd.org
Cc: freebsd-hackers@freebsd.org
Subject: Re: New netgraph features?

Julian Elischer wrote:
>John Smith wrote:
>>
>> Hello,
>>
>> Recently while I was playing with netgraph code
>> I noted some interesting comments about 'tracing'
>> netgraph packets and the ability to connect nodes
>> located on different machines. I would like to ask
>> if somebody is working on such a code and if it
>> would be worth writing it. Any additional comments
>> and ideas are also welcome.
>
>If you are playing with it, you may want to let me know your thoughts.
>I know many people are using it for this-and-that but we get
>very little feedback.

Well, I'm not a network administrator, so I haven't used netgraph for real services. In general, I like the idea, because I haven't seen yet a 'network problem' which I can't solve using netgraph. Well, many times my solution requires some code to be written, but... this is why I use FreeBSD - I can always do what I want to. :) In this case, netgraph helps a lot, because it already has some nodes and because it has a mechanism for easily implementing new nodes. One has enough power to solve his particular needs and there are few possibilities for 'design limitations'.

>
>I'm presently rewriting a large part of netgraph to make it suitable for
>running under SMP without the BGL (e.g. fine grain locking),
>so I'm interested in what people think in general, and
>specifically what they liked and didn't like.
>Lastly, if you have used netgraph, make sure that you have a look at the
>man page for the -current version to see what has been changing.
>

I'm currently running -current... so this is the only code/doc I'm looking at.

>looking at the extra arguments on the prototypes
>in /sys/netgraph/netgraph.h will show you where to look
>for changes in the source too.
>
>(in particular the ability to route messages for flow control has
>been a large change).
>
>
>As to your specific questions, these were vague ideas of things that we
>thought were practical but didn't have time to do.
>
>nodes on different machines could be connected by using a udp ksocket
>node as a tunnel.

Well, maybe I didn't say exactly what I wanted to. If we use, say, ksocket nodes as a tunnel, we will transfer the data - ok, but what about metadata? Maybe I should say 'to connect two netgraphs'? Maybe this is a lost cause, but that's why I'm asking.

>Tracing is simply the ability to add a flag to
>a metadata object, and adding code to the data delivery function
>(ng_send_data()) to somehow emit trace information whenever the metadata
>it is moving has that flag set.
>
>The latter would be very easy to do. (but what logging mechanism
>would you use, and how would you set the bits?)

Well, probably there are several ways to do this - not quite sure. At this point I'm just asking for some feedback :)

From owner-freebsd-net Wed Dec 20 9:56:54 2000
Date: Wed, 20 Dec 2000 18:56:38 +0100
From: Jesper Skriver
To: Don Lewis
Cc: Kris Kennaway , Poul-Henning Kamp , security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Message-ID: <20001220185638.A64470@skriver.dk>
References: <20001218182600.C1856@skriver.dk> <20001219222730.A29741@skriver.dk> <200012201046.CAA19456@salsa.gv.tsc.tdk.com> <20001220155118.N81814@skriver.dk>
In-Reply-To: <20001220155118.N81814@skriver.dk>; from jesper@skriver.dk on Wed, Dec 20, 2000 at 03:51:18PM +0100
Content-Type: multipart/mixed; boundary="HcAYCG3uE/tztfnV"

--HcAYCG3uE/tztfnV
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, Dec 20, 2000 at 03:51:18PM +0100, Jesper Skriver wrote:
> On Wed, Dec 20, 2000 at 02:46:21AM -0800, Don Lewis wrote:
> > } + /* > > } + * If tcp_sequence is set, then skip sessions where > > } + * the sequence number is not one of a unacknowledged > > } + * packet. > > } + */ > > } + if ((tcp_sequence) && (tcp_seq_vs_sess(inp, tcp_sequence) == 0)) { > > } inp = inp->inp_list.le_next; > > } continue;
> >
> > We should pass in an extra flag to indicate if tcp_sequence is valid, since
> > it can legally be zero.
>
> Ack, will do.

Attached new diff (relative to -current) with this fix.

I think this should be committed, afterwards I'll look at the suggestions
for improvements.

/Jesper

--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: Geek @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
--HcAYCG3uE/tztfnV Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="tcp_drop_icmp_unreach3.diff" diff -ru src/sys/netinet.old/in_pcb.c src/sys/netinet/in_pcb.c --- src/sys/netinet.old/in_pcb.c Sun Dec 17 18:57:24 2000 +++ src/sys/netinet/in_pcb.c Wed Dec 20 18:28:35 2000 @@ -665,15 +665,20 @@ * cmds that are uninteresting (e.g., no error in the map). * Call the protocol specific routine (if any) to report * any errors for each matching socket. + * + * If tcp_seq_check != 0 it also checks if tcp_sequence is + * a valid TCP sequence number for the session. */ void -in_pcbnotify(head, dst, fport_arg, laddr, lport_arg, cmd, notify) +in_pcbnotify(head, dst, fport_arg, laddr, lport_arg, cmd, notify, tcp_sequence, tcp_seq_check) struct inpcbhead *head; struct sockaddr *dst; u_int fport_arg, lport_arg; struct in_addr laddr; int cmd; void (*notify) __P((struct inpcb *, int)); + u_int32_t tcp_sequence; + int tcp_seq_check; { register struct inpcb *inp, *oinp; struct in_addr faddr; @@ -714,6 +719,15 @@ (lport && inp->inp_lport != lport) || (laddr.s_addr && inp->inp_laddr.s_addr != laddr.s_addr) || (fport && inp->inp_fport != fport)) { + inp = inp->inp_list.le_next; + continue; + } + /* + * If tcp_seq_check is set, then skip sessions where + * the sequence number is not one of a unacknowledged + * packet. + */ + if ((tcp_seq_check == 1) && (tcp_seq_vs_sess(inp, tcp_sequence) == 0)) { inp = inp->inp_list.le_next; continue; } diff -ru src/sys/netinet.old/in_pcb.h src/sys/netinet/in_pcb.h --- src/sys/netinet.old/in_pcb.h Sun Dec 17 18:57:24 2000 +++ src/sys/netinet/in_pcb.h Wed Dec 20 17:33:34 2000 
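Review bot: tcp_seq_vs_sess() is called from the protocol-independent in_pcbnotify() in the -714 hunk for every inpcb that passes the address/port test, and it dereferences intotcpcb(inp) with no NULL check, whereas tcp_drop_syn_sent() in the same patch guards `(tp) &&` before touching the tcpcb; either add the same guard here, e.g. `if ((tcp_seq_check == 1) && (intotcpcb(inp) == NULL || tcp_seq_vs_sess(inp, tcp_sequence) == 0))`, or move the sequence test into the TCP-side notify path so in_pcb.c does not carry TCP-specific logic (udp_usrreq.c already has to pass two dummy arguments because of it). Minor: the new header comment says `tcp_seq_check != 0` while the code tests `== 1`, and "one of a unacknowledged packet" should read "one of an unacknowledged packet".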
@@ -290,7 +290,8 @@ struct in_addr, u_int, struct in_addr, u_int, int, struct ifnet *)); void in_pcbnotify __P((struct inpcbhead *, struct sockaddr *, - u_int, struct in_addr, u_int, int, void (*)(struct inpcb *, int))); + u_int, struct in_addr, u_int, int, void (*)(struct inpcb *, int), + u_int32_t, int)); void in_pcbrehash __P((struct inpcb *)); int in_setpeeraddr __P((struct socket *so, struct sockaddr **nam)); int in_setsockaddr __P((struct socket *so, struct sockaddr **nam)); diff -ru src/sys/netinet.old/tcp_subr.c src/sys/netinet/tcp_subr.c --- src/sys/netinet.old/tcp_subr.c Sun Dec 17 18:57:24 2000 +++ src/sys/netinet/tcp_subr.c Wed Dec 20 18:34:36 2000 @@ -139,9 +139,20 @@ * as required by rfc1122 section 3.2.2.1 */ -static int icmp_admin_prohib_like_rst = 0; +static int icmp_admin_prohib_like_rst = 1; SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_admin_prohib_like_rst, CTLFLAG_RW, - &icmp_admin_prohib_like_rst, 0, "Treat ICMP administratively prohibited messages like TCP RST, rfc1122 section 3.2.2.1"); + &icmp_admin_prohib_like_rst, 0, + "Treat ICMP administratively prohibited messages like TCP RST, rfc1122 section 3.2.2.1"); + +/* + * When icmp_admin_prohib_like_rst is enabled, only act on + * sessions in SYN-SENT state + */ + +static int icmp_like_rst_syn_sent_only = 1; +SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_like_rst_syn_sent_only, CTLFLAG_RW, + &icmp_like_rst_syn_sent_only, 0, + "When icmp_admin_prohib_like_rst is enabled, only act on sessions in SYN-SENT state"); static void tcp_cleartaocache __P((void)); static void tcp_notify __P((struct inpcb *, int)); 
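Review bot: the -139 hunk changes the default of net.inet.tcp.icmp_admin_prohib_like_rst from 0 to 1 in the same change that adds the icmp_like_rst_syn_sent_only knob, so every system that takes this diff starts dropping SYN-SENT sessions on ICMP administratively prohibited messages without an explicit opt-in; commit the default flip separately (or keep 0 until the IP-options handling raised in the thread is in place) and extend the comment above the sysctl, which still only cites rfc1122 section 3.2.2.1, to say what the two knobs do together. Style: the blank line between the new comment block and `static int icmp_like_rst_syn_sent_only = 1;` separates the comment from the declaration it documents.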
@@ -967,12 +978,23 @@ register struct ip *ip = vip; register struct tcphdr *th; void (*notify) __P((struct inpcb *, int)) = tcp_notify; + tcp_seq tcp_sequence = 0; + int tcp_seq_check = 0; if (cmd == PRC_QUENCH) notify = tcp_quench; - else if ((icmp_admin_prohib_like_rst == 1) && (cmd == PRC_UNREACH_PORT) && (ip)) + else if ((icmp_admin_prohib_like_rst == 1) && (cmd == PRC_UNREACH_PORT) && + (ip) && ((IP_VHL_HL(ip->ip_vhl) << 2) == sizeof(struct ip))) { + /* + * Only go here if the length of the IP header in the ICMP packet + * is 20 bytes, that is it doesn't have options, if it does have + * options, we will not have the first 8 bytes of the TCP header, + * and thus we cannot match against TCP source/destination port + * numbers and TCP sequence number. + */ + tcp_seq_check = 1; notify = tcp_drop_syn_sent; - else if (cmd == PRC_MSGSIZE) + } else if (cmd == PRC_MSGSIZE) notify = tcp_mtudisc; else if (!PRC_IS_REDIRECT(cmd) && ((unsigned)cmd > PRC_NCMDS || inetctlerrmap[cmd] == 0)) @@ -980,10 +1002,12 @@ if (ip) { th = (struct tcphdr *)((caddr_t)ip + (IP_VHL_HL(ip->ip_vhl) << 2)); + if (tcp_seq_check == 1) + tcp_sequence = ntohl(th->th_seq); in_pcbnotify(&tcb, sa, th->th_dport, ip->ip_src, th->th_sport, - cmd, notify); + cmd, notify, tcp_sequence, tcp_seq_check); } else - in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify); + in_pcbnotify(&tcb, sa, 0, zeroin_addr, 0, cmd, notify, 0, 0); } #ifdef INET6 
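Review bot: in the -967 hunk the `(IP_VHL_HL(ip->ip_vhl) << 2) == sizeof(struct ip)` test does more than skip the sequence check for quoted headers with options: it makes the whole `else if` fail, so such a message falls through to the default tcp_notify() path and is handled as a soft error, which the sysctl description does not say. Since the -980 hunk already locates `th` with IP_VHL_HL, and the thread notes that the quoted 8 bytes follow the IP header whether or not it carries options, the condition could stay on `cmd == PRC_UNREACH_PORT` and the options case be handled (or explicitly documented as ignored) instead. The explanatory comment also sits inside the braces after the condition it describes; move it above the `else if` so the reader sees it before the test.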
@@ -1070,6 +1094,30 @@ #endif /* INET6 */ /* + * Check if the supplied TCP sequence number is a sequence number + * for a sent but unacknowledged packet on the given TCP session. + */ +int +tcp_seq_vs_sess(inp, tcp_sequence) + struct inpcb *inp; + tcp_seq tcp_sequence; +{ + struct tcpcb *tp = intotcpcb(inp); + /* + * If the sequence number is less than that of the last + * unacknowledged packet, or greater than that of the + * last sent, the given sequence number is not that + * of a sent but unacknowledged packet for this session. + */ + if (SEQ_LT(tcp_sequence, tp->snd_una) || + SEQ_GT(tcp_sequence, tp->snd_max)) { + return(0); + } else { + return(1); + } +} + +/* * When a source quench is received, close congestion window * to one segment. We will gradually open it again as we proceed. */ @@ -1086,7 +1134,9 @@ /* * When a ICMP unreachable is recieved, drop the - * TCP connection, but only if in SYN_SENT + * TCP connection, depending on the sysctl + * icmp_like_rst_syn_sent_only, it only drops + * the session if it's in SYN-SENT state */ void tcp_drop_syn_sent(inp, errno) @@ -1094,8 +1144,9 @@ int errno; { struct tcpcb *tp = intotcpcb(inp); - if((tp) && (tp->t_state == TCPS_SYN_SENT)) - tcp_drop(tp, errno); + if((tp) && ((icmp_like_rst_syn_sent_only == 0) || + (tp->t_state == TCPS_SYN_SENT))) + tcp_drop(tp, errno); } /* diff -ru src/sys/netinet.old/tcp_var.h src/sys/netinet/tcp_var.h --- src/sys/netinet.old/tcp_var.h Sun Dec 17 18:57:24 2000 +++ src/sys/netinet/tcp_var.h Tue Dec 19 20:16:54 2000 
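Review bot: tcp_seq_vs_sess() in the -1070 hunk rejects only SEQ_GT(tcp_sequence, tp->snd_max), so it accepts a quoted sequence number equal to snd_max, the next sequence number to be sent, which no transmitted segment has carried; on an idle connection (snd_una == snd_max) that single value passes the check, and with icmp_like_rst_syn_sent_only set to 0 the -1094 hunk then drops an established session that had nothing in flight. Use SEQ_GEQ for the upper bound so the accepted range is exactly the unacknowledged data [snd_una, snd_max). Style: "recieved" in the -1086 comment, and the rewritten sentence there runs on; "depending on icmp_like_rst_syn_sent_only, only if it is in SYN-SENT state" reads better.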
@@ -392,6 +392,7 @@ struct tcpcb * tcp_newtcpcb __P((struct inpcb *)); int tcp_output __P((struct tcpcb *)); +int tcp_seq_vs_sess __P((struct inpcb *, tcp_seq)); void tcp_quench __P((struct inpcb *, int)); void tcp_respond __P((struct tcpcb *, void *, struct tcphdr *, struct mbuf *, tcp_seq, tcp_seq, int)); diff -ru src/sys/netinet.old/udp_usrreq.c src/sys/netinet/udp_usrreq.c --- src/sys/netinet.old/udp_usrreq.c Sun Dec 17 18:57:24 2000 +++ src/sys/netinet/udp_usrreq.c Wed Dec 20 17:33:00 2000 @@ -512,9 +512,9 @@ if (ip) { uh = (struct udphdr *)((caddr_t)ip + (ip->ip_hl << 2)); in_pcbnotify(&udb, sa, uh->uh_dport, ip->ip_src, uh->uh_sport, - cmd, udp_notify); + cmd, udp_notify, 0, 0); } else - in_pcbnotify(&udb, sa, 0, zeroin_addr, 0, cmd, udp_notify); + in_pcbnotify(&udb, sa, 0, zeroin_addr, 0, cmd, udp_notify, 0, 0); } static int --HcAYCG3uE/tztfnV-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Wed Dec 20 13:44:31 2000 From owner-freebsd-net@FreeBSD.ORG Wed Dec 20 13:44:28 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from rigel.cs.pdx.edu (rigel.cs.pdx.edu [131.252.208.59]) by hub.freebsd.org (Postfix) with ESMTP id 22D6E37B400 for ; Wed, 20 Dec 2000 13:44:28 -0800 (PST) Received: from pollux.cs.pdx.edu (harkirat@pollux.cs.pdx.edu [131.252.223.76]) by rigel.cs.pdx.edu (8.9.1/8.9.1) with ESMTP id NAA18336; Wed, 20 Dec 2000 13:44:27 -0800 (PST) Received: from localhost (harkirat@localhost) by pollux.cs.pdx.edu (8.8.6/8.8.5) with ESMTP id NAA24117; Wed, 20 Dec 2000 13:44:26 -0800 (PST) X-Authentication-Warning: pollux.cs.pdx.edu: harkirat owned process doing -bs Date: Wed, 20 Dec 2000 13:44:26 -0800 (PST) 
From: Harkitrat Singh
To: "Orville R. Weyrich.Jr"
Cc: freebsd-net@FreeBSD.ORG
Subject: Wavelan

Hi!

While loading I gave the static address and I solved this problem by reloading FreeBSD once again with the DHCP option. I have one WaveLan card; I want to know how I can configure it?

Thanks,

Harkirat

On Tue, 19 Dec 2000, Orville R. Weyrich.Jr wrote:

> Do you have to set a default route to a gateway server? Ask your network
> administrator (or check the configuration of a buddy's machine).
>
> On Tue, 19 Dec 2000, Harkitrat Singh wrote:
>
> >
> > Hi!
> >
> > I have a tiny laptop, Libretto100CT, I downloaded FreeBSD (4.2) on it and
> > from my home it was working fine. I brought it to school and now it is not
> > able to connect to network. I changed the nameserver IP. If I do ping with
> > IP address then I get error "host route not found". In case I use the name
> > then I get "Host name lookup failure". Ping to localhost is working fine.
> >
> > Please give me some suggestions.
> >
> > -Harkirat
> >
>
> ===================================================================
> IF YOU WANT REFORM >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> VOTE REFORM
> -------------------------------------------------------------------
> Orville R. Weyrich, Jr.                  Weyrich Computer Consulting
> mailto:orville@weyrich.com     KD7HJV        http://www.weyrich.com
> -------------------------------------------------------------------
> Visit our online collection of book reviews:
>
>     http://www.weyrich.com/book_reviews/
>
> Ask about our world wide web services!

Message-ID: <000d01c06ae0$32f7e7e0$0402010a@biohz.net>
From: "Renaud Waldura"
To: "Harkitrat Singh"
Subject: Re: Wavelan
Date: Wed, 20 Dec 2000 15:54:32 -0800

This should tell everything you need to know:
http://www.live.com/wireless/unix-base-station.html

----- Original Message -----
From: "Harkitrat Singh"
To: "Orville R. Weyrich.Jr"
Sent: Wednesday, December 20, 2000 1:44 PM
Subject: Wavelan

> Hi!
>
> While loading I gave the static address, and I solved this problem by
> reloading FreeBSD once again with the DHCP option. I have one WaveLan card;
> I want to know how I can configure it.
>
> Thanks,
>
> Harkirat

Date: Wed, 20 Dec 2000 19:31:11 -0800 (PST)
From: Harkitrat Singh
To: freebsd-net@FreeBSD.ORG
Subject: WaveLan Driver - silver Turbo 11Mb
In-Reply-To: <000d01c06ae0$32f7e7e0$0402010a@biohz.net>

Hi!

I have a tiny laptop (without CD-ROM); I got the FreeBSD-4.2 release
installed. It's working and I am very happy. Now I want to install the
driver for the Wavelan card (turbo 11Mb). Does anyone know about the ftp
site for the driver, as I guess that this is the only way I can get it
downloaded? I do not know how to start an X session, that's why I am not
able to use a browser either (though this is not my priority, I will learn
it with time).

Any suggestions are appreciated.

Thanks,

harkirat

Date: Wed, 20 Dec 2000 20:35:46 -0800 (PST)
From: Harkitrat Singh
To: freebsd-net@FreeBSD.ORG
Subject: problem run fsck manual

When I was happy that my FreeBSD was running well I faced this problem. I
shut down my laptop with the following command

  # /sbin /shutdown -h now

and after that I switched off the power, and then I wanted to power it on
once again, and this time I got the error

  "THE FOLLOWING FILE SYSTEM HAD AN UNEXPECTED INCONSISTENCY:
   /dev/ad0s1f (/usr)
   Automatic file system check fail and run fsck manually.."

I tried with

  fsck -p
  fsck -y / /usr /var

and after that (second fsck command) I got a segmentation fault; now I do not
know what I should do. I do not have any partition. Please also suggest to me
how I can avoid this in the future.

Bye,

Harkirat

Message-ID: <3A4198BB.6E6E4C43@uk.com>
Date: Thu, 21 Dec 2000 05:44:27 +0000
From: Matthew
Reply-To: m@uk.com
To: Harkitrat Singh
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: problem run fsck manual

Try fsck -y /dev/ad0s1f

-M

Message-ID: <008501c06b7d$e5d995a0$0402010a@biohz.net>
From: "Renaud Waldura"
To: "Harkitrat Singh"
Subject: Re: WaveLan Driver - silver Turbo 11Mb
Date: Thu, 21 Dec 2000 10:43:23 -0800

Both the "wi" driver and the pccardd daemon, needed for Wavelan operation,
are included in the base distribution. And this document tells you
everything else you need to know:
http://www.live.com/wireless/unix-base-station.html

----- Original Message -----
From: "Harkitrat Singh"
Sent: Wednesday, December 20, 2000 7:31 PM
Subject: WaveLan Driver - silver Turbo 11Mb

Date: Thu, 21 Dec 2000 21:28:57 +0100
From: Andreas Gerstenberg
To: freebsd-net@freebsd.org
Subject: GRE implementation?
Message-ID: <2476561115.977434137@windoze.andy.de>

Hi,

I just want to ask if there are plans to implement GRE encapsulation, e.g. for
setting up tunnel interfaces with Cisco routers?

regards,
Andy

Message-ID: <3A426AC2.4CEAD5A7@elischer.org>
Date: Thu, 21 Dec 2000 12:40:34 -0800
From: Julian Elischer
To: Andreas Gerstenberg
Cc: freebsd-net@freebsd.org
Subject: Re: GRE implementation?
References: <2476561115.977434137@windoze.andy.de>

Andreas Gerstenberg wrote:
>
> Hi,
>
> I just want to ask if there are plans to implement GRE encapsulation e.g. for
> setup tunnel interfaces with cisco routers?

you mean like is implemented in the FreeBSD kernel?
(in netgraph)

> regards,
> Andy

--
Julian Elischer   julian@elischer.org   World tour 2000   presently in: Budapest
From: Luigi Rizzo
Message-Id: <200012212046.eBLKkfe87614@iguana.aciri.org>
Subject: Re: GRE implementation?
In-Reply-To: <2476561115.977434137@windoze.andy.de> from Andreas Gerstenberg at "Dec 21, 2000 9:28:57 pm"
To: andy@andy.de (Andreas Gerstenberg)
Date: Thu, 21 Dec 2000 12:46:41 -0800 (PST)
Cc: freebsd-net@FreeBSD.ORG, itojun@FreeBSD.ORG

> Hi,
>
> I just want to ask if there are plans to implement GRE encapsulation e.g. for
> setup tunnel interfaces with cisco routers?

Some time ago I hacked the "gif" interface to support GRE -- you need to
set the 'link2' flag to enable GRE on that interface. It does not support
checksums, but apparently our Cisco does not seem to use them (by default
at least).

Patches for 4.1 are attached. They are rather simple and short, and I
think they pretty much do the job (GRE is quite simple, anyways).

Note though that itojun warned me that this code might conflict with
future use of the link2 flag from the KAME project. He also suggested
implementing GRE as a different "interface", though I am not sure it is
worth the effort given the excellent infrastructure provided by the KAME
people for the gif/faith etc. interfaces (which is the main reason why
the attached diffs are so small).

Actually, if people have comments I would like to hear them.

cheers
luigi

Index: sys/net/if_gif.c
===================================================================
RCS file: /home/iguana/u0/rizzo/ncvs/src/sys/net/if_gif.c,v
retrieving revision 1.4.2.2
diff -u -r1.4.2.2 if_gif.c
--- sys/net/if_gif.c 2000/07/20 00:45:07 1.4.2.2
+++ sys/net/if_gif.c 2000/10/31 01:26:57
@@ -121,14 +121,23 @@ gif = sc = malloc (ngif * sizeof(struct gif_softc), M_DEVBUF, M_WAIT); bzero(sc, ngif * sizeof(struct gif_softc)); for (i = 0; i < ngif; sc++, i++) { + void *gre_cookie = NULL ; + sc->gif_if.if_name = "gif"; sc->gif_if.if_unit = i; sc->encap_cookie4 = sc->encap_cookie6 = NULL; #ifdef INET + gre_cookie = encap_attach_func(AF_INET, IPPROTO_GRE, + gif_encapcheck, &in_gif_protosw, sc); + if (gre_cookie == NULL) + continue ; + sc->encap_cookie4 = encap_attach_func(AF_INET, -1, gif_encapcheck, &in_gif_protosw, sc); if (sc->encap_cookie4 == NULL) { + if (gre_cookie) + encap_detach(gre_cookie); printf("%s: attach failed\n", if_name(&sc->gif_if)); continue; } @@ -141,6 +150,8 @@ encap_detach(sc->encap_cookie4); sc->encap_cookie4 = NULL; } + if (gre_cookie) + encap_detach(gre_cookie); printf("%s: attach failed\n", if_name(&sc->gif_if)); continue; } @@ -189,6 +200,7 @@ switch (proto) { #ifdef INET case IPPROTO_IPV4: + case IPPROTO_GRE: break; #endif #ifdef INET6 Index: sys/netinet/in_gif.c =================================================================== RCS file: /home/iguana/u0/rizzo/ncvs/src/sys/netinet/in_gif.c,v retrieving revision 1.5.2.1 diff -u -r1.5.2.1 in_gif.c --- sys/netinet/in_gif.c 2000/07/15 07:14:30 1.5.2.1 +++ sys/netinet/in_gif.c 2000/10/31 04:02:06 @@ -99,6 +99,7 @@ struct ip iphdr; /* capsule IP header, host byte ordered */ int proto, error; u_int8_t tos; + int phl = sizeof(struct ip); /* prepend header length */ if (sin_src == NULL || sin_dst == NULL || sin_src->sin_family != AF_INET || @@ -114,6 +115,11 @@ struct ip *ip; proto = IPPROTO_IPV4; + if (ifp->if_flags & IFF_LINK2) {/* a GRE tunnel */ + printf("gif_output: GRE!\n"); + proto = IPPROTO_GRE; + phl = sizeof(struct ip) + 4 ; /* GRE header, no checksum */ + } if (m->m_len < sizeof(*ip)) { m = m_pullup(m, sizeof(*ip)); if (!m) 
@@ -177,19 +183,25 @@ iphdr.ip_p = proto; /* version will be set in ip_output() */ iphdr.ip_ttl = ip_gif_ttl; - iphdr.ip_len = m->m_pkthdr.len + sizeof(struct ip); + iphdr.ip_len = m->m_pkthdr.len + phl ; if (ifp->if_flags & IFF_LINK1) ip_ecn_ingress(ECN_ALLOWED, &iphdr.ip_tos, &tos); /* prepend new IP header */ - M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); - if (m && m->m_len < sizeof(struct ip)) - m = m_pullup(m, sizeof(struct ip)); + M_PREPEND(m, phl, M_DONTWAIT); + if (m && m->m_len < phl) + m = m_pullup(m, phl); if (m == NULL) { printf("ENOBUFS in in_gif_output %d\n", __LINE__); return ENOBUFS; } bcopy(&iphdr, mtod(m, struct ip *), sizeof(struct ip)); + if (proto == IPPROTO_GRE) { /* fill GRE header */ + u_int16_t *p ; + (void *)p = mtod(m, void *) + sizeof(struct ip); + p[0] = 0 ; + p[1] = htons(0x800 /* ETHERTYPE_IP */); + } if (dst->sin_family != sin_dst->sin_family || dst->sin_addr.s_addr != sin_dst->sin_addr.s_addr) { @@ -260,6 +272,14 @@ } otos = ip->ip_tos; + if (proto == IPPROTO_GRE) { + u_char *p = (u_char *)(ip) + off ; + printf("in_gif_input: GRE\n"); + off += 4 ; /* strip off GRE header */ + if (p[0] & 1) + off += 4 ; /* strip off checksum */ + proto = IPPROTO_IPV4 ; /* XXX hack! */ + } m_adj(m, off); switch (proto) { Index: sys/netinet/in_proto.c =================================================================== RCS file: /home/iguana/u0/rizzo/ncvs/src/sys/netinet/in_proto.c,v retrieving revision 1.53.2.1 diff -u -r1.53.2.1 in_proto.c --- sys/netinet/in_proto.c 2000/07/15 07:14:30 1.53.2.1 +++ sys/netinet/in_proto.c 2000/10/31 01:05:18 
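Review bot: in the in_gif_input hunk, `if (p[0] & 1)` tests the wrong bit for the GRE checksum-present flag: C is the most significant bit of the first header byte (0x80 in RFC 2784), so a packet that does carry a checksum keeps its four checksum bytes glued to the front of the inner IP header, while a packet with only the low bit set (a reserved bit receivers must ignore) loses four bytes of payload. Suggest `if (p[0] & 0x80)`, dropping packets whose RFC 1701 R/K/S bits or version field are non-zero, and a length check that at least 4 (or 8) bytes beyond `off` are present before `p[0]` is read and `m_adj()` runs. In the same hunk `proto = IPPROTO_IPV4; /* XXX hack! */` ignores the GRE protocol type field, so a non-0x0800 payload is handed to the IPv4 path; compare `p[2..3]` with the `htons(0x800)` the output hunk writes. The two `printf()` calls fire once per packet and belong under a debug conditional. In the output hunk, `(void *)p = mtod(m, void *) + sizeof(struct ip);` is a cast-as-lvalue plus `void *` arithmetic (both GCC extensions); `p = (u_int16_t *)((caddr_t)mtod(m, struct ip *) + sizeof(struct ip));` is portable.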
@@ -165,6 +165,12 @@ encap_init, 0, 0, 0, &nousrreqs }, +{ SOCK_RAW, &inetdomain, IPPROTO_GRE, PR_ATOMIC|PR_ADDR, + encap4_input, 0, 0, rip_ctloutput, + 0, + encap_init, 0, 0, 0, + &nousrreqs +}, # ifdef INET6 { SOCK_RAW, &inetdomain, IPPROTO_IPV6, PR_ATOMIC|PR_ADDR, encap4_input, 0, 0, rip_ctloutput, To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Thu Dec 21 13:17:41 2000 From owner-freebsd-net@FreeBSD.ORG Thu Dec 21 13:17:39 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mail.interware.hu (mail.interware.hu [195.70.32.130]) by hub.freebsd.org (Postfix) with ESMTP id 01BF337B400 for ; Thu, 21 Dec 2000 13:17:39 -0800 (PST) Received: from pretoria-57.budapest.interware.hu ([195.70.53.121] helo=elischer.org) by mail.interware.hu with esmtp (Exim 3.16 #1 (Debian)) id 149D5l-000423-00; Thu, 21 Dec 2000 22:17:37 +0100 Sender: julian@FreeBSD.ORG Message-ID: <3A42733D.1E09C2CB@elischer.org> Date: Thu, 21 Dec 2000 13:16:45 -0800 
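Luigi's in_gif.c hunks above add a four-byte GRE header on output and strip four or eight bytes on input. The following is an added example, not Luigi's patch or FreeBSD code: the same RFC 2784 header built and validated in user space, including the checksum form the patch leaves unsupported. The function names, the constructed packet bytes and the "outer IP added separately" assumption are this example's own; the patch's own header-length rule (`p[0] & 1`) is carried along as a separate function so both can be compared on the same bytes.

```c
/* gre_hdr.c: build and validate RFC 2784 GRE headers in user space.  Added
 * example, not code from the patch or from FreeBSD.  Assumes the gif/link2
 * setup above: IPv4 carried in GRE (protocol type 0x0800), outer IPv4 added
 * separately by the tunnel code.  Build: cc -Wall -o gre_hdr gre_hdr.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRE_FLAG_C        0x80   /* byte 0, bit 0: checksum present (RFC 2784) */
#define GRE_RESV_BITS_1_5 0x7c   /* byte 0, bits 1-5: R/K/S/s of RFC 1701, must be 0 */
#define GRE_VERSION_MASK  0x07   /* byte 1, low 3 bits: version, must be 0 */
#define GRE_PROTO_IP      0x0800 /* ETHERTYPE_IP, as the output hunk writes it */

/* Internet ones'-complement checksum; a zero result means "verifies". */
static uint16_t in_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((data[0] << 8) | data[1]);
        data += 2;
        len -= 2;
    }
    if (len)                          /* odd trailing byte is padded with zero */
        sum += (uint32_t)(data[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Write GRE header + payload into out[].  with_cksum selects the 8-byte form
 * (C=1) and fills the checksum over header and payload.  Returns the total
 * length, or 0 if out[] is too small.  The outer IP header the gif code
 * prepends adds sizeof(struct ip) on top of this (its "phl"). */
size_t gre_encap(uint8_t *out, size_t outlen, const uint8_t *payload,
                 size_t plen, uint16_t proto, int with_cksum)
{
    size_t hlen = with_cksum ? 8 : 4;
    if (outlen < hlen + plen)
        return 0;
    memset(out, 0, hlen);             /* flags, reserved, version = 0 */
    if (with_cksum)
        out[0] = GRE_FLAG_C;
    out[2] = (uint8_t)(proto >> 8);
    out[3] = (uint8_t)proto;
    memcpy(out + hlen, payload, plen);
    if (with_cksum) {                 /* checksum field is still zero here */
        uint16_t c = in_cksum(out, hlen + plen);
        out[4] = (uint8_t)(c >> 8);
        out[5] = (uint8_t)c;
    }
    return hlen + plen;
}

/* Validate a received GRE packet (pkt points at the GRE header, len bytes
 * remain).  Returns the header length to strip (4 or 8) and stores the
 * protocol type, or -1 if the packet must be dropped. */
int gre_decap(const uint8_t *pkt, size_t len, uint16_t *proto_out)
{
    size_t hlen = 4;
    if (len < 4)
        return -1;                    /* never read flag bits that are not there */
    if (pkt[0] & GRE_RESV_BITS_1_5)   /* routing/key/sequence: RFC 1701 forms */
        return -1;
    if (pkt[1] & GRE_VERSION_MASK)    /* version 1 is PPTP's GRE, not plain GRE */
        return -1;
    if (pkt[0] & GRE_FLAG_C) {
        if (len < 8)
            return -1;
        if (in_cksum(pkt, len) != 0)  /* checksum covers header and payload */
            return -1;
        hlen = 8;
    }
    if (proto_out)
        *proto_out = (uint16_t)((pkt[2] << 8) | pkt[3]);
    return (int)hlen;
}

/* Header length as the in_gif_input hunk above computes it: it tests the least
 * significant bit of the first byte for the checksum flag. */
int gre_hdrlen_as_patched(const uint8_t *pkt)
{
    return 4 + ((pkt[0] & 1) ? 4 : 0);
}

int main(void)
{
    /* Constructed inner packet: the start of an IPv4 header (sample bytes). */
    static const uint8_t inner[] = { 0x45, 0x00, 0x00, 0x1c, 0x12, 0x34,
                                     0x00, 0x00, 0x40, 0x01, 0x00, 0x00 };
    uint8_t pkt[64];
    uint16_t proto = 0;
    size_t n = gre_encap(pkt, sizeof pkt, inner, sizeof inner, GRE_PROTO_IP, 1);
    int hlen = gre_decap(pkt, n, &proto);
    printf("GRE with checksum: %zu bytes, strip %d, proto 0x%04x, patch strips %d\n",
           n, hlen, proto, gre_hdrlen_as_patched(pkt));
    return 0;
}
```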
From: Julian Elischer
To: Andreas Gerstenberg, freebsd-net@freebsd.org
Subject: Re: GRE implementation?
References: <2476561115.977434137@windoze.andy.de> <3A426AC2.4CEAD5A7@elischer.org>

Julian Elischer wrote:
>
> Andreas Gerstenberg wrote:
> >
> > Hi,
> >
> > I just want to ask if there are plans to implement GRE encapsulation e.g. for
> > setup tunnel interfaces with cisco routers?
>
> you mean like is implemented in the FreeBSD kernel?

Ignore that.. I was confused.. it's implemented, but not as a separate
module: as part of the pptp module. (Having said that, it would be pretty
simple to make a purely GRE module..)

> (in netgraph)

--
Julian Elischer   julian@elischer.org   World tour 2000   presently in: Budapest
From: Archie Cobbs
Message-Id: <200012212157.eBLLvAU78207@curve.dellroad.org>
Subject: Re: New netgraph features?
In-Reply-To: <20001220161908.3866.qmail@nwcst288.netaddress.usa.net> "from John Smith at Dec 20, 2000 09:19:08 am"
To: John Smith
Date: Thu, 21 Dec 2000 13:57:10 -0800 (PST)
Cc: freebsd-net@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG

John Smith writes:
> Well, maybe I didn't say exactly what I wanted to.
> If we use, say, ksocket nodes as a tunnel, we will
> transfer the data - ok, but what about metadata?
> Maybe I should say 'to connect two netgraphs'?
> Maybe this is a lost cause, but that's why I'm asking.

Yes, there would need to be some extra stuff. Here are some quick
possibilities..

- We'd need to enhance the definition of a netgraph address to include,
  say, an IP address, e.g.:

    $ ngctl msg 192.168.1.12:foo: blah blah

- Encode control messages in their ASCII forms for transit across the
  network
- Pick a well known UDP port to be used for netgraph messages and data
  packets
- Create a node type that could listen on this port (using ng_ksocket)
  and do the required encoding/decoding.

-Archie

__________________________________________________________________________
Archie Cobbs   *   Packet Design   *   http://www.packetdesign.com
From: Don Lewis
Message-Id: <200012212336.PAA27025@salsa.gv.tsc.tdk.com>
Date: Thu, 21 Dec 2000 15:36:52 -0800
In-Reply-To: <20001220155118.N81814@skriver.dk>
References: <20001218182600.C1856@skriver.dk> <20001219222730.A29741@skriver.dk> <200012201046.CAA19456@salsa.gv.tsc.tdk.com> <20001220155118.N81814@skriver.dk>
To: Jesper Skriver, Don Lewis
Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h
Cc: Kris Kennaway, Poul-Henning Kamp, security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG

On Dec 20, 3:51pm, Jesper Skriver wrote:
} Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c
} On Wed, Dec 20, 2000 at 02:46:21AM -0800, Don Lewis wrote:
}
} > } It has the following functionality.
} > }
} > } - If the sysctl net.inet.tcp.icmp_admin_prohib_like_rst == 1 (default)
} > }   it enables the below.
} > } - When an ICMP administratively prohibited is received, it checks if the
} > }   IP header attached to the ICMP packet has any options set; if it has,
} > }   it ignores it. The reason for this is, if any options are set the extra
} > }   8 bytes are no longer the first 8 bytes from the TCP header, source/
} > }   destination ports and sequence number, which we need to find the
} > }   right TCP session.
} >
} > According to Stevens, we should get the first 8 bytes of the TCP header
} > even if there are options on the ICMP packet. We would have to be
} > careful to do sanity checking in this case, as well as guard against
} > unaligned accesses to the TCP header data.
}
} I'll read more on this; for now I think it's an improvement to ignore all
} packets with IP options, then we can improve it later by handling
} packets with options too.

I would expect the option-less case to be the most common, so it's ok to
defer this.

} > }
@@ -714,6 +715,15 @@ } > } (lport && inp->inp_lport != lport) || } > } (laddr.s_addr && inp->inp_laddr.s_addr != laddr.s_addr) || } > } (fport && inp->inp_fport != fport)) { } > } + inp = inp->inp_list.le_next; } > } + continue; } > } > Wouldn't it be more cleaner (gets rid of the loop) and more efficient (if } > we're getting blasted with ICMP messages) to use in_pcblookup_hash()? } } I didn't change the loop, but I'll have a look at this code, to see if } we can improve it, but again, to get moving, I'd like to commit this, } and leave this for a later improvement, ok ? Sure. } > } + } } > } + /* } > } + * If tcp_sequence is set, then skip sessions where } > } + * the sequence number is not one of a unacknowledged } > } + * packet. } > } + */ } > } + if ((tcp_sequence) && (tcp_seq_vs_sess(inp, tcp_sequence) == 0)) { } > } inp = inp->inp_list.le_next; } > } continue; } > } > We should pass in an extra flag to indicate if tcp_sequence is valid, since } > it can legally be zero. } } Ack, will do. } } > We should also bail out if the sequence check fails, } > since it isn't possible for there to be another connection with the same } > src/srcport/dst/dstport, so there is no sense in continuing the search. } } That is was we do right ? } } First we check if src/dst ip address and port numbers match, if not we } bail out, so if we reach the above check we know these match, then we } check for tcp sequence number, if this doesn't match we bail out. If the src/dst addresses and port numbers don't match, we start the next iteration of the loop. If the sequence numbers don't match, we want to exit the loop. I believe the continue should be changed to a break. I'll pretty much be off the net until the new year, so I won't be able to perform any further reviews until then. 
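Review bot: in the quoted hunk, `if ((tcp_sequence) && (tcp_seq_vs_sess(inp, tcp_sequence) == 0))` makes sequence number 0 mean "no sequence supplied", so a message that quotes sequence 0 skips the sequence check entirely and is matched on addresses and ports alone, which is the case the check exists to filter; a separate validity flag (or a pointer that is NULL when absent) keeps 0 usable as a real sequence number. In the same hunk the `continue` after a failed `tcp_seq_vs_sess()` should be a `break`: once the address/port comparison just above has passed, no other pcb can match, so the rest of the list is walked for nothing on every such ICMP message.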
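The check Jesper describes above (validate an ICMP administratively-prohibited message against the TCP session it quotes before treating it like a RST), as an added example that is not the code under review: it locates the quoted TCP header through ip_hl so IP options are handled as Don suggests, reads the fields bytewise to avoid unaligned access, and stops searching once the 4-tuple has matched. `struct tcp_session`, the [snd_una, snd_max) window rule and the constructed messages are this example's assumptions, not the kernel's.

```c
/* icmp_prohib.c: decide whether an ICMP "administratively prohibited" message may
 * be treated like a RST for one of our TCP sessions.  Added example, not the code
 * under review.  Assumed: IP/ICMP checksums already verified; a session is hit only
 * when the quoted sequence number lies in its unacknowledged window [snd_una, snd_max). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ICMP_UNREACH               3
#define ICMP_UNREACH_NET_PROHIB    9
#define ICMP_UNREACH_HOST_PROHIB   10
#define ICMP_UNREACH_FILTER_PROHIB 13
#define IPPROTO_TCP_NUM            6

struct tcp_session {              /* constructed stand-in for an inpcb/tcpcb pair */
    uint32_t laddr, faddr;        /* host byte order */
    uint16_t lport, fport;
    uint32_t snd_una, snd_max;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* Modular comparison, the same idea as SEQ_GEQ/SEQ_LT in tcp_seq.h. */
static int seq_in_window(uint32_t seq, uint32_t una, uint32_t max)
{
    return (int32_t)(seq - una) >= 0 && (int32_t)(seq - max) < 0;
}

/* Pull the quoted connection out of an ICMP message (icmp points at the ICMP
 * header).  Options on the quoted IP header are skipped via ip_hl, so the 8 bytes
 * after it are still ports and sequence number (Stevens); reads are bytewise, so
 * an unaligned TCP header is harmless.  Returns 0, or -1 to ignore the message. */
int icmp_prohib_extract(const uint8_t *icmp, size_t len, uint32_t *src, uint32_t *dst,
                        uint16_t *sport, uint16_t *dport, uint32_t *seq)
{
    const uint8_t *ip;
    size_t hl;
    if (len < 8 + 20 + 8 || icmp[0] != ICMP_UNREACH)
        return -1;
    if (icmp[1] != ICMP_UNREACH_NET_PROHIB && icmp[1] != ICMP_UNREACH_HOST_PROHIB &&
        icmp[1] != ICMP_UNREACH_FILTER_PROHIB)
        return -1;
    ip = icmp + 8;
    hl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || hl < 20 || len - 8 < hl + 8 || ip[9] != IPPROTO_TCP_NUM)
        return -1;
    *src = rd32(ip + 12);  *dst = rd32(ip + 16);
    *sport = rd16(ip + hl);  *dport = rd16(ip + hl + 2);  *seq = rd32(ip + hl + 4);
    return 0;
}

/* Return the index of the session the message refers to, or -1 to ignore it.
 * The quoted packet was sent by us, so its source is our local end. */
int icmp_prohib_match(const struct tcp_session *tab, size_t n, const uint8_t *icmp, size_t len)
{
    uint32_t src, dst, seq;
    uint16_t sport, dport;
    size_t i;
    if (icmp_prohib_extract(icmp, len, &src, &dst, &sport, &dport, &seq) != 0)
        return -1;
    for (i = 0; i < n; i++) {
        if (tab[i].laddr != src || tab[i].lport != sport ||
            tab[i].faddr != dst || tab[i].fport != dport)
            continue;                 /* not this session, keep looking */
        /* Only one session can own this 4-tuple, so the sequence check decides here
         * and there is nothing left to search (a break, not a continue). */
        return seq_in_window(seq, tab[i].snd_una, tab[i].snd_max) ? (int)i : -1;
    }
    return -1;
}

/* Construct an ICMP message quoting a TCP segment (constructed test input);
 * with_opts adds four NOP option bytes to the quoted IP header (ip_hl = 6). */
size_t build_icmp_prohib(uint8_t *out, size_t outlen, uint8_t code, uint32_t src,
                         uint32_t dst, uint16_t sport, uint16_t dport, uint32_t seq,
                         int with_opts)
{
    size_t hl = with_opts ? 24 : 20, total = 8 + hl + 8;
    if (outlen < total)
        return 0;
    memset(out, 0, total);
    out[0] = ICMP_UNREACH;
    out[1] = code;                    /* ICMP checksum stays zero: assumed verified */
    out[8] = (uint8_t)(0x40 | (hl / 4));
    out[8 + 9] = IPPROTO_TCP_NUM;
    wr32(out + 8 + 12, src);  wr32(out + 8 + 16, dst);
    if (with_opts)
        memset(out + 8 + 20, 0x01, 4);  /* NOP x4 */
    wr16(out + 8 + hl, sport);  wr16(out + 8 + hl + 2, dport);
    wr32(out + 8 + hl + 4, seq);
    return total;
}

int main(void)
{
    struct tcp_session s = { 0x0a000003u, 0xc0a80101u, 22, 40000, 1000, 1500 };
    uint8_t msg[64];
    size_t n = build_icmp_prohib(msg, sizeof msg, ICMP_UNREACH_HOST_PROHIB,
                                 s.laddr, s.faddr, s.lport, s.fport, 1200, 1);
    printf("seq 1200 %s\n", icmp_prohib_match(&s, 1, msg, n) == 0 ? "matches" : "ignored");
    return 0;
}
```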

Date: Thu, 21 Dec 2000 17:48:53 -0800 (PST)
From: Harkitrat Singh
To: freebsd-net@FREEBSD.ORG
Subject: problem with ifconfig

Hi!

I thought that it's not appropriate to post this message again in this
newsgroup, but I am in trouble, that's why I am posting it here; I request
a reply. ....I have a laptop Libretto 100CT (doesn't have any CD-ROM) and I
installed BSD release 4.2 and it was working fine, and to power off I was
using

  # /sbin/shutdown -h now

and after that I manually switched off the power (though I do not know if
it is the right way to do it). Yesterday when I did this and after that
rebooted the m/c, I got the message that the file system is not clean, and
then I ran fsck manually and then I found that I do not know whether I
should say yes or no to all these questions, so I left it in between and
then read some FAQ and found that I should run fsck -y /dev/ad01f (a friend
advised me) as I got the error with this file system only, and I rebooted
the machine. I did not do anything after this command, just rebooted after
the file system clean message. Now if I do ping it says that it can't
resolve, and if I use the IP address then I get the message that route not
found. I am also getting some messages during boot time that some files are
missing. Also on "ifconfig" I do not get ep0, meaning something with
ethernet, but I do not know how to fix it. Also if I run fsck -p I get the
message

  /dev/ad0s1a: NO WRITE ACCESS
  /dev/ad0s1a: UNEXPECTED INCONSISTENCY; RUN fsck manually.

Please tell me how I can avoid this happening in the future and solve it
right now. Do I have to reload the BSD?

Thanks,

Harkirat

Date: 22 Dec 2000 03:02:14 -0000
Message-ID: <20001222030214.6295.qmail@cube.gelatinous.com>
From: danh@gelatinous.com To: freebsd-net@freebsd.org Subject: mpd-netgraph question Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

hi

i'm trying to get mpd-netgraph to work on a 4.1 machine. my setup is simple (these machines live on a 10.x.x.x net; the internal interface of this box is 10.0.0.3):

[bunch of win 2k clients] <-> [freebsd router/ natd ] <-> [the internet at large ] <---> [little windows box ]

I am trying to let machines out on the internet connect to the same net as the bunch of win2k machines are on, pretty standard. i want the win 2k client connecting to think it is 10.0.0.110

here is my mpd.conf file:

pptp:
        new -i ng0 pptp pptp
        set iface disable on-demand
        set iface enable proxy-arp
        set iface idle 1800
        set bundle disable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
        set ipcp yes vjcomp
        set ipcp ranges 10.0.0.110/32 10.0.0.110/32
        set ipcp nbns 10.0.0.2
        set bundle enable compression
        set ccp yes mppc

here is my mpd.links file:

pptp:
        set link type pptp
        # set pptp self 10.0.0.3
        set pptp self xxx.xxx.xxx.xxx
        set pptp enable incoming
        set pptp disable originate

---

when the windows client in the outside world tries to connect, the client gets the following error: Disconnected Error 619: The specified port is not connected. Any ideas what I'm doing wrong? thanks for any help.
the relevant log in /var/log/mpd : Dec 21 18:50:18 china mpd: mpd: PPTP connection from 216.186.220.112:4100 Dec 21 18:50:18 china mpd: pptp0: attached to connection with 216.186.220.112:4100 Dec 21 18:50:20 china mpd: [pptp] IFACE: Open event Dec 21 18:50:20 china mpd: [pptp] IPCP: Open event Dec 21 18:50:20 china mpd: [pptp] IPCP: state change Initial --> Starting Dec 21 18:50:20 china mpd: [pptp] IPCP: LayerStart Dec 21 18:50:20 china mpd: [pptp] IPCP: Open event Dec 21 18:50:20 china mpd: [pptp] bundle: OPEN event in state CLOSED Dec 21 18:50:20 china mpd: [pptp] opening link "pptp"... Dec 21 18:50:20 china mpd: [pptp] link: OPEN event Dec 21 18:50:20 china mpd: [pptp] LCP: Open event Dec 21 18:50:20 china mpd: [pptp] LCP: state change Initial --> Starting Dec 21 18:50:20 china mpd: [pptp] LCP: LayerStart Dec 21 18:50:20 china mpd: [pptp] device: OPEN event in state DOWN Dec 21 18:50:20 china mpd: [pptp] attaching to peer's outgoing call Dec 21 18:50:20 china mpd: [pptp] device is now in state OPENING Dec 21 18:50:20 china mpd: [pptp] device: UP event in state OPENING Dec 21 18:50:20 china mpd: [pptp] device is now in state UP Dec 21 18:50:20 china mpd: [pptp] link: UP event Dec 21 18:50:20 china mpd: [pptp] link: origination is remote Dec 21 18:50:20 china mpd: [pptp] LCP: Up event Dec 21 18:50:20 china mpd: [pptp] LCP: state change Starting --> Req-Sent Dec 21 18:50:20 china mpd: [pptp] LCP: phase shift DEAD --> ESTABLISH Dec 21 18:50:20 china mpd: [pptp] LCP: SendConfigReq #17 Dec 21 18:50:20 china mpd: ACFCOMP Dec 21 18:50:20 china mpd: PROTOCOMP Dec 21 18:50:20 china mpd: MRU 1500 Dec 21 18:50:20 china mpd: MAGICNUM 511b49e0 Dec 21 18:50:20 china mpd: AUTHPROTO CHAP MSOFT Dec 21 18:50:20 china mpd: pptp0-0: ignoring SetLinkInfo Dec 21 18:50:20 china mpd: [pptp] LCP: rec'd Configure Request #0 link 0 (Req-Sent) Dec 21 18:50:20 china mpd: MAGICNUM 7f1921b1 Dec 21 18:50:20 china mpd: PROTOCOMP Dec 21 18:50:20 china mpd: ACFCOMP Dec 21 18:50:20 china mpd: 
CALLBACK Dec 21 18:50:20 china mpd: Not supported Dec 21 18:50:20 china mpd: MP MRRU 1614 Dec 21 18:50:20 china mpd: ENDPOINTDISC [LOCAL] b8 3c 6c 1d 52 9a 4c a4 8b e0 bd 40 68 fa 30 a2 00 00 00 14 Dec 21 18:50:20 china mpd: [pptp] LCP: SendConfigRej #0 Dec 21 18:50:20 china mpd: CALLBACK Dec 21 18:50:20 china mpd: MP MRRU 1614 Dec 21 18:50:21 china mpd: [pptp] LCP: rec'd Configure Request #1 link 0 (Req-Sent) Dec 21 18:50:21 china mpd: MAGICNUM 7f1921b1 Dec 21 18:50:21 china mpd: PROTOCOMP Dec 21 18:50:21 china mpd: ACFCOMP Dec 21 18:50:21 china mpd: ENDPOINTDISC [LOCAL] b8 3c 6c 1d 52 9a 4c a4 8b e0 bd 40 68 fa 30 a2 00 00 00 14 Dec 21 18:50:21 china mpd: [pptp] LCP: SendConfigAck #1 Dec 21 18:50:21 china mpd: MAGICNUM 7f1921b1 Dec 21 18:50:21 china mpd: PROTOCOMP Dec 21 18:50:21 china mpd: ACFCOMP Dec 21 18:50:21 china mpd: ENDPOINTDISC [LOCAL] b8 3c 6c 1d 52 9a 4c a4 8b e0 bd 40 68 fa 30 a2 00 00 00 14 Dec 21 18:50:21 china mpd: [pptp] LCP: state change Req-Sent --> Ack-Sent Dec 21 18:50:22 china mpd: [pptp] LCP: SendConfigReq #18 Dec 21 18:50:22 china mpd: ACFCOMP Dec 21 18:50:22 china mpd: PROTOCOMP Dec 21 18:50:22 china mpd: MRU 1500 Dec 21 18:50:22 china mpd: MAGICNUM 511b49e0 Dec 21 18:50:22 china mpd: AUTHPROTO CHAP MSOFT Dec 21 18:50:22 china mpd: pptp0-0: ignoring SetLinkInfo Dec 21 18:50:22 china mpd: [pptp] LCP: rec'd Configure Ack #18 link 0 (Ack-Sent) Dec 21 18:50:22 china mpd: ACFCOMP Dec 21 18:50:22 china mpd: PROTOCOMP Dec 21 18:50:22 china mpd: MRU 1500 Dec 21 18:50:22 china mpd: MAGICNUM 511b49e0 Dec 21 18:50:22 china mpd: AUTHPROTO CHAP MSOFT Dec 21 18:50:22 china mpd: [pptp] LCP: state change Ack-Sent --> Opened Dec 21 18:50:22 china mpd: [pptp] LCP: phase shift ESTABLISH --> AUTHENTICATE Dec 21 18:50:22 china mpd: [pptp] LCP: auth: peer wants nothing, I want CHAP Dec 21 18:50:22 china mpd: [pptp] CHAP: sending CHALLENGE Dec 21 18:50:22 china mpd: [pptp] LCP: LayerUp Dec 21 18:50:22 china mpd: [pptp] LCP: rec'd Ident #2 link 0 (Opened) Dec 21 
18:50:22 china mpd: MESG: MSRASV5.00 Dec 21 18:50:22 china mpd: [pptp] LCP: rec'd Ident #3 link 0 (Opened) Dec 21 18:50:22 china mpd: MESG: MSRAS-1-TIRAMISU Dec 21 18:50:22 china mpd: [pptp] CHAP: rec'd RESPONSE #1 Dec 21 18:50:22 china mpd: Name: "gymkata" Dec 21 18:50:22 china mpd: Peer name: "gymkata" Dec 21 18:50:22 china mpd: Response is valid Dec 21 18:50:22 china mpd: [pptp] CHAP: sending SUCCESS Dec 21 18:50:22 china mpd: [pptp] LCP: authorization successful Dec 21 18:50:22 china mpd: [pptp] LCP: phase shift AUTHENTICATE --> NETWORK Dec 21 18:50:22 china mpd: [pptp] up: 1 link, total bandwidth 64000 bps Dec 21 18:50:22 china mpd: [pptp] IPCP: Up event Dec 21 18:50:22 china mpd: [pptp] IPCP: state change Starting --> Req-Sent Dec 21 18:50:22 china mpd: [pptp] IPCP: SendConfigReq #9 Dec 21 18:50:22 china mpd: IPADDR 10.0.0.5 Dec 21 18:50:22 china mpd: COMPPROTO VJCOMP, 16 comp. channels, no comp-cid Dec 21 18:50:22 china mpd: [pptp] CCP: Open event Dec 21 18:50:22 china mpd: [pptp] CCP: state change Initial --> Starting Dec 21 18:50:22 china mpd: [pptp] CCP: LayerStart Dec 21 18:50:22 china mpd: [pptp] CCP: Up event Dec 21 18:50:22 china mpd: [pptp] CCP: state change Starting --> Req-Sent Dec 21 18:50:22 china mpd: [pptp] CCP: SendConfigReq #8 Dec 21 18:50:23 china mpd: [pptp] CCP: rec'd Configure Request #4 link 0 (Req-Sent) Dec 21 18:50:23 china mpd: MPPC Dec 21 18:50:23 china mpd: 0x010000b1: MPPC MPPE, 40 bit, stateless Dec 21 18:50:23 china mpd: Bits 0x00000090 not supported Dec 21 18:50:23 china mpd: [pptp] CCP: SendConfigNak #4 Dec 21 18:50:23 china mpd: MPPC Dec 21 18:50:23 china mpd: 0x00000000: Dec 21 18:50:23 china mpd: [pptp] IPCP: rec'd Configure Request #5 link 0 (Req-Sent) Dec 21 18:50:23 china mpd: IPADDR 0.0.0.0 Dec 21 18:50:23 china mpd: NAKing with 10.0.0.5 Dec 21 18:50:23 china mpd: PRIDNS 0.0.0.0 Dec 21 18:50:23 china mpd: PRINBNS 0.0.0.0 Dec 21 18:50:23 china mpd: NAKing with 10.0.0.2 Dec 21 18:50:23 china mpd: SECDNS 0.0.0.0 Dec 21 
18:50:23 china mpd: SECNBNS 0.0.0.0 Dec 21 18:50:23 china mpd: [pptp] IPCP: SendConfigRej #5 Dec 21 18:50:23 china mpd: PRIDNS 0.0.0.0 Dec 21 18:50:23 china mpd: SECDNS 0.0.0.0 Dec 21 18:50:23 china mpd: SECNBNS 0.0.0.0 Dec 21 18:50:23 china mpd: [pptp] IPCP: rec'd Configure Reject #9 link 0 (Req-Sent) Dec 21 18:50:23 china mpd: COMPPROTO VJCOMP, 16 comp. channels, no comp-cid Dec 21 18:50:23 china mpd: [pptp] IPCP: SendConfigReq #10 Dec 21 18:50:23 china mpd: IPADDR 10.0.0.5 Dec 21 18:50:23 china mpd: [pptp] CCP: rec'd Configure Nak #8 link 0 (Req-Sent) Dec 21 18:50:23 china mpd: MPPC Dec 21 18:50:23 china mpd: 0x00000000: Dec 21 18:50:23 china mpd: [pptp] CCP: SendConfigReq #9 Dec 21 18:50:23 china mpd: pptp0-0: ignoring SetLinkInfo Dec 21 18:50:23 china mpd: [pptp] LCP: rec'd Terminate Request #6 link 0 (Opened) Dec 21 18:50:23 china mpd: [pptp] LCP: state change Opened --> Stopping Dec 21 18:50:23 china mpd: [pptp] LCP: phase shift NETWORK --> TERMINATE Dec 21 18:50:23 china mpd: [pptp] up: 0 links, total bandwidth 9600 bps Dec 21 18:50:23 china mpd: [pptp] IPCP: Down event Dec 21 18:50:23 china mpd: [pptp] IPCP: state change Req-Sent --> Starting Dec 21 18:50:23 china mpd: [pptp] CCP: Down event Dec 21 18:50:23 china mpd: [pptp] CCP: state change Req-Sent --> Starting Dec 21 18:50:23 china mpd: [pptp] CCP: Close event Dec 21 18:50:23 china mpd: [pptp] CCP: state change Starting --> Initial Dec 21 18:50:23 china mpd: [pptp] CCP: LayerFinish Dec 21 18:50:23 china mpd: [pptp] LCP: SendTerminateAck #19 Dec 21 18:50:23 china mpd: [pptp] LCP: LayerDown Dec 21 18:50:24 china mpd: [pptp] LCP: rec'd Terminate Request #7 link 0 (Stopping) Dec 21 18:50:24 china mpd: [pptp] LCP: SendTerminateAck #20 Dec 21 18:50:25 china mpd: [pptp] LCP: state change Stopping --> Stopped Dec 21 18:50:25 china mpd: [pptp] LCP: phase shift TERMINATE --> ESTABLISH Dec 21 18:50:25 china mpd: [pptp] LCP: LayerFinish Dec 21 18:50:25 china mpd: [pptp] device: CLOSE event in state UP Dec 21 
18:50:25 china mpd: pptp0-0: clearing call Dec 21 18:50:25 china mpd: pptp0-0: killing channel Dec 21 18:50:25 china mpd: [pptp] PPTP call terminated Dec 21 18:50:25 china mpd: [pptp] IFACE: Close event Dec 21 18:50:25 china mpd: [pptp] IPCP: Close event Dec 21 18:50:25 china mpd: [pptp] IPCP: state change Starting --> Initial Dec 21 18:50:25 china mpd: [pptp] IPCP: LayerFinish Dec 21 18:50:25 china mpd: [pptp] IFACE: Close event Dec 21 18:50:25 china mpd: pptp0: closing connection with 216.186.220.112:4100 Dec 21 18:50:25 china mpd: [pptp] IFACE: Close event Dec 21 18:50:25 china mpd: [pptp] device is now in state CLOSING Dec 21 18:50:25 china mpd: [pptp] bundle: CLOSE event in state OPENED Dec 21 18:50:25 china mpd: [pptp] closing link "pptp"... Dec 21 18:50:25 china mpd: [pptp] device: DOWN event in state CLOSING Dec 21 18:50:25 china mpd: [pptp] device is now in state DOWN Dec 21 18:50:25 china mpd: [pptp] link: CLOSE event Dec 21 18:50:25 china mpd: [pptp] LCP: Close event Dec 21 18:50:25 china mpd: [pptp] LCP: state change Stopped --> Closed Dec 21 18:50:25 china mpd: [pptp] device: DOWN event in state DOWN Dec 21 18:50:25 china mpd: [pptp] device is now in state DOWN Dec 21 18:50:25 china mpd: [pptp] link: DOWN event Dec 21 18:50:25 china mpd: [pptp] LCP: Down event Dec 21 18:50:25 china mpd: [pptp] LCP: state change Closed --> Initial Dec 21 18:50:25 china mpd: [pptp] LCP: phase shift ESTABLISH --> DEAD Dec 21 18:50:25 china mpd: [pptp] link: DOWN event Dec 21 18:50:25 china mpd: [pptp] LCP: Down event Dec 21 18:50:25 china mpd: pptp0: invalid length 16 for type 4 Dec 21 18:50:25 china mpd: pptp0: killing connection with 216.186.220.112:4100 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Thu Dec 21 23:42:26 2000 From owner-freebsd-net@FreeBSD.ORG Thu Dec 21 23:42:23 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from nw174.netaddress.usa.net 
(nw174.netaddress.usa.net [204.68.24.74]) by hub.freebsd.org (Postfix) with SMTP id AC1AD37B400 for ; Thu, 21 Dec 2000 23:42:23 -0800 (PST) Received: (qmail 20125 invoked by uid 60001); 22 Dec 2000 07:42:11 -0000 Message-ID: <20001222074211.20124.qmail@nw174.netaddress.usa.net> Received: from 204.68.24.74 by nw174 for [213.226.6.17] via web-mailer(34FM.0700.4B.01) on Fri Dec 22 07:42:11 GMT 2000 Date: 22 Dec 00 00:42:11 MST 
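The mpd log quoted in the mpd-netgraph post above shows the peer's CCP Configure Request carrying option bits 0x010000b1 ("MPPC MPPE, 40 bit, stateless"), mpd answering "Bits 0x00000090 not supported" with a Configure Nak, and the peer sending an LCP Terminate Request shortly afterwards. The following is an added example, not part of the thread and not mpd code: it decodes those option bits by the RFC 3078 (MPPE) and RFC 2118 (MPPC) bit names and walks a copy of the posted log lines to list which options were refused before the peer hung up. SAMPLE_LOG is a subset of the lines from the post; SERVER_SUPPORTED is an assumed server-side mask, chosen so that the refused bits reproduce mpd's own 0x00000090 line. The thread itself does not say that the refused bits are the cause of error 619.

```python
"""CCP option decoder and negotiation-log triage for a PPTP/mpd session.

Added example (not mpd code). Bit names follow RFC 3078 / RFC 2118;
SERVER_SUPPORTED is an assumption; SAMPLE_LOG is copied from the post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RFC 3078 "Supported Bits" of the MPPE/MPPC CCP option.
MPPE_BITS = {
    0x01000000: "H (stateless mode)",
    0x00000080: "M (56-bit key)",
    0x00000040: "S (128-bit key)",
    0x00000020: "L (40-bit key)",
    0x00000010: "D (obsolete)",
    0x00000001: "C (MPPC compression)",
}

# Assumption: the server can do MPPC plus stateless 40/128-bit MPPE.
SERVER_SUPPORTED = 0x01000000 | 0x00000040 | 0x00000020 | 0x00000001


def decode_mppe(bits: int) -> list[str]:
    """Names of the set bits, in RFC 3078 order; unknown bits are kept raw."""
    names = [name for mask, name in MPPE_BITS.items() if bits & mask]
    leftover = bits & ~sum(MPPE_BITS)
    if leftover:
        names.append(f"unknown 0x{leftover:08x}")
    return names


def unsupported_bits(requested: int, supported: int = SERVER_SUPPORTED) -> int:
    """Bits the peer asked for that we cannot honour; these get NAKed."""
    return requested & ~supported


@dataclass
class Event:
    ts: str
    layer: str                                  # LCP, IPCP or CCP
    msg: str                                    # e.g. "SendConfigNak #4"
    details: list[str] = field(default_factory=list)


# A tagged "[pptp] LAYER: ..." packet line, or an untagged option line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ mpd: "
    r"(?:\[pptp\] (?P<layer>LCP|IPCP|CCP): (?P<msg>.*)|(?P<detail>[^\[].*))$"
)
HEX_RE = re.compile(r"\b0x([0-9a-fA-F]{8}):")


def parse_events(lines) -> list[Event]:
    """mpd prints a packet's options on their own lines after the packet
    line; attach each untagged option line to the event printed before it."""
    events: list[Event] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["layer"]:
            events.append(Event(m["ts"], m["layer"], m["msg"].strip()))
        elif events:
            events[-1].details.append(m["detail"].strip())
    return events


def peer_mppe_request(events: list[Event]) -> int | None:
    """Bitmask from the peer's first CCP Configure Request, if it carried one."""
    for ev in events:
        if ev.layer == "CCP" and ev.msg.startswith("rec'd Configure Request"):
            for d in ev.details:
                m = HEX_RE.search(d)
                if m:
                    return int(m.group(1), 16)
    return None


def negotiation_failures(events: list[Event]) -> list[tuple[str, str, list[str]]]:
    """Every Nak/Rej we sent before the peer's first LCP Terminate Request."""
    failures = []
    for ev in events:
        if ev.layer == "LCP" and ev.msg.startswith("rec'd Terminate Request"):
            break
        if ev.msg.startswith(("SendConfigNak", "SendConfigRej")):
            failures.append((ev.layer, ev.msg, ev.details))
    return failures


SAMPLE_LOG = """\
Dec 21 18:50:22 china mpd: [pptp] LCP: phase shift AUTHENTICATE --> NETWORK
Dec 21 18:50:22 china mpd: [pptp] CCP: SendConfigReq #8
Dec 21 18:50:23 china mpd: [pptp] CCP: rec'd Configure Request #4 link 0 (Req-Sent)
Dec 21 18:50:23 china mpd: MPPC
Dec 21 18:50:23 china mpd: 0x010000b1: MPPC MPPE, 40 bit, stateless
Dec 21 18:50:23 china mpd: Bits 0x00000090 not supported
Dec 21 18:50:23 china mpd: [pptp] CCP: SendConfigNak #4
Dec 21 18:50:23 china mpd: MPPC
Dec 21 18:50:23 china mpd: 0x00000000:
Dec 21 18:50:23 china mpd: [pptp] IPCP: rec'd Configure Request #5 link 0 (Req-Sent)
Dec 21 18:50:23 china mpd: IPADDR 0.0.0.0
Dec 21 18:50:23 china mpd: NAKing with 10.0.0.5
Dec 21 18:50:23 china mpd: [pptp] IPCP: SendConfigRej #5
Dec 21 18:50:23 china mpd: PRIDNS 0.0.0.0
Dec 21 18:50:23 china mpd: [pptp] LCP: rec'd Terminate Request #6 link 0 (Opened)
Dec 21 18:50:23 china mpd: [pptp] LCP: state change Opened --> Stopping
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    req = peer_mppe_request(evs)
    if req is not None:
        refused = unsupported_bits(req)
        print(f"peer asked for 0x{req:08x}: {decode_mppe(req)}")
        print(f"refused 0x{refused:08x}: {decode_mppe(refused)}")
    for layer, msg, details in negotiation_failures(evs):
        print(layer, msg, details)
```

Run against the posted lines, the decoder reports that 0x00000090 is the M (56-bit key) and D (obsolete) bits, and the triage lists the CCP Nak and the IPCP Reject as the only refusals before the Terminate Request.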
From: John Smith To: Archie Cobbs Subject: Re: [Re: New netgraph features?] Cc: freebsd-net@freebsd.org, freebsd-hackers@freebsd.org X-Mailer: USANET web-mailer (34FM.0700.4B.01) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Archie Cobbs wrote: >John Smith writes: >> Well, maybe I didn't say exactly what I wanted to. >> If we use, say, ksocket nodes as a tunnel, we will >> transfer the data - ok, but what about metadata? >> Maybe I should say 'to connect two netgraphs'? >> Maybe this is a lost cause, but that's why I'm asking. > >Yes, there would need to be some extra stuff. Here are some >quick possibilities.. > >- We'd need to enhance the definition of a netgraph address > to include, say, an IP address, eg.: > > $ ngctl msg 192.168.1.12:foo: blah blah Well, I was thinking about this. I would like to share this pre-idea and to receive your opinions. I have one question here. Why should it be limited to UDP... (or whatever protocol)? Are we going to lose something if we, say, create a special node for 'netgraph tunneling' (so that it may or may not be included into a running kernel) and then connect this node to another one, which will be used for the 'transport' layer? Such a node could possibly be used to encode/decode the inter-netgraph messages. Other nodes' names then should include the transport layer address. This way I think we won't get limited to one protocol... Comments? > >- Encode control messages in their ASCII forms for transit > across the network > >- Pick a well known UDP port to be used for netgraph messages > and data packets > >- Create a node type that could listen on this port (using ng_ksocket) > and do the required encoding/decoding.
> >-Archie > >_________________________________________________________________________ >Archie Cobbs * Packet Design * >http://www.packetdesign.com ____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Dec 22 1:27:44 2000 From owner-freebsd-net@FreeBSD.ORG Fri Dec 22 01:27:39 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from freesbee.wheel.dk (freesbee.wheel.dk [193.162.159.97]) by hub.freebsd.org (Postfix) with ESMTP id 80B6937B400; Fri, 22 Dec 2000 01:27:35 -0800 (PST) Received: by freesbee.wheel.dk (Postfix, from userid 1001) id 5D8EF3E49; Fri, 22 Dec 2000 10:27:34 +0100 (CET) Date: Fri, 22 Dec 2000 10:27:34 +0100
From: Jesper Skriver To: Don Lewis Cc: Kris Kennaway , Poul-Henning Kamp , security-officer@FreeBSD.ORG, cvs-all@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Subject: Re: what to do now ? Was: cvs commit: src/sys/netinet ip_icmp.c tcp_subr.c tcp_var.h Message-ID: <20001222102734.B86219@skriver.dk> References: <20001218182600.C1856@skriver.dk> <20001219222730.A29741@skriver.dk> <200012201046.CAA19456@salsa.gv.tsc.tdk.com> <20001220155118.N81814@skriver.dk> <200012212336.PAA27025@salsa.gv.tsc.tdk.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200012212336.PAA27025@salsa.gv.tsc.tdk.com>; from Don.Lewis@tsc.tdk.com on Thu, Dec 21, 2000 at 03:36:52PM -0800 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Dec 21, 2000 at 03:36:52PM -0800, Don Lewis wrote: > On Dec 20, 3:51pm, Jesper Skriver wrote: > } > We should also bail out if the sequence check fails, > } > since it isn't possible for there to be another connection with the same > } > src/srcport/dst/dstport, so there is no sense in continuing the search. > } > } That is what we do, right? > } > } First we check if src/dst ip address and port numbers match, if not we > } bail out, so if we reach the above check we know these match, then we > } check for tcp sequence number, if this doesn't match we bail out. > > If the src/dst addresses and port numbers don't match, we start the next > iteration of the loop. If the sequence numbers don't match, we want to > exit the loop. I believe the continue should be changed to a break. Agree, a minor change I'll get PHK to put into the diff he's about to commit. > I'll pretty much be off the net until the new year, so I won't be able > to perform any further reviews until then. Happy new year and a merry Xmas.
/Jesper -- Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456 Work: Network manager @ AS3292 (Tele Danmark DataNetworks) Private: Geek @ AS2109 (A much smaller network ;-) One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone to bind them. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Dec 22 6:33:49 2000 From owner-freebsd-net@FreeBSD.ORG Fri Dec 22 06:33:45 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from critter.freebsd.dk (flutter.freebsd.dk [212.242.40.147]) by hub.freebsd.org (Postfix) with ESMTP id DE91A37B402; Fri, 22 Dec 2000 06:33:43 -0800 (PST) Received: from critter (localhost [127.0.0.1]) by critter.freebsd.dk (8.11.1/8.11.1) with ESMTP id eBMC4Yb70740; Fri, 22 Dec 2000 13:04:34 +0100 (CET) (envelope-from phk@critter.freebsd.dk) To: Archie Cobbs Cc: John Smith , freebsd-net@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG Subject: Re: New netgraph features? In-Reply-To: Your message of "Thu, 21 Dec 2000 13:57:10 PST." <200012212157.eBLLvAU78207@curve.dellroad.org> Date: Fri, 22 Dec 2000 13:04:34 +0100 Message-ID: <70738.977486674@critter> 
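The exchange between Jesper Skriver and Don Lewis above is about a loop in the ICMP handling for TCP: match the quoted source/destination addresses and ports, then check the quoted sequence number, and stop scanning (break, not continue) once the 4-tuple has matched, because no other connection can carry the same 4-tuple. What makes the sequence check possible at all is that an ICMP error quotes the offending IP header plus the first 8 bytes of its payload (RFC 792), and for TCP those 8 bytes are exactly the two ports and the sequence number. The following is an added example written for this page, not the committed kernel code: it parses a constructed ICMP Destination Unreachable, looks the connection up, and counts how many entries the scan examines, so the difference between continue and break is visible. The acceptance window (snd_una <= seq < snd_max), the TcpPcb fields and the sample connection table are assumptions for illustration.

```python
"""ICMP error -> TCP connection lookup with a sequence-number check.

Added example, not FreeBSD kernel code. The window test and the pcb
fields are assumptions; the ICMP packet and connection table are constructed.
"""
import struct
from dataclasses import dataclass


@dataclass
class TcpPcb:
    laddr: str
    lport: int
    faddr: str
    fport: int
    snd_una: int   # oldest unacknowledged sequence number
    snd_max: int   # one past the highest sequence number sent


def seq_in_window(seq: int, lo: int, hi: int) -> bool:
    """lo <= seq < hi with 32-bit wraparound (assumed acceptance window)."""
    return (seq - lo) & 0xFFFFFFFF < (hi - lo) & 0xFFFFFFFF


def parse_icmp_quote(icmp: bytes):
    """An ICMP error is an 8-byte ICMP header followed by the offending IP
    header and the first 8 bytes of that datagram (RFC 792). For TCP those
    8 bytes are source port, destination port and sequence number."""
    if len(icmp) < 8 + 20:
        raise ValueError("truncated ICMP error")
    ip = icmp[8:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 8:
        raise ValueError("bad quoted IP header")
    if ip[9] != 6:                                  # protocol field
        raise ValueError("quoted datagram is not TCP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport, seq = struct.unpack("!HHI", ip[ihl:ihl + 8])
    return src, sport, dst, dport, seq


def find_pcb(pcbs, src, sport, dst, dport, seq):
    """The quoted datagram was sent by us, so src/sport are the local side.
    Returns (matching pcb or None, number of entries examined)."""
    examined = 0
    for pcb in pcbs:
        examined += 1
        if (pcb.laddr, pcb.lport, pcb.faddr, pcb.fport) != (src, sport, dst, dport):
            continue      # a different connection: keep scanning
        if not seq_in_window(seq, pcb.snd_una, pcb.snd_max):
            break         # the 4-tuple is unique, nothing later can match: stop
        return pcb, examined
    return None, examined


def build_icmp_unreach(src, sport, dst, dport, seq) -> bytes:
    """Constructed sample: ICMP type 3 code 3 quoting a minimal IPv4+TCP head
    (checksums left zero; this is test input, not a packet to send)."""
    icmp_hdr = struct.pack("!BBHI", 3, 3, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return icmp_hdr + ip_hdr + struct.pack("!HHI", sport, dport, seq)


# Constructed connection table; the searched-for entry is in the middle.
CONNECTIONS = [
    TcpPcb("10.0.0.1", 1111, "10.0.0.9", 80, snd_una=100, snd_max=200),
    TcpPcb("10.0.0.1", 2222, "10.0.0.9", 80, snd_una=1000, snd_max=1500),
    TcpPcb("10.0.0.1", 3333, "10.0.0.9", 80, snd_una=5, snd_max=10),
]


def handle_icmp(icmp: bytes, pcbs=CONNECTIONS):
    """Parse the quote and look the connection up."""
    return find_pcb(pcbs, *parse_icmp_quote(icmp))


if __name__ == "__main__":
    good = build_icmp_unreach("10.0.0.1", 2222, "10.0.0.9", 80, 1200)
    forged = build_icmp_unreach("10.0.0.1", 2222, "10.0.0.9", 80, 99999)
    print(handle_icmp(good))
    print(handle_icmp(forged))
```

With the break in place the forged error (right 4-tuple, sequence number outside the window) stops the scan at the second entry; with a continue the loop would go on to examine the third entry and still find nothing.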
From: Poul-Henning Kamp Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I may not have caught the drift here, but if you send meta-data across the net, wouldn't some kind of authentication be needed ? Poul-Henning In message <200012212157.eBLLvAU78207@curve.dellroad.org>, Archie Cobbs writes: >John Smith writes: >> Well, maybe I didn't say exactly what I wanted to. >> If we use, say, ksocket nodes as a tunnel, we will >> transfer the data - ok, but what about metadata? >> Maybe I should say 'to connect two netgraphs'? >> Maybe this is a lost cause, but that's why I'm asking. > >Yes, there would need to be some extra stuff. Here are some >quick possibilities.. > >- We'd need to enhance the definition of a netgraph address > to include, say, an IP address, eg.: > > $ ngctl msg 192.168.1.12:foo: blah blah > >- Encode control messages in their ASCII forms for transit > across the network > >- Pick a well known UDP port to be used for netgraph messages > and data packets > >- Create a node type that could listen on this port (using ng_ksocket) > and do the required encoding/decoding. > >-Archie > >__________________________________________________________________________ >Archie Cobbs * Packet Design * http://www.packetdesign.com > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-hackers" in the body of the message > -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Dec 22 8: 8: 3 2000 From owner-freebsd-net@FreeBSD.ORG Fri Dec 22 08:08:01 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from nwcst276.netaddress.usa.net (nwcst276.netaddress.usa.net [204.68.23.21]) by hub.freebsd.org (Postfix) with SMTP id 98DFB37B400 for ; Fri, 22 Dec 2000 08:08:00 -0800 (PST) Received: (qmail 8888 invoked by uid 60001); 22 Dec 2000 16:07:54 -0000 Message-ID: <20001222160754.8887.qmail@nwcst276.netaddress.usa.net> Received: from 204.68.23.21 by nwcst276 for [213.226.6.17] via web-mailer(34FM.0700.4B.01) on Fri Dec 22 16:07:54 GMT 2000 Date: 22 Dec 00 09:07:54 MST 
From: John Smith To: phk@critter.freebsd.dk Subject: Re: New netgraph features? Cc: archie@dellroad.org, freebsd-net@freebsd.org, freebsd-hackers@freebsd.org X-Mailer: USANET web-mailer (34FM.0700.4B.01) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Poul-Henning Kamp wrote: >I may not have caught the drift here, but if you send meta-data >across the net, wouldn't some kind of authentication be needed? Yes, it must be. This is probably the next-in-thread request for comments/suggestions. I'm still not sure if the whole thing would be useful, so, the authentication methods seem too far to me at the present time. If you have any comments about this... I think you know what to do :) ____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Dec 22 8:32:36 2000 From owner-freebsd-net@FreeBSD.ORG Fri Dec 22 08:32:34 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from demai05.mw.mediaone.net (demai05.mw.mediaone.net [24.131.1.56]) by hub.freebsd.org (Postfix) with ESMTP id 7A77537B400 for ; Fri, 22 Dec 2000 08:32:34 -0800 (PST) Received: from jose (nic-131-c192-209.mw.mediaone.net [24.131.192.209]) by demai05.mw.mediaone.net (8.8.7/8.8.7) with SMTP id LAA24547 for ; Fri, 22 Dec 2000 11:32:32 -0500 (EST) Message-ID: <003a01c06c34$d5207ff0$d1c08318@jose>
From: "Jeremy Karteczka" To: Subject: Intel fxp driver Date: Fri, 22 Dec 2000 11:32:52 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Greetings, Can anyone tell me if the Intel 82559 based NICs are supported currently? This is the chip on the PILA8460B and PILA8460BN. Thanks in advance To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Dec 22 8:44:12 2000 From owner-freebsd-net@FreeBSD.ORG Fri Dec 22 08:44:09 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (Postfix) with ESMTP id E875C37B400; Fri, 22 Dec 2000 08:44:08 -0800 (PST) Received: from whizzo.transsys.com (localhost.transsys.com [127.0.0.1]) by whizzo.transsys.com (8.11.1/8.11.0) with ESMTP id eBMGeR536245; Fri, 22 Dec 2000 11:40:27 -0500 (EST) (envelope-from louie@whizzo.transsys.com) Message-Id: <200012221640.eBMGeR536245@whizzo.transsys.com> X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 To: John Smith Cc: phk@critter.freebsd.dk, archie@dellroad.org, freebsd-net@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG X-Image-URL: http://www.transsys.com/louie/images/louie-mail.jpg 
From: "Louis A. Mamakos" Subject: Re: New netgraph features? References: <20001222160754.8887.qmail@nwcst276.netaddress.usa.net> In-reply-to: Your message of "22 Dec 2000 09:07:54 MST." <20001222160754.8887.qmail@nwcst276.netaddress.usa.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 22 Dec 2000 11:40:27 -0500 Sender: louie@TransSys.COM Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Poul-Henning Kamp wrote: > >I may not have caught the drift here, but if you send meta-data > >across the net, wouldn't some kind of authentication be needed? > > Yes, It must be. This is probably the next-in-thread request for > comments/suggestions. I'm still not sure if the whole thing would be useful, > so, the authentication methods seem too far to me at the present time. If you > have any comments about this... I think you know what to do :) Assuming you can use the administrative/policy model, you can probably use IPSEC AH and get this "for free." louie To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Dec 22 9:49:36 2000 From owner-freebsd-net@FreeBSD.ORG Fri Dec 22 09:49:31 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from InterJet.dellroad.org (adsl-63-194-81-26.dsl.snfc21.pacbell.net [63.194.81.26]) by hub.freebsd.org (Postfix) with ESMTP id 76DBC37B400; Fri, 22 Dec 2000 09:49:26 -0800 (PST) Received: from curve.dellroad.org (curve.dellroad.org [10.1.1.30]) by InterJet.dellroad.org (8.9.1a/8.9.1) with ESMTP id JAA43179; Fri, 22 Dec 2000 09:49:25 -0800 (PST) Received: (from archie@localhost) by curve.dellroad.org (8.11.0/8.11.0) id eBMHnPG81236; Fri, 22 Dec 2000 09:49:25 -0800 (PST) (envelope-from archie) 
From: Archie Cobbs Message-Id: <200012221749.eBMHnPG81236@curve.dellroad.org> Subject: Re: [Re: New netgraph features?] In-Reply-To: <20001222074211.20124.qmail@nw174.netaddress.usa.net> "from John Smith at Dec 22, 2000 00:42:11 am" To: John Smith Date: Fri, 22 Dec 2000 09:49:25 -0800 (PST) Cc: freebsd-net@freebsd.org, freebsd-hackers@freebsd.org X-Mailer: ELM [version 2.4ME+ PL82 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org John Smith writes: > >- We'd need to enhance the definition of a netgraph address > > to include, say, an IP address, eg.: > > > > $ ngctl msg 192.168.1.12:foo: blah blah > > Well, I was thinking about this. I would like to share > this pre-idea and to receive your opinions. > I have one question here. Why should it be limited > to UDP... (or whatever protocol)? Are we going to > lose something, if we, say, create special node > for 'netgraph tunneling' (so that it may or may not > be included into a running kernel) then connect > this node to another one, which will be used for > 'transport' layer. Such a node could possibly be > used to encode/decode the inter-netgraph messages. > Other nodes' names then should include > the transport layer address. This way I think we > won't get limited to one protocol... Your idea of being protocol agnostic is more general.. however, there is a slightly larger problem I didn't mention before. Address syntax is parsed by the base code (ng_base.c). The syntax of an address is not something an individual node gets to decide.. so there are two possibilities.. You could do multi-host netgraph using a "private" addressing scheme, simply by defining a control message that contained inside it an IP address (or whatever), a netgraph address on the remote machine, and a payload control message.
Then write a node that knows how to (de)encapsulate these control messages and send/recv them over the network. But then you have something like this: $ ngctl msg relaynode: { ip=192.168.1.12 addr="foo:" ... } instead of this: $ ngctl msg 192.168.1.12:foo: blah blah To get the "cooler" case #2 behavior, there would need to be "global" knowledge of the addressing scheme, which is of course tied into the delivery protocol because the generalized netgraph address must contain a protocol address (IP address or whatever). Now.. we do have a syntax for describing a struct sockaddr of any type (eg, ng_ksocket(4) node). So the protocol address could just be an ASCII struct sockaddr and that would be as general as it gets. -Archie __________________________________________________________________________ Archie Cobbs * Packet Design * http://www.packetdesign.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Dec 22 11:20:53 2000 From owner-freebsd-net@FreeBSD.ORG Fri Dec 22 11:20:51 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from implode.root.com (root.com [209.102.106.178]) by hub.freebsd.org (Postfix) with ESMTP id 2337A37B400 for ; Fri, 22 Dec 2000 11:20:49 -0800 (PST) Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.8/8.8.5) with ESMTP id LAA28791; Fri, 22 Dec 2000 11:16:23 -0800 (PST) Message-Id: <200012221916.LAA28791@implode.root.com> To: "Jeremy Karteczka" Cc: freebsd-net@FreeBSD.ORG Subject: Re: Intel fxp driver In-reply-to: Your message of "Fri, 22 Dec 2000 11:32:52 EST." <003a01c06c34$d5207ff0$d1c08318@jose> 
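Archie Cobbs's "private" addressing scheme above wraps a remote netgraph address and a payload control message in an outer message, `ngctl msg relaynode: { ip=192.168.1.12 addr="foo:" ... }`, and Poul-Henning Kamp's question earlier in the thread is what authenticates that wrapper once it crosses the network. The following is an added example for this page, not netgraph code and not anything proposed in the thread: an envelope for such a relayed control message, carried in ASCII as Archie suggests, with an HMAC-SHA256 tag over the whole envelope and a per-peer sequence number. The tag covers the destination host and node address, so a captured envelope cannot be re-pointed at another host or node, and the sequence number rejects replays. The field names, the shared key, the JSON encoding and the strictly increasing sequence are assumptions for illustration; IPsec AH, as Louis Mamakos suggests, would provide the origin and integrity check at the IP layer instead.

```python
"""Authenticated, replay-protected envelope for a relayed control message.

Added example (not netgraph code). Field names, shared key, JSON encoding
and the sequence-number rule are assumptions for illustration.
"""
import hashlib
import hmac
import json


class RelayError(Exception):
    """Envelope rejected; the message text is the reason."""


def seal(key: bytes, seq: int, ip: str, addr: str, msg: str) -> bytes:
    """Encode the envelope and append an HMAC over all of it. The target
    host (ip) and node address (addr) are under the tag, so the envelope
    cannot be redirected without the key."""
    body = json.dumps({"seq": seq, "ip": ip, "addr": addr, "msg": msg},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


class Receiver:
    """One per peer: the shared key, our own address, last accepted seq."""

    def __init__(self, key: bytes, local_ip: str):
        self.key = key
        self.local_ip = local_ip
        self.last_seq = -1

    def open(self, wire: bytes) -> dict:
        body, sep, tag = wire.rpartition(b"\n")
        if not sep:
            raise RelayError("no tag")
        expect = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expect):      # verify before parsing
            raise RelayError("bad tag")
        env = json.loads(body)
        if env.get("ip") != self.local_ip:
            raise RelayError("not addressed to this host")
        seq = env.get("seq")
        if not isinstance(seq, int) or seq <= self.last_seq:
            raise RelayError("replayed or out-of-order")
        self.last_seq = seq                            # accept, advance window
        return env


def verdict(receiver: Receiver, wire: bytes) -> str:
    """'ok' or the rejection reason, for callers that prefer no exceptions."""
    try:
        receiver.open(wire)
        return "ok"
    except RelayError as e:
        return str(e)


if __name__ == "__main__":
    key = b"per-peer-shared-secret"                    # assumed pre-shared key
    rx = Receiver(key, "192.168.1.12")
    wire = seal(key, 1, "192.168.1.12", "foo:", "getstats")
    print(verdict(rx, wire))                           # accepted
    print(verdict(rx, wire))                           # same envelope again
    redirected = wire.replace(b'"addr":"foo:"', b'"addr":"bar:"')
    print(verdict(rx, redirected))                     # tag no longer matches
```

The receiver checks the tag before it parses anything, so malformed input from an unauthenticated sender never reaches the decoder or the netgraph side; the sequence check is deliberately simple (strictly increasing per peer) and would need a window if the transport can reorder.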
From: David Greenman Reply-To: dg@root.com Date: Fri, 22 Dec 2000 11:16:23 -0800 Sender: dg@implode.root.com Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Greetings, >Can anyone tell me if the Intel 82559 based NICs are supported currently? This >is the chip on the PILA8460B and PILA8460BN. Yes, it's supported. -DG David Greenman Co-founder, The FreeBSD Project - http://www.freebsd.org President, TeraSolutions, Inc. - http://www.terasolutions.com Pave the road of life with opportunities. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Dec 22 13:24:14 2000 From owner-freebsd-net@FreeBSD.ORG Fri Dec 22 13:24:10 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from rigel.cs.pdx.edu (rigel.cs.pdx.edu [131.252.208.59]) by hub.freebsd.org (Postfix) with ESMTP id CD64F37B402; Fri, 22 Dec 2000 13:24:09 -0800 (PST) Received: from pollux.cs.pdx.edu (harkirat@pollux.cs.pdx.edu [131.252.223.76]) by rigel.cs.pdx.edu (8.9.1/8.9.1) with ESMTP id NAA27614; Fri, 22 Dec 2000 13:24:09 -0800 (PST) Received: from localhost (harkirat@localhost) by pollux.cs.pdx.edu (8.8.6/8.8.5) with ESMTP id NAA00334; Fri, 22 Dec 2000 13:24:08 -0800 (PST) X-Authentication-Warning: pollux.cs.pdx.edu: harkirat owned process doing -bs Date: Fri, 22 Dec 2000 13:24:08 -0800 (PST) 
From: Harkitrat Singh To: network Cc: questions Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi! I have /etc/rc.conf file as under:

linux_enable="YES"
server="daemon"
gateway_enable"="YES"
sshd_enable="YES"
portmap_enable="YES"
nfs_client_enable="YES"
inetd_enable="YES"
network_interfaces="ep0 lo0"
pccard_ifconfig="DHCP"
ifconfig_ep0="DHCP"
hostname="cat.pdx.edu"
pccard_enable="YES"
pccard_flags=" -i 3 -i 6"
pccard_men="DEFAULT"

I have a problem with ping. I have the nameserver address (IP) in /etc/resolv.conf. Could someone tell me whether there is any problem with /etc/rc.conf and what the meaning of pccard_flags="-i 3 -i 6" is. Urgent help is requested. Thanks, Harkirat To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Dec 22 13:48: 3 2000 From owner-freebsd-net@FreeBSD.ORG Fri Dec 22 13:48:01 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mail.integratus.com (unknown [63.209.2.83]) by hub.freebsd.org (Postfix) with SMTP id C47CF37B402 for ; Fri, 22 Dec 2000 13:48:00 -0800 (PST) Received: (qmail 16882 invoked from network); 22 Dec 2000 21:47:50 -0000 Received: from kungfu.integratus.com (HELO integratus.com) (172.20.5.168) by tortuga1.integratus.com with SMTP; 22 Dec 2000 21:47:50 -0000 Sender: jar@FreeBSD.ORG Message-ID: <3A43CC06.DD56C1BF@integratus.com> Date: Fri, 22 Dec 2000 13:47:50 -0800
From: Jack Rusher Organization: http://www.integratus.com/ X-Mailer: Mozilla 4.73 [en] (X11; I; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: John Smith Cc: Archie Cobbs , freebsd-net@freebsd.org, freebsd-hackers@freebsd.org Subject: Re: [Re: New netgraph features?] References: <20001222074211.20124.qmail@nw174.netaddress.usa.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org John Smith wrote: > > lose something, if we, say, create special node > for 'netgraph tunneling' (so that it may or may not I would like to see netgraph used to facilitate shared coherent interface support for FreeBSD (very valuable for clustering). Does anyone have an opinion on the difficulty of hacking something like this into the tunnel node code? -- Jack Rusher, Senior Engineer | mailto:jar@integratus.com Integratus, Inc. | http://www.integratus.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Dec 22 16:27:21 2000 From owner-freebsd-net@FreeBSD.ORG Fri Dec 22 16:27:18 2000 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mail.interware.hu (mail.interware.hu [195.70.32.130]) by hub.freebsd.org (Postfix) with ESMTP id 993F837B402; Fri, 22 Dec 2000 16:27:17 -0800 (PST) Received: from gaborone-56.budapest.interware.hu ([195.70.52.184] helo=elischer.org) by mail.interware.hu with esmtp (Exim 3.16 #1 (Debian)) id 149cWn-00024H-00; Sat, 23 Dec 2000 01:27:13 +0100 Sender: julian@FreeBSD.ORG Message-ID: <3A43F12B.1E24B658@elischer.org> Date: Fri, 22 Dec 2000 16:26:19 -0800
From: Julian Elischer
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 5.0-CURRENT i386)
X-Accept-Language: en, hu
MIME-Version: 1.0
To: John Smith
Cc: phk@critter.freebsd.dk, archie@dellroad.org, freebsd-net@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: New netgraph features?
References: <20001222160754.8887.qmail@nwcst276.netaddress.usa.net>
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

John Smith wrote:
>
> Poul-Henning Kamp wrote:
> >I may not have caught the drift here, but if you send meta-data
> >across the net, wouldn't some kind of authentication be needed?
>
> Yes, it must be. This is probably the next-in-thread request for
> comments/suggestions. I'm still not sure if the whole thing would be useful,
> so, the authentication methods seem too far to me at the present time. If you
> have any comments about this... I think you know what to do :)

Netgraph was designed to be a link-level patch-panel within ONE machine..
I guess you might be able to use it to bridge between two networks that are on different machines... but....
--
  __--_|\   Julian Elischer
 /       \  julian@elischer.org
(   OZ    ) World tour 2000
---> X_.---._/  from Perth, presently in: Budapest
            v

From owner-freebsd-net Fri Dec 22 16:34: 7 2000
From owner-freebsd-net@FreeBSD.ORG Fri Dec 22 16:34:05 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mail.interware.hu (mail.interware.hu [195.70.32.130]) by hub.freebsd.org (Postfix) with ESMTP id 9D42737B400 for ; Fri, 22 Dec 2000 16:34:04 -0800 (PST)
Received: from gaborone-56.budapest.interware.hu ([195.70.52.184] helo=elischer.org) by mail.interware.hu with esmtp (Exim 3.16 #1 (Debian)) id 149cdO-0002L4-00; Sat, 23 Dec 2000 01:34:03 +0100
Sender: julian@FreeBSD.ORG
Message-ID: <3A43F2C4.45A4B77A@elischer.org>
Date: Fri, 22 Dec 2000 16:33:08 -0800
From: Julian Elischer
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 5.0-CURRENT i386)
X-Accept-Language: en, hu
MIME-Version: 1.0
To: Jack Rusher
Cc: John Smith, freebsd-net@freebsd.org
Subject: Re: [Re: New netgraph features?]
References: <20001222074211.20124.qmail@nw174.netaddress.usa.net> <3A43CC06.DD56C1BF@integratus.com>
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jack Rusher wrote:
>
> John Smith wrote:
> >
> > lose something, if we, say, create special node
> > for 'netgraph tunneling' (so that it may or may not
>
> I would like to see netgraph used to facilitate shared coherent
> interface support for FreeBSD (very valuable for clustering). Does
> anyone have an opinion on the difficulty of hacking something like this
> into the tunnel node code?
>

Can you describe it better?

--
  __--_|\   Julian Elischer
 /       \  julian@elischer.org
(   OZ    ) World tour 2000
---> X_.---._/  from Perth, presently in: Budapest
            v

From owner-freebsd-net Sat Dec 23 17:16:14 2000
From owner-freebsd-net@FreeBSD.ORG Sat Dec 23 17:16:13 2000
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from coconut.itojun.org (coconut.itojun.org [210.160.95.97]) by hub.freebsd.org (Postfix) with ESMTP id C057F37B400 for ; Sat, 23 Dec 2000 17:16:11 -0800 (PST)
Received: from kiwi.itojun.org (localhost.itojun.org [127.0.0.1]) by coconut.itojun.org (8.9.3+3.2W/3.7W) with ESMTP id KAA26877; Sun, 24 Dec 2000 10:15:30 +0900 (JST)
To: Luigi Rizzo
Cc: andy@andy.de (Andreas Gerstenberg), freebsd-net@FreeBSD.ORG
In-reply-to: rizzo's message of Thu, 21 Dec 2000 12:46:41 PST.
<200012212046.eBLKkfe87614@iguana.aciri.org>
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
Subject: Re: GRE implementation?
From: itojun@iijlab.net
Date: Sun, 24 Dec 2000 10:15:30 +0900
Message-ID: <26875.977620530@coconut.itojun.org>
Sender: itojun@itojun.org
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Note though that itojun warned me that this code might conflict
>with future use of the link2 flag from the KAME project.

FYI: latest kame code already uses LINK2, to control ingress filter behavior in gif/stf.

itojun