From owner-freebsd-ipfw@FreeBSD.ORG Sun Jan 2 03:28:16 2005
Date: Sun, 2 Jan 2005 03:28:15 +0000
From: "Christian S.J. Peron" To: ipfw@freebsd.org Message-ID: <20050102032815.GA58777@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.1i cc: andre@freebsd.org cc: rwatson@freebsd.org Subject: [patch] changed state allocations to use UMA X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 02 Jan 2005 03:28:16 -0000 I have generated a patch which changes the state allocation in IPFW from malloc(9) to uma_zcreate(9). This should minimize memory wastage associated with firewall states and improve the performance of state creation, destruction and in lookups. Anyone have any problems with this patch being committed? http://people.freebsd.org/~csjp/ip_fw2.c.uma_zone.1104636041.diff Index: ip_fw2.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.85 diff -u -r1.85 ip_fw2.c --- ip_fw2.c 10 Dec 2004 02:17:18 -0000 1.85 +++ ip_fw2.c 2 Jan 2005 03:21:04 -0000 @@ -101,6 +101,7 @@ static int verbose_limit; static struct callout ipfw_timeout; +static uma_zone_t ipfw_dyn_rule_zone; #define IPFW_DEFAULT_RULE 65535 /* @@ -782,7 +783,7 @@ else \ head = q = q->next; \ dyn_count--; \ - free(old_q, M_IPFW); } + uma_zfree(ipfw_dyn_rule_zone, old_q); } #define TIME_LEQ(a,b) ((int)((a)-(b)) <= 0) @@ -1058,7 +1059,7 @@ } i = hash_packet(id); - r = malloc(sizeof *r, M_IPFW, M_NOWAIT | M_ZERO); + r = uma_zalloc(ipfw_dyn_rule_zone, M_NOWAIT | M_ZERO); if (r == NULL) { printf ("ipfw: sorry cannot allocate state\n"); return NULL; 
@@ -3504,6 +3505,9 @@ layer3_chain.busy_count = 0; cv_init(&layer3_chain.cv, "Condition variable for IPFW rw locks"); IPFW_LOCK_INIT(&layer3_chain); + ipfw_dyn_rule_zone = uma_zcreate("IPFW dynamic rule zone", + sizeof(ipfw_dyn_rule), NULL, NULL, NULL, NULL, + UMA_ALIGN_PTR, 0); IPFW_DYN_LOCK_INIT(); callout_init(&ipfw_timeout, debug_mpsafenet ? CALLOUT_MPSAFE : 0); @@ -3585,6 +3589,7 @@ reap_rules(reap); flush_tables(); IPFW_DYN_LOCK_DESTROY(); + uma_zdestroy(ipfw_dyn_rule_zone); IPFW_LOCK_DESTROY(&layer3_chain); printf("IP firewall unloaded\n"); }

--
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
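Review bot: the malloc()/free() pair converted here is the only one visible, so confirm before commit that no other path frees an ipfw_dyn_rule with free(9) or allocates one with malloc(9) and later reaches the unlink macro: after this change `uma_zfree(ipfw_dyn_rule_zone, old_q)` on a malloc'd block, or free(..., M_IPFW) on a zone object, corrupts the allocator. A grep for the remaining M_IPFW uses on dynamic rules would settle it.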
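Review bot: in the unload hunk, `uma_zdestroy(ipfw_dyn_rule_zone)` is only safe once every dynamic rule has been returned to the zone; the visible context shows reap_rules(reap) and flush_tables() ahead of it but not the dynamic-rule teardown, and IPFW_DYN_LOCK_DESTROY() has already run, so the ordering deserves a check. Note also that the zone gets no ceiling of its own (no uma_zone_set_max()), so the dyn_count-based limit that the unlink macro maintains stays the only bound on state memory; that is fine as long as it is checked before every uma_zalloc().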
From: Tilman Linneweh
Message-Id: <200501021434.j02EYQEw034762@freefall.freebsd.org>
To: arved@FreeBSD.org, freebsd-i386@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: i386/75483: ipfw count does not count
X-List-Received-Date: Sun, 02 Jan 2005 14:34:26 -0000

Synopsis: ipfw count does not count

Responsible-Changed-From-To: freebsd-i386->ipfw
Responsible-Changed-By: arved
Responsible-Changed-When: Sun Jan 2 14:34:01 GMT 2005
Responsible-Changed-Why:
Over to ipfw mailing list for review

http://www.freebsd.org/cgi/query-pr.cgi?pr=75483

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 3 11:02:30 2005
Date: Mon, 3 Jan 2005 11:02:29 GMT
Message-Id: <200501031102.j03B2TiJ006571@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-List-Received-Date: Mon, 03 Jan 2005 11:02:30 -0000

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483  ipfw   ipfw count does not count

8 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Thu Jan 6 21:57:36 2005
Date: Thu, 6 Jan 2005 13:59:23 -0800
From: Brooks Davis
To: freebsd-ipfw@freebsd.org
Message-ID: <20050106215923.GA31004@odin.ac.hmc.edu>
Subject: [PATCH] deprecating abrevations in ipfw
X-List-Received-Date: Thu, 06 Jan 2005 21:57:36 -0000

The ipfw program's code is littered with unmaintainable uses of strncmp to implement abbreviations. The following patch replaces those with two new functions which simplify the code and produce warnings that the syntax is deprecated. In a future release, those can be converted to hard errors and then finally the code can revert to using strcmp. The intention is to explicitly support a small number of abbreviations that actually make sense rather than allowing arbitrary shortening of some words.

When I examined the code, I found three types of uses of strncmp. Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av to match string or any shortened form of it. I have replaced this with a new function _substrcmp(av, "string") which returns 0 if av is a substring of "string", but emits a warning if av is not exactly "string".

The next type was two instances of strncmp(av, "by", 2) which allowed the abbreviation of bytes to "by", "byt", etc. Unfortunately, it also supports "bykHUygh&*g&*7*ui". I added a second new function _substrcmp2(av, "by", "bytes") which acts like the strncmp did, but complains if the user doesn't spell out the word "bytes".

There was also one correct use of strncmp to match "table(" which might have another token after it.
Since I was changing all the lines anyway, I also fixed the treatment of strncmp's return as a boolean in many cases. I did modify a few strcmp cases as well to be fully consistent.

One final feature of this patch is a slight rewrite of match_token and match_value. The match_token changes make the code more readable in my opinion. However, it's possible that for very large rule files, the old form is enough cheaper than the new form that it's noticeable. The changes to match_value simply make its variable names and flow more like match_token. I'd probably commit these separately.

Any objections to this patch? I plan to MFC this to RELENG_5 after a commit to HEAD.

-- Brooks

==== //depot/user/brooks/dingo/sbin/ipfw/ipfw2.c#1 - /home/brooks/working/freebsd/p4/dingo/sbin/ipfw/ipfw2.c ==== @@ -427,10 +427,12 @@ match_token(struct _s_x *table, char *string) { struct _s_x *pt; - uint i = strlen(string); + + if (strlen(string) == 0) + return -1; - for (pt = table ; i && pt->s != NULL ; pt++) - if (strlen(pt->s) == i && !bcmp(string, pt->s, i)) + for (pt = table ; pt->s != NULL ; pt++) + if (strcmp(string, pt->s) == 0) return pt->x; return -1; }
@@ -440,15 +442,67 @@ * with the value (NULL in case of failure). */ static char const * -match_value(struct _s_x *p, int value) +match_value(struct _s_x *table, int value) { - for (; p->s != NULL; p++) - if (p->x == value) - return p->s; + struct _s_x *pt; + + for (pt = table; pt->s != NULL; pt++) + if (pt->x == value) + return pt->s; return NULL; } /* + * _substrcmp takes two strings and returns 1 if they do not match, + * and 0 if they match exactly or the first string is a sub-string + * of the second. A warning is printed to stderr in the case that the + * first string is a sub-string of the second. + * + * This function will be removed in the future through the usual + * deprecation process. + */ +static int +_substrcmp(const char *str1, const char* str2) +{ + + if (strncmp(str1, str2, strlen(str1)) != 0) + return 1; + + if (strlen(str1) != strlen(str2)) + warnx("DEPRECATED: '%s' matched '%s' as a sub-string", + str1, str2); + return 0; +} + +/* + * _substrcmp2 takes three strings and returns 1 if the first two do not match, + * and 0 if they match exactly or the second string is a sub-string + * of the first. A warning is printed to stderr in the case that the + * first string does not match the third. + * + * This function exists to warn about the bizzare construction + * strncmp(str, "by", 2) which is used to allow people to use a shotcut + * for "bytes". The problem is that in addition to accepting "by", + * "byt", "byte", and "bytes", it also excepts "by_rabid_dogs" and any + * other string beginning with "by". + * + * This function will be removed in the future through the usual + * deprecation process. + */ +static int +_substrcmp2(const char *str1, const char* str2, const char* str3) +{ + + if (strncmp(str1, str2, strlen(str2)) != 0) + return 1; + + if (strcmp(str1, str3) != 0) + warnx("DEPRECATED: '%s' matched '%s'", + str1, str3); + return 0; +} + +/* * prints one port, symbolic or numeric */ static void 
@@ -1760,7 +1814,7 @@ if (!ac) errx(EX_USAGE, "set needs command"); - if (!strncmp(*av, "show", strlen(*av)) ) { + if (_substrcmp(*av, "show") == 0) { void *data; char const *msg; @@ -1784,7 +1838,7 @@ msg = ""; } printf("\n"); - } else if (!strncmp(*av, "swap", strlen(*av))) { + } else if (_substrcmp(*av, "swap") == 0) { ac--; av++; if (ac != 2) errx(EX_USAGE, "set swap needs 2 set numbers\n"); @@ -1796,14 +1850,14 @@ errx(EX_DATAERR, "invalid set number %s\n", av[1]); masks[0] = (4 << 24) | (new_set << 16) | (rulenum); i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t)); - } else if (!strncmp(*av, "move", strlen(*av))) { + } else if (_substrcmp(*av, "move") == 0) { ac--; av++; - if (ac && !strncmp(*av, "rule", strlen(*av))) { + if (ac && _substrcmp(*av, "rule") == 0) { cmd = 2; ac--; av++; } else cmd = 3; - if (ac != 3 || strncmp(av[1], "to", strlen(*av))) + if (ac != 3 || _substrcmp(av[1], "to") != 0) errx(EX_USAGE, "syntax: set move [rule] X to Y\n"); rulenum = atoi(av[0]); new_set = atoi(av[2]); @@ -1814,9 +1868,9 @@ errx(EX_DATAERR, "invalid dest. set %s\n", av[1]); masks[0] = (cmd << 24) | (new_set << 16) | (rulenum); i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t)); - } else if (!strncmp(*av, "disable", strlen(*av)) || - !strncmp(*av, "enable", strlen(*av)) ) { - int which = !strncmp(*av, "enable", strlen(*av)) ? 1 : 0; + } else if (_substrcmp(*av, "disable") == 0 || + _substrcmp(*av, "enable") == 0 ) { + int which = _substrcmp(*av, "enable") == 0 ? 1 : 0; ac--; av++; masks[0] = masks[1] = 0; @@ -1828,9 +1882,9 @@ errx(EX_DATAERR, "invalid set number %d\n", i); masks[which] |= (1<o.len &= ~F_LEN_MASK; /* zero len */ - if (!strncmp(av, "any", strlen(av))) + if (_substrcmp(av, "any") == 0) return; - if (!strncmp(av, "me", strlen(av))) { + if (_substrcmp(av, "me") == 0) { cmd->o.len |= F_INSN_SIZE(ipfw_insn); return; } - if (!strncmp(av, "table(", 6)) { + if (strncmp(av, "table(", 6) == 0) { char *p = strchr(av + 6, ','); if (p) 
@@ -2341,7 +2395,7 @@ av++; ac--; NEED1("missing rule specification"); - if (ac > 0 && !strncmp(*av, "set", strlen(*av))) { + if (ac > 0 && _substrcmp(*av, "set") == 0) { do_set = 1; /* delete set */ ac--; av++; } @@ -2389,7 +2443,7 @@ cmd->o.len |= F_INSN_SIZE(ipfw_insn_if); /* Parse the interface or address */ - if (!strcmp(arg, "any")) + if (strcmp(arg, "any") == 0) cmd->o.len = 0; /* effectively ignore this command */ else if (!isdigit(*arg)) { strlcpy(cmd->name, arg, sizeof(cmd->name)); @@ -2446,7 +2500,8 @@ if (*end == 'K' || *end == 'k') { p.fs.flags_fs |= DN_QSIZE_IS_BYTES; p.fs.qsize *= 1024; - } else if (*end == 'B' || !strncmp(end, "by", 2)) { + } else if (*end == 'B' || + _substrcmp2(end, "by", "bytes") == 0) { p.fs.flags_fs |= DN_QSIZE_IS_BYTES; } ac--; av++; @@ -2603,7 +2658,8 @@ end++; p.bandwidth *= 1000000; } - if (*end == 'B' || !strncmp(end, "by", 2)) + if (*end == 'B' || + _substrcmp2(end, "by", "bytes") == 0) p.bandwidth *= 8; if (p.bandwidth < 0) errx(EX_DATAERR, "bandwidth too large"); @@ -2736,7 +2792,7 @@ for (i=0; i<6; i++) addr[i] = mask[i] = 0; - if (!strcmp(p, "any")) + if (strcmp(p, "any") == 0) return; for (i=0; *p && i<6;i++, p++) { @@ -2857,7 +2913,7 @@ struct protoent *pe; u_char proto = 0; - if (!strncmp(av, "all", strlen(av))) + if (_substrcmp(av, "all") == 0) ; /* same as "ip" */ else if ((proto = atoi(av)) > 0) ; /* all done! */ @@ -2907,7 +2963,7 @@ static ipfw_insn * add_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode) { - if (!strncmp(av, "any", strlen(av))) { + if (_substrcmp(av, "any") == 0) { return NULL; } else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) { /* XXX todo: check that we have a protocol with ports */ @@ -2979,7 +3035,7 @@ } /* [set N] -- set number (0..RESVD_SET), optional */ - if (ac > 1 && !strncmp(*av, "set", strlen(*av))) { + if (ac > 1 && _substrcmp(*av, "set") == 0) { int set = strtoul(av[1], NULL, 10); if (set < 0 || set > RESVD_SET) errx(EX_DATAERR, "illegal set %s", av[1]); 
@@ -2988,7 +3044,7 @@ } /* [prob D] -- match probability, optional */ - if (ac > 1 && !strncmp(*av, "prob", strlen(*av))) { + if (ac > 1 && _substrcmp(*av, "prob") == 0) { match_prob = strtod(av[1], NULL); if (match_prob <= 0 || match_prob > 1) @@ -3132,7 +3188,7 @@ have_log = (ipfw_insn *)c; cmd->len = F_INSN_SIZE(ipfw_insn_log); cmd->opcode = O_LOG; - if (ac && !strncmp(*av, "logamount", strlen(*av))) { + if (ac && _substrcmp(*av, "logamount") == 0) { ac--; av++; NEED1("logamount requires argument"); l = atoi(*av); @@ -3193,8 +3249,8 @@ #define CLOSE_PAR \ if (open_par) { \ if (ac && ( \ - !strncmp(*av, ")", strlen(*av)) || \ - !strncmp(*av, "}", strlen(*av)) )) { \ + strcmp(*av, ")") == 0 || \ + strcmp(*av, "}") == 0)) { \ prev = NULL; \ open_par = 0; \ ac--; av++; \ @@ -3203,7 +3259,7 @@ } #define NOT_BLOCK \ - if (ac && !strncmp(*av, "not", strlen(*av))) { \ + if (ac && _substrcmp(*av, "not") == 0) { \ if (cmd->len & F_NOT) \ errx(EX_USAGE, "double \"not\" not allowed\n"); \ cmd->len |= F_NOT; \ @@ -3211,7 +3267,7 @@ } #define OR_BLOCK(target) \ - if (ac && !strncmp(*av, "or", strlen(*av))) { \ + if (ac && _substrcmp(*av, "or") == 0) { \ if (prev == NULL || open_par == 0) \ errx(EX_DATAERR, "invalid OR block"); \ prev->len |= F_OR; \ @@ -3230,8 +3286,8 @@ */ NOT_BLOCK; NEED1("missing protocol"); - if (!strncmp(*av, "MAC", strlen(*av)) || - !strncmp(*av, "mac", strlen(*av))) { + if (_substrcmp(*av, "MAC") == 0 || + _substrcmp(*av, "mac") == 0) { ac--; av++; /* the "MAC" keyword */ add_mac(cmd, ac, av); /* exits in case of errors */ cmd = next_cmd(cmd); @@ -3269,7 +3325,7 @@ /* * "from", mandatory */ - if (!ac || strncmp(*av, "from", strlen(*av))) + if (!ac || _substrcmp(*av, "from") != 0) errx(EX_USAGE, "missing ``from''"); ac--; av++; @@ -3293,7 +3349,7 @@ */ NOT_BLOCK; /* optional "not" */ if (ac) { - if (!strncmp(*av, "any", strlen(*av)) || + if (_substrcmp(*av, "any") == 0 || add_ports(cmd, *av, proto, O_IP_SRCPORT)) { ac--; av++; if (F_LEN(cmd) != 0) 
@@ -3304,7 +3360,7 @@ /* * "to", mandatory */ - if (!ac || strncmp(*av, "to", strlen(*av))) + if (!ac || _substrcmp(*av, "to") != 0) errx(EX_USAGE, "missing ``to''"); av++; ac--; @@ -3328,7 +3384,7 @@ */ NOT_BLOCK; /* optional "not" */ if (ac) { - if (!strncmp(*av, "any", strlen(*av)) || + if (_substrcmp(*av, "any") == 0 || add_ports(cmd, *av, proto, O_IP_DSTPORT)) { ac--; av++; if (F_LEN(cmd) != 0) @@ -3665,7 +3721,7 @@ case TOK_SRCPORT: NEED1("missing source port"); - if (!strncmp(*av, "any", strlen(*av)) || + if (_substrcmp(*av, "any") == 0 || add_ports(cmd, *av, proto, O_IP_SRCPORT)) { ac--; av++; } else @@ -3674,7 +3730,7 @@ case TOK_DSTPORT: NEED1("missing destination port"); - if (!strncmp(*av, "any", strlen(*av)) || + if (_substrcmp(*av, "any") == 0 || add_ports(cmd, *av, proto, O_IP_DSTPORT)) { ac--; av++; } else @@ -3920,8 +3976,8 @@ } else errx(EX_USAGE, "table number required"); NEED1("table needs command"); - if (strncmp(*av, "add", strlen(*av)) == 0 || - strncmp(*av, "delete", strlen(*av)) == 0) { + if (_substrcmp(*av, "add") == 0 || + _substrcmp(*av, "delete") == 0) { do_add = **av == 'a'; ac--; av++; if (!ac) @@ -3945,10 +4001,10 @@ &ent, sizeof(ent)) < 0) err(EX_OSERR, "setsockopt(IP_FW_TABLE_%s)", do_add ? "ADD" : "DEL"); - } else if (strncmp(*av, "flush", strlen(*av)) == 0) { + } else if (_substrcmp(*av, "flush") == 0) { if (do_cmd(IP_FW_TABLE_FLUSH, &ent.tbl, sizeof(ent.tbl)) < 0) err(EX_OSERR, "setsockopt(IP_FW_TABLE_FLUSH)"); - } else if (strncmp(*av, "list", strlen(*av)) == 0) { + } else if (_substrcmp(*av, "list") == 0) { a = ent.tbl; l = sizeof(a); if (do_cmd(IP_FW_TABLE_GETSIZE, &a, (uintptr_t)&l) < 0) @@ -4160,9 +4216,9 @@ * optional: pipe or queue */ do_pipe = 0; - if (!strncmp(*av, "pipe", strlen(*av))) + if (_substrcmp(*av, "pipe") == 0) do_pipe = 1; - else if (!strncmp(*av, "queue", strlen(*av))) + else if (_substrcmp(*av, "queue") == 0) do_pipe = 2; if (do_pipe) { ac--; 
@@ -4182,30 +4238,30 @@ av[1] = p; } - if (!strncmp(*av, "add", strlen(*av))) + if (_substrcmp(*av, "add") == 0) add(ac, av); - else if (do_pipe && !strncmp(*av, "config", strlen(*av))) + else if (do_pipe && _substrcmp(*av, "config") == 0) config_pipe(ac, av); - else if (!strncmp(*av, "delete", strlen(*av))) + else if (_substrcmp(*av, "delete") == 0) delete(ac, av); - else if (!strncmp(*av, "flush", strlen(*av))) + else if (_substrcmp(*av, "flush") == 0) flush(do_force); - else if (!strncmp(*av, "zero", strlen(*av))) + else if (_substrcmp(*av, "zero") == 0) zero(ac, av, IP_FW_ZERO); - else if (!strncmp(*av, "resetlog", strlen(*av))) + else if (_substrcmp(*av, "resetlog") == 0) zero(ac, av, IP_FW_RESETLOG); - else if (!strncmp(*av, "print", strlen(*av)) || - !strncmp(*av, "list", strlen(*av))) + else if (_substrcmp(*av, "print") == 0 || + _substrcmp(*av, "list") == 0) list(ac, av, do_acct); - else if (!strncmp(*av, "set", strlen(*av))) + else if (_substrcmp(*av, "set") == 0) sets_handler(ac, av); - else if (!strncmp(*av, "table", strlen(*av))) + else if (_substrcmp(*av, "table") == 0) table_handler(ac, av); - else if (!strncmp(*av, "enable", strlen(*av))) + else if (_substrcmp(*av, "enable") == 0) sysctl_handler(ac, av, 1); - else if (!strncmp(*av, "disable", strlen(*av))) + else if (_substrcmp(*av, "disable") == 0) sysctl_handler(ac, av, 0); - else if (!strncmp(*av, "show", strlen(*av))) + else if (_substrcmp(*av, "show") == 0) list(ac, av, 1 /* show counters */); else errx(EX_USAGE, "bad command `%s'", *av); ==== //depot/user/brooks/ports/slimserver/Makefile#20 - /home/brooks/working/freebsd/p4/ports/slimserver/Makefile ==== 
@@ -26,7 +26,7 @@ RUN_DEPENDS+= ${SLIM_CPAN_DEPS:S|^|${SITE_PERL}/|:S|:|:${PORTSDIR}/|} .if ${PERL_LEVEL} < 500800 -IGNORE= Need Perl 5.8.x +IGNORE= "Perl 5.8 or newer required. Install lang/perl5.8 and try again." .endif .if ${OSVERSION} < 502110
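Review bot: the slimserver Makefile hunk has nothing to do with the ipfw change and should be dropped from this patch before commit.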
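Review bot: _substrcmp() treats an empty first string as a match for anything: strncmp(str1, str2, strlen(str1)) with length 0 returns 0, so `_substrcmp("", "show") == 0` holds and only a deprecation warning is printed. The strncmp(av, ..., strlen(av)) idiom being replaced had the same hole, but the match_token() hunk in this same patch explicitly rejects a zero-length string, and the helper should do likewise (an `if (*str1 == '\0') return 1;` before the strncmp) rather than carry the quirk through the deprecation period. The _substrcmp2() comment also has three typos: "bizzare", "shotcut" and "excepts" (for "accepts").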
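Review bot: in the enable/disable branch of the sets handler the token is compared twice, `_substrcmp(*av, "enable") == 0` in the else-if and again in `int which = _substrcmp(*av, "enable") == 0 ? 1 : 0;`, so an abbreviated "enable" prints the DEPRECATED warning twice. Derive `which` from the outcome of the first comparison instead, as the table hunk does with `do_add = **av == 'a';`.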
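Review bot: `if (ac != 3 || _substrcmp(av[1], "to") != 0)` in the set move hunk quietly fixes a latent bug: the old line was `strncmp(av[1], "to", strlen(*av))`, measuring av[0] (the rule number) against av[1], so which spellings of "to" were accepted depended on the length of the rule number. That is a behaviour change beyond adding warnings and deserves a line in the commit message.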
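The three strncmp idioms Brooks describes above, and the behaviour of the replacement helpers on awkward tokens, side by side in a stand-alone harness. This is an added example, not code from the patch or from sbin/ipfw: the `*_demo` functions copy the logic of the patch's `_substrcmp()` and `_substrcmp2()` so it can be exercised outside ipfw, `old_prefix_match()` and `old_by_match()` reproduce the idioms being removed, and `keyword_match_strict()` is a stricter variant of my own that is not part of the patch. The tokens are constructed; the interesting ones are the empty string and "by_rabid_dogs".

```c
#include <err.h>
#include <stdio.h>
#include <string.h>

/* Old idiom 1: strncmp(av, "keyword", strlen(av)) == 0 accepts any prefix of
 * the keyword.  Returns 1 when the old code would have taken the branch. */
static int old_prefix_match(const char *av, const char *keyword)
{
	return strncmp(av, keyword, strlen(av)) == 0;
}

/* Old idiom 2: strncmp(av, "by", 2) == 0 accepts any token beginning "by". */
static int old_by_match(const char *av)
{
	return strncmp(av, "by", 2) == 0;
}

/* Same logic as the patch's _substrcmp(): 0 if str1 equals str2 or is a
 * prefix of it (with a DEPRECATED warning in the prefix case), 1 otherwise.
 * Note that an empty str1 is a "prefix" of everything. */
static int substrcmp_demo(const char *str1, const char *str2)
{
	if (strncmp(str1, str2, strlen(str1)) != 0)
		return 1;
	if (strlen(str1) != strlen(str2))
		warnx("DEPRECATED: '%s' matched '%s' as a sub-string", str1, str2);
	return 0;
}

/* Same logic as the patch's _substrcmp2(): accepts whatever
 * strncmp(str1, str2, strlen(str2)) accepted, warning unless str1 is str3. */
static int substrcmp2_demo(const char *str1, const char *str2, const char *str3)
{
	if (strncmp(str1, str2, strlen(str2)) != 0)
		return 1;
	if (strcmp(str1, str3) != 0)
		warnx("DEPRECATED: '%s' matched '%s'", str1, str3);
	return 0;
}

/* Stricter variant (my suggestion, hypothetical): an empty token never
 * matches and an abbreviation must be a proper prefix of the full keyword.
 * Returns 0 for an exact match, 1 for a warned abbreviation, -1 otherwise. */
static int keyword_match_strict(const char *av, const char *keyword)
{
	size_t n = strlen(av);

	if (n == 0 || n > strlen(keyword) || strncmp(av, keyword, n) != 0)
		return -1;
	if (n == strlen(keyword))
		return 0;
	warnx("DEPRECATED: '%s' abbreviates '%s'", av, keyword);
	return 1;
}

int main(void)
{
	/* Constructed command-line tokens. */
	const char *tokens[] = { "show", "sh", "", "shown", "bytes", "by",
	                         "by_rabid_dogs", "kb" };
	size_t i;

	for (i = 0; i < sizeof(tokens) / sizeof(tokens[0]); i++) {
		const char *t = tokens[i];

		printf("%-14s old_prefix(show)=%d old_by=%d _substrcmp(show)=%d "
		       "_substrcmp2(by,bytes)=%d strict(show)=%d\n", t,
		       old_prefix_match(t, "show"), old_by_match(t),
		       substrcmp_demo(t, "show"),
		       substrcmp2_demo(t, "by", "bytes"),
		       keyword_match_strict(t, "show"));
	}
	return 0;
}
```

The run shows the two points the patch only partly addresses: an empty token satisfies both the old strncmp idiom and `_substrcmp()` (return 0, warning only), and "by_rabid_dogs" is still accepted by `_substrcmp2()` with a warning until the planned hard-error step; the stricter variant rejects both outright.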
From: Chuck Swiger
Organization: The Courts of Chaos
To: Brooks Davis
cc: freebsd-ipfw@freebsd.org
References: <20050106215923.GA31004@odin.ac.hmc.edu>
In-Reply-To: <20050106215923.GA31004@odin.ac.hmc.edu>
Subject: Re: [PATCH] deprecating abrevations in ipfw
X-List-Received-Date: Fri, 07 Jan 2005 12:32:00 -0000

Brooks Davis wrote:
> The ipfw program's code is littered with unmaintainable uses of strncmp
> to implement abbreviations. The following patch replaces those with
> two new functions which simplify the code and produce warnings that the
> syntax is deprecated. In a future release, those can be converted to
> hard errors and then finally the code can revert to using strcmp. The
> intention is to explicitly support a small number of abbreviations that
> actually make sense rather than allowing arbitrary shortening of some
> words.

Excellent, thanks for working on this.

For what it's worth, about 95% of this diff applied OK with an offset under 5-STABLE; but two pieces around:

*************** *** 1715,1736 **** if (ac == 0) { warnx("missing keyword to enable/disable\n"); - } else if (strncmp(*av, "firewall", strlen(*av)) == 0) { [ ...
]

...and:

*************** *** 2991,2997 **** have_log = (ipfw_insn *)c; cmd->len = F_INSN_SIZE(ipfw_insn_log); cmd->opcode = O_LOG; - if (ac && !strncmp(*av, "logamount", strlen(*av))) { ac--; av++;

...needed manual adjustment. The resulting ipfw binary seems to work OK with a simple client-oriented ruleset, but I haven't pushed it very hard yet.

Also, at the end of your message there was an unrelated diff...?

> ==== //depot/user/brooks/ports/slimserver/Makefile#20 - /home/brooks/working/freebsd/p4/ports/slimserver/Makefile ====
> @@ -26,7 +26,7 @@
> RUN_DEPENDS+= ${SLIM_CPAN_DEPS:S|^|${SITE_PERL}/|:S|:|:${PORTSDIR}/|}
[ ... ]

--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 13:20:30 2005
Message-ID: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l>
From: "heath, Chia Hui Chen"
Date: Sat, 8 Jan 2005 21:20:37 +0800
Subject: ipfw + MAC nothing happens?
X-List-Received-Date: Sat, 08 Jan 2005 13:20:30 -0000

Hello,

I use FreeBSD 5.2.1 as NAT.
I wanna limit the 443 port of a computer based on MAC address.
So I use ipfw.

# ipfw add 500 deny tcp from any to any 443 MAC any 00:e0:18:62:xx:xx

But nothing happens, can anybody tell me why?

Thanks for your response.

Best Regards,
- heath

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 14:43:28 2005
From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org
Date: Sat, 8 Jan 2005 15:43:09 +0100
References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l>
In-Reply-To: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l>
Message-Id: <200501081543.24318.4711@chello.at>
cc: "heath, Chia Hui Chen"
Subject: Re: ipfw + MAC nothing happens?
X-List-Received-Date: Sat, 08 Jan 2005 14:43:28 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 08 January 2005 14:20, heath, Chia Hui Chen wrote:
> Hello,
> I use FreeBSD 5.2.1 as NAT.
> I wanna limit the 443 port of a computer based on MAC address.
> So I use ipfw.
> # ipfw add 500 deny tcp from any to any 443 MAC any 00:e0:18:62:xx:xx
> But nothing happens, can anybody tell me why?

Did you set 'sysctl net.link.ether.ipfw=1'? And you mix up layer-2 and layer-3 filtering in your rule (read paragraph "PACKET FLOW" in 'man ipfw'). I think you need to do some magic with skipto rules to make this work:

ipfw add 500 skipto 1000 MAC any 00:e0:18:62:xx:xx
ipfw add 600 skipto 2000 MAC any any

# target of rule 500
ipfw add 1000 deny tcp from any to any 443

# target of rule 600
ipfw add 2000 ... [continue with your normal rules here]

It's only an idea how your problem could be solved, I never tested this.
Cheers,
ch

- --
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFB3/GM09WjGjvKU74RAtdgAJwPDu/r9mHU3UvosOub+Ayj7OS07gCfbx1v
l0UKt60Joj+ctj2pZzmPxB4=
=0rg0
-----END PGP SIGNATURE-----

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 16:14:34 2005
Message-ID: <00e401c4f59d$2a4804d0$f8813b3d@linuxlmx20ji5l>
From: "heath, Chia Hui Chen"
To: freebsd-ipfw@freebsd.org
References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l> <200501081543.24318.4711@chello.at>
Date: Sun, 9 Jan 2005 00:14:40 +0800
Subject: Re: ipfw + MAC nothing happens?

Thanks.
I tried it, but something is wrong.

00050 22484 11388448 divert 8668 ip from any to any via fxp0
00100  4414  2006448 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
00400    52     4053 skipto 1000 ip from any to any MAC any 00:e0:18:62:xx:xx
00600  7008  3465293 skipto 65000 ip from any to any MAC any any
01000    33     1584 deny tcp from any to any dst-port 443
65000 46408 25226370 allow ip from any to any
65535     0        0 deny ip from any to any

It looks like all my computers at the NAT are denied access to port 443.
Can you please tell me what's wrong?
Thank you again.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 16:46:47 2005
Message-ID: <010b01c4f5a1$aaa730c0$f8813b3d@linuxlmx20ji5l>
From: "heath, Chia Hui Chen"
To: "Christian Hiris" <4711@chello.at>
References: <007101c4f584$d9a7fd90$f8813b3d@linuxlmx20ji5l> <200501081543.24318.4711@chello.at> <00ca01c4f59a$c32e0bc0$f8813b3d@linuxlmx20ji5l> <200501081721.37351.4711@chello.at>
Date: Sun, 9 Jan 2005 00:46:53 +0800
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw + MAC nothing happens?

It's strange.
I use two computers to test.
One called A (00:e0:18:62:xx:xx)
another called B.

And the ruleset is the same as you said.
I tried rebooting and used A to connect to port 443 of one site.
IPFW output is below:
============================================================
00010    4     190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
00020 2273 1136464 skipto 50 ip from any to any MAC any any
00030    3     144 deny tcp from any to any dst-port 443
00050 3476 1000174 divert 8668 ip from any to any via fxp0
00100  420  109610 allow ip from any to any via lo0
00200    0       0 deny ip from any to 127.0.0.0/8
00300    0       0 deny ip from 127.0.0.0/8 to any
65000 8022 3082293 allow ip from any to any
65535    1      89 deny ip from any to any
============================================================
And then I tested it using computer B.
Output is as below:
============================================================
00010     4     190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
00020  4246 1931785 skipto 50 ip from any to any MAC any any
00030     6     288 deny tcp from any to any dst-port 443
00050  4699 1427090 divert 8668 ip from any to any via fxp0
00100   658  147594 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
65000 11953 4671673 allow ip from any to any
65535     1      89 deny ip from any to any
============================================================
It seems that rule 20 is active, but rule 30 is active, too.
What should I do next?
I'm sorry to bother you, but could you help me again?
Thanx!

----- Original Message -----
From: "Christian Hiris" <4711@chello.at>
To: "heath, Chia Hui Chen"
Sent: Sunday, January 09, 2005 12:21 AM
Subject: Re: ipfw + MAC nothing happens?

> On Saturday 08 January 2005 16:57, heath, Chia Hui Chen wrote:
> > Thanks.
> > I tried it, but something is wrong.
>
> I would try to put the respective rules on top:
>
> ipfw add 10 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> ipfw add 20 skipto 50 ip from any to any MAC any any
> ipfw add 30 deny tcp from any to any dst-port 443
>
> 00050 divert 8668 ip from any to any via fxp0
> 00100 ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> If this also doesn't work, please post your ipfw output again.
>
> -- 
> Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
> OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 21:15:26 2005
Message-ID: <41E04D6B.3020801@mr0vka.eu.org>
Date: Sat, 08 Jan 2005 22:15:23 +0100
From: Łukasz Bromirski
To: freebsd-ipfw@freebsd.org
Subject: ipfw/verrevpath and source MAC logging - reloaded

Hi,

I asked a few days ago (two weeks actually) about implementing something
like the `log-input' keyword on Cisco IOS routers: when the ACE with this
argument is hit, it also logs the source MAC address, which is very
valuable on multiaccess networks like Ethernet.

As nobody responded, I've dug through the sources for a moment, and with
my limited knowledge of mbufs I'm stuck at the following comment:

ip_fw2.c:
 * args->eh	The MAC header. It is non-null for a layer2
 *		packet, it is NULL for a layer-3 packet.

...so, is there some good soul on the list who will point me to where to
look for the MAC source address when we're dealing with a `layer 3 packet'
in ipfw nomenclature?
-- 
this space was intentionally left blank | Łukasz Bromirski
you can insert your favourite quote here | lukasz:bromirski,net

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 21:36:28 2005
From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org
Date: Sat, 8 Jan 2005 22:36:09 +0100
In-Reply-To: <010b01c4f5a1$aaa730c0$f8813b3d@linuxlmx20ji5l>
Message-Id: <200501082236.24796.4711@chello.at>
cc: "heath, Chia Hui Chen"
Subject: Re: ipfw + MAC nothing happens?

On Saturday 08 January 2005 17:46, heath, Chia Hui Chen wrote:
> It's strange.
> I use two computers to test.
> One called A (00:e0:18:62:xx:xx)
> another called B.
>
> And the ruleset is the same as you said.
> I tried rebooting and used A to connect to port 443 of one site.
> IPFW output is below:
> ============================================================

The diverted packets are not layer-2 packets, so they must be able to
bypass the layer-2 rules. In our case all diverted packets match rule 30,
because neither of the two layer-2 rules (10 and 20) applies. So please
add the rule below to your ruleset. If this doesn't work, I will try to
reproduce this on one of my boxes.
ipfw add 9 skipto 50 all from any to any not layer2

> 00010    4     190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> 00020 2273 1136464 skipto 50 ip from any to any MAC any any
> 00030    3     144 deny tcp from any to any dst-port 443
> 00050 3476 1000174 divert 8668 ip from any to any via fxp0
> 00100  420  109610 allow ip from any to any via lo0
> 00200    0       0 deny ip from any to 127.0.0.0/8
> 00300    0       0 deny ip from 127.0.0.0/8 to any
> 65000 8022 3082293 allow ip from any to any
> 65535    1      89 deny ip from any to any
> ============================================================
>
> And then I tested it using computer B.
> Output is as below:
>
> ============================================================
> 00010     4     190 skipto 30 ip from any to any MAC any 00:e0:18:62:xx:xx
> 00020  4246 1931785 skipto 50 ip from any to any MAC any any
> 00030     6     288 deny tcp from any to any dst-port 443
> 00050  4699 1427090 divert 8668 ip from any to any via fxp0
> 00100   658  147594 allow ip from any to any via lo0
> 00200     0       0 deny ip from any to 127.0.0.0/8
> 00300     0       0 deny ip from 127.0.0.0/8 to any
> 65000 11953 4671673 allow ip from any to any
> 65535     1      89 deny ip from any to any
> ============================================================
> It seems that rule 20 is active, but rule 30 is active, too.
> What should I do next?
> I'm sorry to bother you, but could you help me again?
> Thanx!

-- 
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jan 8 21:59:24 2005
From: Martes Wigglesworth
To: Christian Hiris <4711@chello.at>
In-Reply-To: <200501082236.24796.4711@chello.at>
Organization: Wiggtekmicro Corporation
Message-Id: <1105221596.683.387.camel@Mobile1.276NET>
Date: Sun, 09 Jan 2005 00:59:56 +0300
Reply-To: martes.wigglesworth@earthlink.net
cc: ipfw-mailings
cc: "heath, Chia Hui Chen"
Subject: Re: Viable FreeBSD Network Access Server projects...?

Also, to supply 56K service, would I be able to use the multi-modem
approach, or do I need to have the DSL with digital "modems" and all that
jazz? I am reading about the digital "RAS" setups, and all the info sites
that I am using seem to fall off just after the analog explanations. They
seem to have a good definition of the RAS system; however, they fail to
demonstrate how one may build one, using the digital cards, to service
analog dialup traffic.

-- 
Respectfully,
M.G.W.

System:
PCChips K7SOM MB
AMD K7 Pro 1800
256MB RAM
40GB HD
10/100 NIC
FreeBSD-5.2.1-RELEASE
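The skipto and layer-2 interaction discussed in the "ipfw + MAC nothing happens?" thread above, as an added illustration that is not code from FreeBSD or from any of the posters: a small Python model of ipfw first-match evaluation covering only the options the thread uses (protocol, destination port, the MAC source option, the layer2 option, and the allow/deny/skipto/divert actions). It reproduces why rule 30 catches every IP-layer packet when only rules 10 and 20 precede it, and what the proposed "ipfw add 9 skipto 50 all from any to any not layer2" changes. The MAC addresses are constructed stand-ins for the thread's redacted 00:e0:18:62:xx:xx; interface, address, and natd re-injection after a divert are deliberately not modelled, which is why the lo0 and 127.0.0.0/8 rules are left out.

```python
"""Toy model of ipfw first-match evaluation with skipto, MAC and layer2.

Added illustration, not FreeBSD code and not code from the thread. It
models only the options used in the thread; "via", address matching and
natd re-injection after a divert are left out on purpose.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the redacted 00:e0:18:62:xx:xx in the thread.
HOST_A_MAC = "00:e0:18:62:aa:bb"
HOST_B_MAC = "00:11:22:33:44:55"


@dataclass
class Rule:
    num: int
    action: str                      # "allow", "deny", "skipto", "divert"
    target: Optional[int] = None     # skipto rule number or divert port
    proto: str = "ip"                # "ip"/"all" matches any protocol
    dst_port: Optional[int] = None
    mac_src: Optional[str] = None    # "MAC any <src>"; None = option absent
    layer2: Optional[bool] = None    # True = "layer2", False = "not layer2"


@dataclass
class Packet:
    proto: str
    dst_port: int
    src_mac: str
    layer2: bool   # True for the Ethernet-layer pass (net.link.ether.ipfw=1)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", "all") and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.mac_src is not None:
        # The MAC option can only match while ipfw sees the Ethernet header,
        # i.e. in a layer-2 pass; an IP-layer (diverted) packet never matches.
        if not pkt.layer2:
            return False
        if rule.mac_src != "any" and rule.mac_src.lower() != pkt.src_mac.lower():
            return False
    if rule.layer2 is not None and rule.layer2 != pkt.layer2:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """Return (verdict, rule numbers that matched) for one pass through ipfw."""
    rules = sorted(rules, key=lambda r: r.num)
    trace: List[int] = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not matches(rule, pkt):
            i += 1
            continue
        trace.append(rule.num)
        if rule.action == "skipto":
            # Resume at the first rule numbered >= the skipto target.
            i = next((j for j, r in enumerate(rules) if r.num >= rule.target), len(rules))
            continue
        return rule.action, trace       # allow / deny / divert end this pass
    return "deny", trace                # implicit default rule 65535


def thread_ruleset(with_layer3_bypass: bool) -> List[Rule]:
    """Rules 10/20/30 from the thread plus the NAT divert and final rules."""
    rules = [
        Rule(10, "skipto", 30, mac_src=HOST_A_MAC),
        Rule(20, "skipto", 50, mac_src="any"),
        Rule(30, "deny", proto="tcp", dst_port=443),
        Rule(50, "divert", 8668),
        Rule(65000, "allow"),
        Rule(65535, "deny"),
    ]
    if with_layer3_bypass:
        # "ipfw add 9 skipto 50 all from any to any not layer2"
        rules.append(Rule(9, "skipto", 50, layer2=False))
    return rules


def https_from(mac: str, layer2: bool) -> Packet:
    """A TCP/443 packet as seen in either the layer-2 or the IP-layer pass."""
    return Packet(proto="tcp", dst_port=443, src_mac=mac, layer2=layer2)


if __name__ == "__main__":
    for fix in (False, True):
        rs = thread_ruleset(fix)
        print("layer-3 bypass rule " + ("present:" if fix else "absent:"))
        for name, mac in (("A", HOST_A_MAC), ("B", HOST_B_MAC)):
            for l2 in (True, False):
                verdict, trace = evaluate(rs, https_from(mac, l2))
                kind = "layer-2" if l2 else "IP-layer"
                print(f"  host {name} {kind} pass: {verdict} via {trace}")
```

Without rule 9, host B's layer-2 pass takes rule 20 to the divert as intended, but the IP-layer pass of the same connection matches neither MAC rule and falls straight into rule 30, which is the counter growth on rule 30 that heath saw while testing from B. With rule 9, IP-layer packets jump over the MAC block to rule 50, while host A's layer-2 pass still reaches the deny through rule 10.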