From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 19 11:02:56 2006
Date: Mon, 19 Jun 2006 11:02:55 GMT
Message-Id: <200606191102.k5JB2tGk064196@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2003/04/22] kern/51274  ipfw   [ipfw] [patch] ipfw2 create dynamic rules
f  [2003/04/24] kern/51341  ipfw   [ipfw] [patch] ipfw rule 'deny icmp from
o  [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o  [2004/11/19] kern/74104  ipfw   [ipfw] ipfw2/1 conflict not detected or r
o  [2005/03/13] conf/78762  ipfw   [ipfw] [patch] /etc/rc.d/ipfw should exce
o  [2005/05/11] bin/80913   ipfw   [patch] /sbin/ipfw2 silently discards MAC
o  [2005/11/08] kern/88659  ipfw   [modules] ipfw and ip6fw do not work prop
o  [2006/02/13] kern/93300  ipfw   ipfw pipe lost packets
o  [2006/03/29] kern/95084  ipfw   [ipfw] [patch] IPFW2 ignores "recv/xmit/v
o  [2006/05/19] kern/97504  ipfw   [ipfw] IPFW Rules bug
o  [2006/05/26] kern/97951  ipfw   [patch] ipfw does not tie interface detai
o  [2006/06/11] kern/98831  ipfw   [ipfw] ipfw has UDP hickups

12 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13] kern/26534  ipfw   [ipfw] Add an option to ipfw to log gid/u
o  [2002/12/10] kern/46159  ipfw   [ipfw] [patch] ipfw dynamic rules lifetim
o  [2003/02/11] kern/48172  ipfw   [ipfw] [patch] ipfw does not log size and
o  [2003/03/10] kern/49086  ipfw   [ipfw] [patch] Make ipfw2 log to differen
o  [2003/04/09] bin/50749   ipfw   [ipfw] [patch] ipfw2 incorrectly parses p
o  [2003/08/26] kern/55984  ipfw   [ipfw] [patch] time based firewalling sup
o  [2003/12/30] kern/60719  ipfw   [ipfw] Headerless fragments generate cryp
o  [2004/08/03] kern/69963  ipfw   [ipfw] install_state warning about alread
o  [2004/09/04] kern/71366  ipfw   [ipfw] "ipfw fwd" sometimes rewrites dest
o  [2004/10/22] kern/72987  ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [B
o  [2004/10/29] kern/73276  ipfw   [ipfw] [patch] ipfw2 vulnerability (parse
o  [2005/03/13] bin/78785   ipfw   [ipfw] [patch] ipfw verbosity locks machi
o  [2005/05/05] kern/80642  ipfw   [ipfw] [patch] ipfw small patch - new RUL
o  [2005/06/28] kern/82724  ipfw   [ipfw] [patch] Add setnexthop and default
o  [2005/10/05] kern/86957  ipfw   [ipfw] [patch] ipfw mac logging
o  [2005/10/07] kern/87032  ipfw   [ipfw] [patch] ipfw ioctl interface imple
o  [2006/01/16] kern/91847  ipfw   [ipfw] ipfw with vlanX as the device
o  [2006/02/16] kern/93422  ipfw   ipfw divert rule no longer works in 6.0 (
o  [2006/03/31] bin/95146   ipfw   [ipfw][patch]ipfw -p option handler is bo

19 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 21 09:58:55 2006
Date: Wed, 21 Jun 2006 11:41:04 +0200
From: Jeremie Le Hen
To: "Andrey V. Elsukov"
Cc: freebsd-net@freebsd.org, Julian Elischer, freebsd-ipfw@freebsd.org
Subject: Re: [fbsd] [patch] ipfw packet tagging
Message-ID: <20060621094104.GB7019@obiwan.tataz.chchile.org>
In-Reply-To: <44618B0A.60504@yandex.ru>

Hi Andrey,

On Wed, May 10, 2006 at 10:41:14AM +0400, Andrey V. Elsukov wrote:
> Hi, All!
>
> I have written a small patch for a packets
> tagging with ipfw.
>
> The description of OpenBSD packet tagging is here:
> http://www.openbsd.org/faq/pf/tagging.html
>
> An IPFW tags is not compatible with PF tags.
>
> This feature can be usable with some netgraph modules.
> We can create a netgraph node that marks packets with some tags
> and use this node with other nodes. IPFW can detect and filter
> packets with tags.
>
> Also we can mark packets before NAT and detect tagged packets
> after translation.
> NAT based on divert sockets do not allow this, but i think
> ng_nat can..
>
> Patches can be found here:
> http://butcher.heavennet.ru/patches/kernel/ipfw_tags/

Looking at the patch lets me see that you are using the generic mbuf
tags. This means the tag should be available along the packet's
trip through the kernel. Would it be possible to slightly modify
the routing code in order to make those tags a routing criteria ?

Julian Elischer also has a neat patch that modifies the ipfw table
but he hasn't provided it so far [1].

[1] http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010563.html

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 21 10:10:42 2006
Date: Wed, 21 Jun 2006 17:09:42 +0700
From: "Vadim Goncharov"
Organization: AVTF TPU Hostel
To: "Jeremie Le Hen", "Andrey V. Elsukov"
Cc: freebsd-net@freebsd.org, Julian Elischer, freebsd-ipfw@freebsd.org
Subject: Re: [fbsd] [patch] ipfw packet tagging
In-Reply-To: <20060621094104.GB7019@obiwan.tataz.chchile.org>

21.06.06 @ 16:41 Jeremie Le Hen wrote:

> Looking at the patch lets me see that you are using the generic mbuf
> tags. This means the tag should be available along the packet's
> trip through the kernel. Would it be possible to slightly modify
> the routing code in order to make those tags a routing criteria ?
>
> Julian Elischer also has a neat patch that modifies the ipfw table
> but he hasn't provided it so far [1].
>
> [1] http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010563.html

The ipfw packet tagging patch was committed to src tree and will be MFCed
to RELENG_6 about this weekend. I am currently working on ng_tag(4)
netgraph node which could deal with tags (see
http://antigreen.org/vadim/freebsd/ng_tag/) - I think, in theory it is
possible to tag-based routing inside netgraph onto netgraph interfaces.

-- 
WBR, Vadim Goncharov

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 21 10:20:43 2006
Date: Wed, 21 Jun 2006 14:20:38 +0400
From: "Andrey V. Elsukov"
To: Jeremie Le Hen
Cc: freebsd-net@freebsd.org, Julian Elischer, freebsd-ipfw@freebsd.org
Subject: Re: [fbsd] [patch] ipfw packet tagging
Message-ID: <44991D76.9010809@yandex.ru>
In-Reply-To: <20060621094104.GB7019@obiwan.tataz.chchile.org>

Jeremie Le Hen wrote:
> trip through the kernel. Would it be possible to slightly modify
> the routing code in order to make those tags a routing criteria ?

You can use tags with a fwd rules, like a:

# ipfw add fwd $gw_addr ip from any to any tagged $N

And as i know, oleg@ has committed a new patch that uses a tableargs
feature with ipfw_tags to CURRENT:
http://docs.freebsd.org/cgi/mid.cgi?200606150939.k5F9dMrB019958

-- 
WBR, Andrey V. Elsukov
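
Added example (not part of the thread and not code from the ipfw patch): a dry-run shell helper that prints the rule pair needed for the tag-based forwarding described in the last message, one rule that attaches the tag and the fwd rule that matches it. The rule numbers, addresses, tag value and function names are assumptions; the placement of the `tag` keyword after the action and the 1..65534 tag range follow ipfw(8), not the thread.

```sh
#!/bin/sh
# Added example: dry-run generator for a tag-then-forward ipfw rule pair.
# Assumptions (not from the thread): rule numbers 1000/2000, the sample
# addresses, the tag value and the helper names. Commands are only printed.

# ipfw(8) documents tag numbers as 1..65534; reject anything else so a typo
# cannot silently produce a rule that never matches.
valid_tag() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-numeric, or > 5 digits
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65534 ]
}

# tag_route_rules SRC_NET GATEWAY TAG
# Rule 1000 attaches TAG to inbound packets from SRC_NET; "count" does not
# terminate the rule search, so evaluation continues to rule 2000.
# Rule 2000 is the fwd rule from the thread: packets carrying TAG are sent
# to GATEWAY regardless of their addresses.
tag_route_rules() {
    src=$1
    gw=$2
    tag=$3
    if ! valid_tag "$tag"; then
        echo "invalid tag: $tag" >&2
        return 1
    fi
    echo "ipfw add 1000 count tag $tag ip from $src to any in"
    echo "ipfw add 2000 fwd $gw ip from any to any tagged $tag"
}

# Constructed sample values (RFC 5737 documentation ranges).
tag_route_rules 192.0.2.0/24 198.51.100.1 10
```

Because the tag is an mbuf tag, it exists only inside the kernel and is not carried on the wire, so rules on another host cannot match on it.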