From owner-freebsd-ipfw@FreeBSD.ORG Mon May 28 11:08:28 2007
X-Original-To: freebsd-ipfw@FreeBSD.org
Delivered-To: freebsd-ipfw@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3B31116A421 for ; Mon, 28 May 2007 11:08:28 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 1900713C45A for ; Mon, 28 May 2007 11:08:28 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l4SB8RVI068496 for ; Mon, 28 May 2007 11:08:27 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l4SB8QOk068492 for freebsd-ipfw@FreeBSD.org; Mon, 28 May 2007 11:08:26 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 28 May 2007 11:08:26 GMT
Message-Id: <200705281108.l4SB8QOk068492@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 28 May 2007 11:08:28 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
p bin/80913    ipfw       [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw       ipfw is seems to be broken to limit number of connecti

14 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw       [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw       [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw       [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] Too few dummynet queue slots
o kern/112561  ipfw       ipfw fwd does not work with some TCP packets

23 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue May 29 08:33:41 2007
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id CF5C816A47F for ; Tue, 29 May 2007 08:33:41 +0000 (UTC) (envelope-from jon.otterholm@ide.resurscentrum.se)
Received: from mail1.cil.se (mail1.cil.se [217.197.56.125]) by mx1.freebsd.org (Postfix) with ESMTP id 5720713C4B9 for ; Tue, 29 May 2007 08:33:41 +0000 (UTC) (envelope-from jon.otterholm@ide.resurscentrum.se)
Received: from [192.168.2.10] ([192.168.2.10]) by mail1.cil.se with Microsoft SMTPSVC(6.0.3790.1830); Tue, 29 May 2007 10:21:36 +0200
Message-ID: <465BE2E8.50908@ide.resurscentrum.se>
Date: Tue, 29 May 2007 10:23:04 +0200
From: Jon Otterholm
User-Agent: Thunderbird 1.5.0.9 (X11/20070131)
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 29 May 2007 08:21:36.0303 (UTC) FILETIME=[5F9E63F0:01C7A1CA]
Subject: Limit Ethernet Broadcast
X-List-Received-Date: Tue, 29 May 2007 08:33:41 -0000

Hi.

I am trying to limit traffic to the Ethernet broadcast address (ff:ff:ff:ff:ff:ff). I am running IPFW on an if_bridge(4) and don't want clients from member if's to be able to send Ethernet broadcasts to each other. The router itself, though, should be able to send traffic to the Ethernet broadcast address, and clients should be able to send traffic to the router destined for the Ethernet broadcast address.

According to the man pages I cannot use the "me" statement, as this only applies to IP addresses configured on the local system; my if's don't have IP addresses configured. Only the bridge itself has an IP address.

Config:

bridge0: flags=8843 mtu 1500
        inet X.X.X.X netmask 0xffffff80 broadcast X.X.X.X
        ether 00:00:00:00:00:00
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: em0.10 flags=1
        member: em0.20 flags=1

Summary (no valid IPFW config, just to illustrate):

allow from router to ff:ff:ff:ff:ff:ff
allow from em0.* to router MAC ff:ff:ff:ff:ff:ff any
deny from em0.* to em0.* MAC ff:ff:ff:ff:ff:ff any

Is this doable?

//Jon

From owner-freebsd-ipfw@FreeBSD.ORG Tue May 29 12:46:24 2007
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 142CF16A400; Tue, 29 May 2007 12:46:24 +0000 (UTC) (envelope-from bu7cher@yandex.ru)
Received: from smtp3.yandex.ru (smtp3.yandex.ru [213.180.200.14]) by mx1.freebsd.org (Postfix) with ESMTP id 2A19513C43E; Tue, 29 May 2007 12:46:22 +0000 (UTC) (envelope-from bu7cher@yandex.ru)
Received: from ns.kirov.so-cdu.ru ([77.72.136.145]:1014 "EHLO [127.0.0.1]" smtp-auth: "bu7cher" TLS-CIPHER: "DHE-RSA-AES256-SHA keybits 256/256 version TLSv1/SSLv3" TLS-PEER-CN1: ) by mail.yandex.ru with ESMTP id S4748447AbXE2MqH (ORCPT + 2 others); Tue, 29 May 2007 16:46:07 +0400
X-Comment: RFC 2476 MSA function at smtp3.yandex.ru logged sender identity as: bu7cher
Message-ID: <465C208D.4080205@yandex.ru>
Date: Tue, 29 May 2007 16:46:05 +0400
From: "Andrey V. Elsukov"
User-Agent: Mozilla Thunderbird 1.5 (FreeBSD/20051231)
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Content-Type: text/plain; charset=KOI8-R; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Maxim Konovalov , Luigi Rizzo , Oleg Bulyzhin , Julian Elischer
Subject: [ipfw][patch] manipulation with rules within a specified sets
X-List-Received-Date: Tue, 29 May 2007 12:46:24 -0000

Hi, All.

I've written a small patch for ipfw2:
http://butcher.heavennet.ru/patches/kernel/ipfw_sets/

It allows the following commands:

# ipfw set N show
    list all rules only from set N.

# ipfw set N delete M
    delete rules with number M from set N.

What do you think about it?

Several guys have asked me to implement a "delete rules by template" (text of rule), like the Cisco way (no ). What do you think about that?

--
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Wed May 30 02:10:48 2007
X-Original-To: ipfw@freebsd.org
Delivered-To: freebsd-ipfw@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 46B7416A46B for ; Wed, 30 May 2007 02:10:48 +0000 (UTC) (envelope-from lahcim@fajne.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.175]) by mx1.freebsd.org (Postfix) with ESMTP id 9D9BF13C455 for ; Wed, 30 May 2007 02:10:47 +0000 (UTC) (envelope-from lahcim@fajne.com)
Received: by ug-out-1314.google.com with SMTP id u2so82288uge for ; Tue, 29 May 2007 19:10:46 -0700 (PDT)
Received: by 10.82.177.3 with SMTP id z3mr13491596bue.1180489382815; Tue, 29 May 2007 18:43:02 -0700 (PDT)
Received: from ANTARESPC ( [72.14.240.140]) by mx.google.com with ESMTP id 35sm49302nfu.2007.05.29.18.42.58; Tue, 29 May 2007 18:43:00 -0700 (PDT)
From: "Michal Zygmunt"
To: "'Remko Lodder'"
References: <34515DB3553C4F9E94A9649ABFF9FE71@ANTARESPC> <465C9BF5.8040302@elvandar.org>
In-Reply-To: <465C9BF5.8040302@elvandar.org>
Date: Wed, 30 May 2007 03:42:48 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6000.16386
Thread-Index: AceiOL3TnHwQfaQdRGmi9Tmz6KsFiAAIpjVQ
Cc: freebsd-bugs@freebsd.org, ipfw@freebsd.org
Subject: RE: page fault while in kernel-mode (dummynet) - amd64
X-List-Received-Date: Wed, 30 May 2007 02:10:48 -0000

Hi Remko,

I am providing coredump: http://www.lahcim.net/dump.tgz

And some additional dmesg info that can be useful:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x28
fault code              = supervisor write data, page not present
instruction pointer     = 0x8:0xffffffff805841d5
stack pointer           = 0x10:0xffffffffb1c11b10
frame pointer           = 0x10:0xffffff004d65e200
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 43 (dummynet)
trap number             = 12
panic: page fault
cpuid = 0
Uptime: 5h38m15s
Dumping 2021 MB (4 chunks)
  chunk 0: 1MB (156 pages) ... ok
  chunk 1: 2021MB (517274 pages) 2005 1989 1973 1957 1941 1925 1909 1893 1877 1861 1845 1829 1813 1797 1781 1765 1749 1733 1717 1701 1685 1669 1653 1637 1621 1605 1589 1573 1557 1541 1525 1509 1493 1477 1461 1445 1429 1413 1397 1381 1365 1349 1333 1317 1301 1285 1269 1253 1237 1221 1205 1189 1173 1157 1141 1125 1109 1093 1077 1061 1045 1029 1013 997 981 965 949 933 917 901 885 869 853 837 821 805 789 773 757 741 725 709 693 677 661 645 629 613 597 581 565 549 533 517 501 485 469 453 437 421 405 389 373 357 341 325 309 293 277 261 245 229 213 197 181 165 149 133 117 101 85 69 53 37 21 5 ... ok
  chunk 2: 1MB (149 pages) ... ok
  chunk 3: 1MB (1 pages) ... ok
Dump complete
Automatic reboot in 16 seconds - press a key on the console to abort
Rebooting...
cpu_reset: Stopping other CPUs
Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.2-STABLE #1: Sun May 27 23:28:12 CEST 2007
    root@plustech.pl:/usr/obj/usr/src/sys/GTT
WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
WARNING: MPSAFE network stack disabled, expect reduced performance.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz (2404.82-MHz K8-class CPU)
  Origin = "GenuineIntel" Id = 0x6f6 Stepping = 6
  Features=0xbfebfbff
  Features2=0xe3bd,CX16,XTPR,>
  AMD Features=0x20100800
  AMD Features2=0x1
  Cores per package: 2
real memory = 2120462336 (2022 MB)
avail memory = 2034073600 (1939 MB)
ACPI APIC Table:
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID: 0
 cpu1 (AP): APIC ID: 1
ioapic0: Changing APIC ID to 2
ioapic0 irqs 0-23 on motherboard
wlan: mac acl policy registered
kbd1 at kbdmux0
netsmb_dev: loaded
ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
acpi0: on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
cpu0: on acpi0
acpi_perf0: on cpu0
acpi_perf0: failed in PERF_STATUS attach
device_attach: acpi_perf0 attach returned 6
acpi_perf0: on cpu0
acpi_perf0: failed in PERF_STATUS attach
device_attach: acpi_perf0 attach returned 6
acpi_throttle0: on cpu0
cpu1: on acpi0
acpi_perf1: on cpu1
acpi_perf1: failed in PERF_STATUS attach
device_attach: acpi_perf1 attach returned 6
acpi_perf1: on cpu1
acpi_perf1: failed in PERF_STATUS attach
device_attach: acpi_perf1 attach returned 6
acpi_throttle1: on cpu1
acpi_throttle1: failed to attach P_CNT
device_attach: acpi_throttle1 attach returned 6
acpi_button0: on acpi0
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
pci0: at device 2.0 (no driver attached)
pci0: at device 3.0 (no driver attached)
em0: port 0x30c0-0x30df mem 0x90500000-0x9051ffff,0x90524000-0x90524fff irq 20 at device 25.0 on pci0
em0: Ethernet address: 00:19:d1:79:cf:bf
em0: [GIANT-LOCKED]
uhci0: port 0x30a0-0x30bf irq 16 at device 26.0 on pci0
uhci0: [GIANT-LOCKED]
usb0: on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: port 0x3080-0x309f irq 21 at device 26.1 on pci0
uhci1: [GIANT-LOCKED]
usb1: on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
ehci0: mem 0x90525400-0x905257ff irq 18 at device 26.7 on pci0
ehci0: [GIANT-LOCKED]
usb2: EHCI version 1.0
usb2: companion controllers, 2 ports each: usb0 usb1
usb2: on ehci0
usb2: USB revision 2.0
uhub2: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
pci0: at device 27.0 (no driver attached)
pcib1: at device 28.0 on pci0
pci1: on pcib1
pcib2: at device 28.1 on pci0
pci2: on pcib2
atapci0: port 0x2018-0x201f,0x2024-0x2027,0x2010-0x2017,0x2020-0x2023,0x2000-0x200f mem 0x90300000-0x903001ff irq 17 at device 0.0 on pci2
ata2: on atapci0
ata3: on atapci0
pcib3: at device 28.2 on pci0
pci3: on pcib3
pcib4: at device 28.3 on pci0
pci4: on pcib4
pcib5: at device 28.4 on pci0
pci5: on pcib5
uhci2: port 0x3060-0x307f irq 23 at device 29.0 on pci0
uhci2: [GIANT-LOCKED]
usb3: on uhci2
usb3: USB revision 1.0
uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
uhci3: port 0x3040-0x305f irq 19 at device 29.1 on pci0
uhci3: [GIANT-LOCKED]
usb4: on uhci3
usb4: USB revision 1.0
uhub4: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub4: 2 ports with 2 removable, self powered
uhci4: port 0x3020-0x303f irq 18 at device 29.2 on pci0
uhci4: [GIANT-LOCKED]
usb5: on uhci4
usb5: USB revision 1.0
uhub5: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub5: 2 ports with 2 removable, self powered
ehci1: mem 0x90525000-0x905253ff irq 23 at device 29.7 on pci0
ehci1: [GIANT-LOCKED]
usb6: EHCI version 1.0
usb6: companion controllers, 2 ports each: usb3 usb4 usb5
usb6: on ehci1
usb6: USB revision 2.0
uhub6: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub6: 6 ports with 6 removable, self powered
pcib6: at device 30.0 on pci0
pci6: on pcib6
fxp0: port 0x1000-0x101f mem 0x90000000-0x90000fff,0x90100000-0x901fffff irq 21 at device 0.0 on pci6
miibus0: on fxp0
inphy0: on miibus0
inphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp0: Ethernet address: 00:08:c7:8c:96:06
fxp0: [GIANT-LOCKED]
atapci1: port 0x1038-0x103f,0x1044-0x1047,0x1030-0x1037,0x1040-0x1043,0x1020-0x102f irq 22 at device 1.0 on pci6
ata4: on atapci1
ata5: on atapci1
fwohci0: mem 0x90204000-0x902047ff,0x90200000-0x90203fff irq 19 at device 3.0 on pci6
fwohci0: [GIANT-LOCKED]
fwohci0: OHCI version 1.10 (ROM=0)
fwohci0: No. of Isochronous channels is 4.
fwohci0: EUI64 00:90:27:00:01:c9:fa:f9
fwohci0: Phy 1394a available S400, 2 ports.
fwohci0: Link S400, max_rec 2048 bytes.
firewire0: on fwohci0
fwe0: on firewire0
if_fwe0: Fake Ethernet address: 02:90:27:c9:fa:f9
fwe0: Ethernet address: 02:90:27:c9:fa:f9
sbp0: on firewire0
fwohci0: Initiate bus reset
fwohci0: BUS reset
fwohci0: node_id=0xc800ffc0, gen=1, CYCLEMASTER mode
firewire0: 1 nodes, maxhop <= 0, cable IRM = 0 (me)
firewire0: bus manager 0 (me)
isab0: at device 31.0 on pci0
isa0: on isab0
atapci2: port 0x3138-0x313f,0x3154-0x3157,0x3130-0x3137,0x3150-0x3153,0x3110-0x311f,0x3100-0x310f irq 19 at device 31.2 on pci0
ata6: on atapci2
ata7: on atapci2
pci0: at device 31.3 (no driver attached)
atapci3: port 0x3128-0x312f,0x314c-0x314f,0x3120-0x3127,0x3148-0x314b,0x30f0-0x30ff,0x30e0-0x30ef irq 19 at device 31.5 on pci0
ata8: on atapci3
ata9: on atapci3
ppc0: port 0x378-0x37f,0x778-0x77f irq 7 on acpi0
ppc0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
ppbus0: on ppc0
plip0: on ppbus0
lpt0: on ppbus0
lpt0: Interrupt-driven port
ppi0: on ppbus0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
orm0: at iomem 0xc0000-0xcafff,0xcb000-0xcbfff,0xcc000-0xcc7ff,0xce800-0xcf7ff on isa0
atkbdc0: at port 0x60,0x64 on isa0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
sc0: at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounters tick every 1.000 msec
fwe0f0: Ethernet address: 02:90:27:c9:fa:f9
fwe0f1: Ethernet address: 02:90:27:c9:fa:f9
fwe0f2: Ethernet address: 02:90:27:c9:fa:f9
fwe0f3: Ethernet address: 02:90:27:c9:fa:f9
fxp0f0: Ethernet address: 00:08:c7:8c:96:06
fxp0f1: Ethernet address: 00:08:c7:8c:96:06
fxp0f2: Ethernet address: 00:08:c7:8c:96:06
fxp0f3: Ethernet address: 00:08:c7:8c:96:06
em0f0: Ethernet address: 00:19:d1:79:cf:bf
em0f1: Ethernet address: 00:19:d1:79:cf:bf
em0f2: Ethernet address: 00:19:d1:79:cf:bf
em0f3: Ethernet address: 00:19:d1:79:cf:bf
IPv6 packet filtering initialized, default to accept, logging limited to 100 packets/entry
IPsec: Initialized Security Association Processing.
IP Filter: v4.1.13 initialized.  Default = pass all, Logging = enabled
ipfw2 (+ipv6) initialized, divert enabled, rule-based forwarding enabled, default to accept, logging limited to 100 packets/entry by default
ad8: 190782MB at ata4-master UDMA100
ad10: 76318MB at ata5-master UDMA100
ad12: 305245MB at ata6-master SATA150
SMP: AP CPU #1 Launched!

P.S. I added ipfw@freebsd.org as CC but I am not subscribed to that list, so I am not sure if this mail will be delivered properly to that list. If you need any other dumps, let me know.

Thanks,
Michal Zygmunt

-----Original Message-----
From: Remko Lodder [mailto:remko@elvandar.org]
Sent: Tuesday, May 29, 2007 11:33 PM
To: Michal Zygmunt
Cc: freebsd-bugs@freebsd.org
Subject: Re: page fault while in kernel-mode (dummynet) - amd64

Michal Zygmunt wrote:
> Hi,
>
> It seems that there is some problem with dummynet implementation and
> happened on amd64 build
>

hello,

The information you provided is not nearly enough to get started {sorry}; please see the developers handbook for more information, http://www.freebsd.org/doc/en/books/developers-handbook, on how to obtain the proper kernel dump that can be processed by our developers.

Also please consider using ipfw@FreeBSD.org for this report, since it would most likely get better attention there {special ipfw mailing list which seems more appropriate}.

Thanks for using FreeBSD!!

--
Kind regards,

Remko Lodder ** remko@elvandar.org
FreeBSD ** remko@FreeBSD.org

/* Quis custodiet ipsos custodes */

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 31 15:27:29 2007
X-Original-To: ipfw@freebsd.org
Delivered-To: freebsd-ipfw@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4E19B16A421 for ; Thu, 31 May 2007 15:27:29 +0000 (UTC) (envelope-from eksffa@freebsdbrasil.com.br)
Received: from capeta.freebsdbrasil.com.br (vrrp.freebsdbrasil.com.br [200.210.70.30]) by mx1.freebsd.org (Postfix) with SMTP id 7C72313C46C for ; Thu, 31 May 2007 15:27:28 +0000 (UTC) (envelope-from eksffa@freebsdbrasil.com.br)
Received: (qmail 41202 invoked from network); 31 May 2007 12:27:48 -0300
Received: by simscan 1.1.0 ppid: 41195, pid: 41196, t: 0.6168s scanners: clamav: 0.90.2/m:43/d:3087 spam: 3.1.1
X-Spam-Checker-Version: SpamAssassin: -last, FreeBSD Brasil LTDA rulesets: Yes
X-Spam-Status: No, hits=-2.2 required=3.7
Received: from unknown (HELO ?10.69.69.69?)
  (201.58.77.190) by capeta.freebsdbrasil.com.br with SMTP; 31 May 2007 12:27:47 -0300
Message-ID: <465EE95D.70709@freebsdbrasil.com.br>
Date: Thu, 31 May 2007 12:27:25 -0300
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
User-Agent: Thunderbird 1.5.0.9 (X11/20070131)
MIME-Version: 1.0
To: ipfw@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: IPFW/natd/prob load balancing
X-List-Received-Date: Thu, 31 May 2007 15:27:29 -0000

Hello,

I have a friend who wishes very much to do load balancing with IPFW and natd, and he doesn't want to do so using PF. Also, he needs arbitrary balancing, not round-robin, but instead to choose "X%" for one link and the rest to the other.

It can't be done for a number of reasons. First of all, natd can't run attached to more than one interface. Instead, we need to run natd(8) instances, which are independent. If natd instances could be aware of each other, maybe a hacker could add the balancing feature to it.

So I decided to give ipfw+prob a try, and try to help him out. I could get to some point, but got stuck, and can't help anymore.

The pseudo-firewall (just a fragment of rules) I am using is:

#
fw="/sbin/ipfw"
ife="vr0"
ife2="vr1"
ife2_gw="201.86.82.1"
ife2_me="201.86.82.2"
rede_i="10.84.0.0/16"
#
#
#
$fw -f flush
# link 2: natd instance on port 8669, chosen per packet with probability 0.3
$fw add prob 0.3 divert 8669 tcp from $rede_i to any out via $ife setup
$fw add prob 0.3 divert 8669 tcp from $rede_i to any out via $ife not setup
$fw add prob 0.3 divert 8669 { udp or icmp } from $rede_i to any out via $ife
# packets translated to vr1's address are pushed to link 2's gateway
$fw add fwd $ife2_gw all from $ife2_me to any out
$fw add divert 8669 all from any to any in via $ife2
# link 1: natd instance on port 8668 takes everything prob did not pick
$fw add divert 8668 tcp from $rede_i to any out via $ife setup
$fw add divert 8668 tcp from $rede_i to any out via $ife not setup
# "setup" is a tcp flag and never matches udp/icmp, so it is left off here
$fw add divert 8668 { udp or icmp } from $rede_i to any out via $ife
$fw add divert 8668 all from any to any in via $ife

And here the natd.conf:

instance default
unregistered_only yes
interface vr0
dynamic yes
use_sockets yes
same_ports yes
port 8668

instance link2
unregistered_only yes
interface vr1
dynamic yes
use_sockets yes
same_ports yes
port 8669

Why won't it work? Because the "divert" stuff is per-packet, and not session aware. On the other hand I cannot use keep-state in a divert rule. Also, I think the behavior of mixing keep-state and prob is not what we (I?) expect. I tried using "tag" and "not diverted" somewhere to identify packets that are already served from one link or the other, but no working idea occurred to me. Maybe any hacker or more experienced person can have a good suggestion?

I tried to help out on this question because for me it was a proof of concept that theoretically (conceptually) it would be possible to balance this way. In fact it is; it is working partially. But sooner or later the connection gets dropped (it is when prob does not apply, and the packet gets diverted to another natd). It doesn't work perfectly because of limitations of the tools, or maybe I am missing a good idea.

So, don't bother answering to point out all the reasons why it won't work ;) I am aware of all of them; also, I am aware of potential session issues (SSL sites, etc), where PF for example has a "sticky-address" solution. The thing is, maybe there is an easy solution that a hacker may think of, to allow natd or ipfw balancing of outgoing sessions.
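One way to get the session stickiness that Patrick's prob/divert rules lack, written here as an added example rather than anything posted in the thread: decide the link once per session with prob on a skipto rule that carries keep-state, and put check-state ahead of it so every later packet of the flow, in either direction, re-executes the same skipto (ipfw runs the action of the rule that created the dynamic entry). Interface names, addresses, the natd ports and the 30% share come from the post above; the rule numbers are assumptions, and the expectation that fwd after the link-2 divert sends the translated packet out via vr1 rests only on the post's report that its own fwd rule works. The script prints the commands unless RUN is set to the empty string.

```shell
#!/bin/sh
# Added example (not from the thread): session-sticky split of outbound
# traffic across two natd instances.  Dry-run by default: RUN=echo prints
# each ipfw command; RUN= applies them.
RUN="${RUN:-echo}"
fw() { $RUN ipfw "$@"; }

# Values taken from Patrick's post.
ife="vr0"; ife2="vr1"
ife2_gw="201.86.82.1"; ife2_me="201.86.82.2"
rede_i="10.84.0.0/16"
p_link2="0.3"        # share of *new sessions* that go through link 2 (natd port 8669)

load_rules() {
    fw -f flush
    # Inbound: undo NAT on whichever link the packet arrived on.  The reply
    # re-enters ipfw right after the divert rule, already carrying the
    # client's private address, so check-state below can match it.
    fw add 100 divert 8668 ip from any to any in via "$ife"
    fw add 110 divert 8669 ip from any to any in via "$ife2"
    # Existing sessions: run the action of the rule that created the entry,
    # i.e. the same skipto the first packet of the session took.
    fw add 200 check-state
    # New sessions: prob is evaluated once, on the packet that creates state.
    # If it fails, the next rule records the link-1 decision instead.
    fw add 300 prob "$p_link2" skipto 2000 tcp from "$rede_i" to any out via "$ife" setup keep-state
    fw add 310 skipto 1000 tcp from "$rede_i" to any out via "$ife" setup keep-state
    fw add 320 prob "$p_link2" skipto 2000 { udp or icmp } from "$rede_i" to any out via "$ife" keep-state
    fw add 330 skipto 1000 { udp or icmp } from "$rede_i" to any out via "$ife" keep-state
    # Outbound packets with no state (flows older than the ruleset, expired
    # entries) are NATed on link 1 rather than leaking private addresses.
    fw add 340 skipto 1000 ip from "$rede_i" to any out via "$ife"
    fw add 350 allow ip from any to any
    # Link 1: natd instance "default" (port 8668) on vr0, then the default route.
    fw add 1000 divert 8668 ip from "$rede_i" to any out via "$ife"
    fw add 1010 allow ip from any to any
    # Link 2: natd instance "link2" (port 8669) rewrites the source to vr1's
    # address; fwd then hands the packet to link 2's gateway.
    fw add 2000 divert 8669 ip from "$rede_i" to any out via "$ife"
    fw add 2010 fwd "$ife2_gw" ip from "$ife2_me" to any out
    fw add 2020 allow ip from any to any
}

# Number of rules that record a per-session decision (4 expected).
stateful_rule_count() { load_rules | grep -c 'keep-state'; }

load_rules
```

What prob decides is now the share of new sessions, not of packets, which is the "X%" split the post asks for. The failure mode moves rather than disappears: a TCP session idle longer than the dynamic-rule timeout loses its entry, falls through to rule 340 and is NATed by the link-1 instance, which is the same mid-session switch the original ruleset suffered on every packet, only now limited to idle flows.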
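The layer-2 ruleset Jon Otterholm asks about in "Limit Ethernet Broadcast" earlier in this digest, written out as an added example that nobody in the thread supplied. It assumes the if_bridge(4) knobs net.link.bridge.ipfw and net.link.bridge.ipfw_arp hand the IP and ARP frames the bridge forwards to ipfw with the destination member as the outgoing interface, that frames the router itself originates carry bridge0's own MAC as source (ROUTER_MAC is a placeholder for the address the post anonymises as 00:00:00:00:00:00), and that unicast between members is out of scope. Like the previous example it only prints the commands unless RUN is set to the empty string.

```shell
#!/bin/sh
# Added example (not from the thread): keep Ethernet broadcasts from being
# copied between if_bridge members while the router can still send and
# receive them.  RUN=echo (default) prints the commands; RUN= applies them.
RUN="${RUN:-echo}"
fw()  { $RUN ipfw "$@"; }
sys() { $RUN sysctl "$@"; }

MEMBERS="em0.10 em0.20"                           # from Jon's bridge0 config
ROUTER_MAC="${ROUTER_MAC:-00:00:00:00:00:00}"     # placeholder: bridge0's "ether" address
BCAST="ff:ff:ff:ff:ff:ff"

# Assumed knobs from if_bridge(4): without them bridged frames never reach ipfw.
enable_bridge_filtering() {
    sys net.link.bridge.ipfw=1
    sys net.link.bridge.ipfw_arp=1   # also needed if ARP broadcasts are to be stopped
}

load_rules() {
    # 100: the router's own broadcasts (source MAC = bridge MAC) always pass.
    fw add 100 allow ip from any to any MAC "$BCAST" "$ROUTER_MAC" layer2
    # 200: broadcasts arriving from a member are accepted on input, so the
    #      router itself still sees its clients' ARP requests and DHCP discovers.
    for m in $MEMBERS; do
        fw add 200 allow ip from any to any MAC "$BCAST" any in via "$m" layer2
    done
    # 300: ... but are never copied out to another member.
    for m in $MEMBERS; do
        fw add 300 deny ip from any to any MAC "$BCAST" any out via "$m" layer2
    done
    # 400: remaining layer-2 frames are not this ruleset's concern.
    fw add 400 allow ip from any to any layer2
}

# How many members the outbound deny covers (2 expected for Jon's bridge).
deny_rule_count() { load_rules | grep -c "deny ip from any to any MAC $BCAST any out via"; }

enable_bridge_filtering
load_rules
```

Two limits worth knowing before relying on this. Clients on the same member segment exchange broadcasts through the switch without the bridge ever seeing them, so only member-to-member forwarding is controlled here. And per the pfil_onlyip description in if_bridge(4), non-IP frames are either dropped or passed by the bridge without consulting the firewall, so broadcasts of other Ethernet protocols are outside what any ipfw rule on the bridge can decide.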