From owner-freebsd-net@FreeBSD.ORG Sun Sep 7 12:11:48 2008
Date: Sun, 7 Sep 2008 14:49:53 +0300 (EEST)
From: "Zin'kov Oleg"
To: freebsd-net@freebsd.org
Subject: Problem with process parallelization

Hello, freebsd-net mailing list.

We have a server with this configuration:
- 2 quad-core AMD Opteron processors;
- 4 GB RAM;
- NIC Intel Pro/1000 PT, Dual Port Server Adapter.

###########################################################
Problem: at some moments, as network activity grows, one of the
processors is fully loaded at 100%.
###########################################################

Kernel configuration:
FreeBSD atlantis.bg.net.ua 7.0-STABLE FreeBSD 7.0-STABLE #1: Tue Apr 1 15:06:30 EEST 2008 root@atlantis.bg.net.ua:/usr/obj/usr/src/sys/ATLANTIS amd64

/etc/sysctl.conf:
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
kern.ipc.somaxconn=16384
net.inet.ip.fastforwarding=1
net.inet.ip.maxfragpackets=2000
net.inet.ip.intr_queue_maxlen=1000
net.inet.ip.dummynet.hash_size=2048
net.inet.tcp.recvspace=65536
net.inet.udp.recvspace=65536
net.inet.raw.recvspace=32768
net.local.stream.recvspace=32768
net.local.dgram.recvspace=32768
net.local.stream.sendspace=32768
net.inet.tcp.sendspace=65536
net.inet.icmp.icmplim=500
dev.em.0.rx_int_delay=500
dev.em.0.tx_int_delay=500
dev.em.0.rx_abs_int_delay=800
dev.em.0.tx_abs_int_delay=800
dev.em.1.rx_int_delay=500
dev.em.1.tx_int_delay=500
dev.em.1.rx_abs_int_delay=800
dev.em.1.tx_abs_int_delay=800
net.link.ether.inet.max_age=600

/boot/loader.conf:
hw.em.rxd=4096
hw.em.txd=4096

/etc/rc.firewall:
82 pipes like these:
pipe 387 ip from any to 193.227.x.x in recv vlan10
pipe 388 ip from 193.227.x.x to any out xmit vlan10

#########################################
Kernel:

cpu             HAMMER
ident           ATLANTIS

# To statically compile in device wiring instead of /boot/device.hints
#hints          "GENERIC.hints"         # Default places to look for devices.

makeoptions     DEBUG=-g                # Build kernel with gdb(1) debug symbols

options         SCHED_ULE               # 4BSD scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
#options        SCTP                    # Stream Control Transmission Protocol
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_43TTY            # BSD 4.3 TTY compat [KEEP THIS!]
options         COMPAT_IA32             # Compatible with i386 binaries
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         COMPAT_FREEBSD6         # Compatible with FreeBSD6
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING  # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
options         STOP_NMI                # Stop CPUS using NMI instead of IPI
options         AUDIT                   # Security event auditing

# Make an SMP-capable kernel by default
options         SMP                     # Symmetric MultiProcessor Kernel

# Bus support.
device          acpi
device          pci

# ATA and ATAPI devices
device          ata
device          atadisk                 # ATA disk drives
options         ATA_STATIC_ID           # Static device numbering

# RAID controllers
device          twe                     # 3ware ATA RAID

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard

device          vga                     # VGA video card driver

device          splash                  # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

### COM
device          sio

# PCI Ethernet NICs.
device          em                      # Intel PRO/1000 adapter Gigabit Ethernet Card

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          bge                     # Broadcom BCM570xx Gigabit Ethernet
device          fxp                     # Intel EtherExpress PRO/100B (82557, 82558)

# Pseudo devices.
device          loop                    # Network loopback
device          random                  # Entropy device
device          ether                   # Ethernet support
device          pty                     # Pseudo-ttys (telnet etc)
device          vlan

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf                     # Berkeley packet filter

## Custom options
# NetGraph
options         NETGRAPH
options         NETGRAPH_ONE2MANY
options         NETGRAPH_NETFLOW
options         NETGRAPH_CISCO
options         NETGRAPH_ETHER
options         NETGRAPH_KSOCKET
options         NETGRAPH_SOCKET
options         NETGRAPH_TEE

options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_FORWARD
options         IPFIREWALL_VERBOSE_LIMIT=1000
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         DUMMYNET
options         HZ=1000
options         DEVICE_POLLING

#####################################################
Interfaces:
- em0
- em1
- bge0
- bge1
- vlan (61 virtual interfaces)

#####################################################
top -S

last pid:  9673;  load averages:  1.94,  1.75,  1.57    up 0+19:17:21  19:45:01
77 processes:  11 running, 49 sleeping, 17 waiting
CPU states:  0.0% user,  0.0% nice, 22.6% system,  0.3% interrupt, 77.0% idle
Mem: 198M Active, 410M Inact, 455M Wired, 228K Cache, 214M Buf, 2874M Free
Swap: 4096M Total, 4096M Free

  PID USERNAME  THR PRI NICE   SIZE    RES STATE  C    TIME    WCPU COMMAND
   11 root        1 171 ki31     0K    16K CPU7   7   19.0H 100.00% idle: cpu7
   16 root        1 171 ki31     0K    16K CPU2   2   18.9H 100.00% idle: cpu2
   17 root        1 171 ki31     0K    16K RUN    1   18.8H 100.00% idle: cpu1
   13 root        1 171 ki31     0K    16K CPU5   5   18.8H 100.00% idle: cpu5
   18 root        1 171 ki31     0K    16K CPU0   0  916:13 100.00% idle: cpu0
   12 root        1 171 ki31     0K    16K CPU6   6   18.8H  99.85% idle: cpu6
   35 root        1 -68    -     0K    16K CPU4   4  466:17  96.00% em1 taskq
   34 root        1 -68    -     0K    16K CPU3   3  482:01  90.38% em0 taskq
   15 root        1 171 ki31     0K    16K RUN    3  655:20  13.38% idle: cpu3
   14 root        1 171 ki31     0K    16K RUN    4  671:52   3.08% idle: cpu4

##############################################
19:45[p0]root@atlantis#~>netstat -w 1 -I em0
            input          (em0)           output
   packets  errs      bytes    packets  errs      bytes colls
     57381     0   36442155      68726     0   69126050     0
     56817     0   37480502      67656     0   66053093     0
     57847     0   39532712      68603     0   67037042     0
     56908     0   37197022      68924     0   68660108     0
     57107     0   37643382      68398     0   68113937     0
     56847     0   35944754      68394     0   67896267     0
     58754     0   39763361      68966     0   70029090     0
     58343     0   38301796      69635     0   69948678     0
^C
19:46[p0]root@atlantis#~>netstat -w 1 -I em1
            input          (em1)           output
   packets  errs      bytes    packets  errs      bytes colls
     67944     0   68877031      55376     0   36252905     0
     65943     0   66722222      54575     0   37710643     0
     64639     0   67149621      53298     0   35423539     0
     63988     0   65035759      51787     0   35402337     0
     63849     0   65968513      50727     0   31683425     0
     64301     0   66684912      50193     0   30917339     0

###################################################################

How can we solve this problem and parallelize em1:taskq kernel processes
between all 8 processors?

--
ISP BGNet 288-03-53 246-68-98
Zin'kov Oleg
System administrator

From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 01:02:14 2008
Date: Mon, 8 Sep 2008 01:02:14 GMT
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-i386@FreeBSD.org, freebsd-net@FreeBSD.org
Subject: Re: bin/127192: routed(8) removes the secondary alias IP of interface after 5 minutes - FreeBSD version 7.0

Old Synopsis: Routed remove the secondary alias IP of interface after 5 minutes - FreeBSD version 7.0
New Synopsis: routed(8) removes the secondary alias IP of interface after 5 minutes - FreeBSD version 7.0

Responsible-Changed-From-To: freebsd-i386->freebsd-net
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Sep 8 01:01:33 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=127192

From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 02:22:24 2008
Date: Mon, 8 Sep 2008 02:22:24 GMT
From: FreeBSD bugmaster
To: freebsd-net@FreeBSD.org
Subject: Current problem reports assigned to freebsd-net@FreeBSD.org

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker     Resp. Description
--------------------------------------------------------------------------------
o bin/127192  net   routed(8) removes the secondary alias IP of interface
f kern/127145 net   [wi]: prism (wi) driver crash at bigger traffic
o kern/127102 net   [wpi] Intel 3945ABG low throughput
o kern/127057 net   [udp] Unable to send UDP packet via IPv6 socket to IPv
o kern/127052 net   [if_bridge] Still bridge issues - with L2 protocols su
o kern/127050 net   [carp] ipv6 does not work on carp interfaces [regressi
o kern/126984 net   [carp][patch] add carp userland notifications via devc
o kern/126945 net   [carp] CARP interface destruction with ifconfig destro
o kern/126895 net   [patch] [ral] Add antenna selection (marked as TBD)
o kern/126874 net   [vlan]: Zebra problem if ifconfig vlanX destroy
o bin/126822  net   wpa_supplicant(8): WPA PSK does not work in adhoc mode
o kern/126742 net   [panic] kernel panic when sending file via ng_ubt(4)
o kern/126714 net   [carp] CARP interface renaming makes system no longer
o kern/126695 net   rtfree messages and network disruption upon use of if_
o kern/126688 net   [ixgbe] [patch] 1.4.7 ixgbe driver panic with 4GB and
f kern/126564 net   [ath] doesn't work with my PCI-E X1 wireless network a
o kern/126561 net   [nlm] [patch] NLM (rpclockd) RPC UNLOCK failure (stall
o kern/126475 net   [ath] [panic] ath pcmcia card inevitably panics under
o kern/126469 net   [fxp] [panic] fxp(4) related kernel panic
o kern/126339 net   [ipw] ipw driver drops the connection
o kern/126214 net   [ath] txpower problem with Atheros wifi card
o kern/126075 net   [in] Network: internet control accesses beyond end of
o bin/125922  net   [patch] Deadlock in arp(8)
o kern/125920 net   [arp] Kernel Routing Table loses Ethernet Link status
o kern/125845 net   [netinet] [patch] tcp_lro_rx() should make use of hard
o kern/125816 net   [carp] [bridge] carp stuck in init when using bridge i
f kern/125502 net   [ral] ifconfig ral0 scan produces no output unless in
o kern/125258 net   [socket] socket's SO_REUSEADDR option does not work
o kern/125239 net   [gre] kernel crash when using gre
f kern/125195 net   [fxp] fxp(4) driver failed to initialize device Intel
o kern/125181 net   [ndis] [patch] with wep enters kdb.enter.unknown, pani
o kern/125079 net   [ppp] host routes added by ppp with gateway flag (regr
o kern/124904 net   [fxp] EEPROM corruption with Compaq NC3163 NIC
o kern/124767 net   [iwi] Wireless connection using iwi0 driver (Intel 220
o kern/124753 net   [ieee80211] net80211 discards power-save queue packets
o kern/124609 net   [ipsec] [panic] ipsec 'remainder too big' panic with p
o kern/124341 net   [ral] promiscuous mode for wireless device ral0 looses
o kern/124160 net   [libc] connect(2) function loops indefinitely
o kern/124127 net   [msk] watchdog timeout (missed Tx interrupts) -- recov
o kern/124021 net   [ip6] [panic] page fault in nd6_output()
o bin/124004  net   ifconfig(8): Cannot assign both an IP and a MAC addres
o kern/123968 net   [rum] [panic] rum driver causes kernel panic with WPA.
p kern/123961 net   [vr] [patch] Allow vr interface to handle vlans
o kern/123892 net   [tap] [patch] No buffer space available
o kern/123881 net   [tcp] Turning on TCP blackholing causes slow localhost
o kern/123796 net   [ipf] FreeBSD 6.1+VPN+ipnat+ipf: port mapping does not
o bin/123633  net   ifconfig(8) doesn't set inet and ether address in one
o kern/123617 net   [tcp] breaking connection when client downloading file
o kern/123603 net   [tcp] tcp_do_segment and Received duplicate SYN
o kern/123559 net   [iwi] iwi periodically disassociates/associates [regre
o bin/123465  net   [ip6] route(8): route add -inet6 -interfac
o kern/123463 net   [ipsec] [panic] repeatable crash related to ipsec-tool
o kern/123429 net   [nfe] [hang] "ifconfig nfe up" causes a hard system lo
o kern/123347 net   [bge] bge1: watchdog timeout -- linkstate changed to D
o conf/123330 net   [nsswitch.conf] Enabling samba wins in nsswitch.conf c
o kern/123256 net   [wpi] panic: blockable sleep lock with wpi(4)
f kern/123200 net   [netgraph] Server failure due to netgraph mpd and dhcp
f kern/123172 net   [bce] Watchdog timeout problems with if_bce
o kern/123160 net   [ip] Panic and reboot at sysctl kern.polling.enable=0
o kern/123066 net   [ipsec] [panic] kernel trap with ipsec
o kern/122989 net   [swi] [panic] 6.3 kernel panic in swi1: net
o kern/122954 net   [lagg] IPv6 EUI64 incorrectly chosen for lagg devices
o kern/122928 net   [em] interface watchdog timeouts and stops receiving p
f kern/122839 net   [multicast] FreeBSD 7 multicast routing problem
f kern/122794 net   [lagg] Kernel panic after brings lagg(8) up if NICs ar
o kern/122780 net   [lagg] tcpdump on lagg interface during high pps wedge
o kern/122772 net   [em] em0 taskq panic, tcp reassembly bug causes radix
o kern/122743 net   [panic] vm_page_unwire: invalid wire count: 0
o kern/122697 net   [ath] Atheros card is not well supported
o kern/122685 net   It is not visible passing packets in tcpdump
o kern/122551 net   [bge] Broadcom 5715S no carrier on HP BL460c blade usi
o kern/122427 net   [apm] [panic] apm and mDNSResponder cause panic during
o kern/122319 net   [wi] imposible to enable ad-hoc demo mode with Orinoco
o kern/122295 net   [bge] bge Ierr rate increase (since 6.0R) [regression]
o kern/122290 net   [netgraph] [panic] Netgraph related "kmem_map too smal
f kern/122252 net   [ipmi] [bge] IPMI problem with BCM5704 (does not work
o kern/122195 net   [ed] Alignment problems in if_ed
o kern/122082 net   [in_pcb] NULL pointer dereference in in_pcbdrop
o kern/122068 net   [ppp] ppp can not set the correct interface with pptpd
o kern/122058 net   [em] [panic] Panic on em1: taskq
o kern/122033 net   [ral] [lor] Lock order reversal in ral0 at bootup [reg
o kern/121983 net   [fxp] fxp0 MBUF and PAE
o kern/121872 net   [wpi] driver fails to attach on a fujitsu-siemens s711
s kern/121774 net   [swi] [panic] 6.3 kernel panic in swi1: net
o kern/121706 net   [netinet] [patch] "rtfree: 0xc4383870 has 1 refs" emit
o kern/121624 net   [em] [regression] Intel em WOL fails after upgrade to
o kern/121555 net   [panic] Fatal trap 12: current process = 12 (swi1: net
o kern/121443 net   [gif] LOR icmp6_input/nd6_lookup
o kern/121437 net   [vlan] Routing to layer-2 address does not work on VLA
o kern/121298 net   [em] [panic] Fatal trap 12: page fault while in kernel
o kern/121257 net   [tcp] TSO + natd -> slow outgoing tcp traffic
o kern/121181 net   [panic] Fatal trap 3: breakpoint instruction fault whi
o kern/121080 net   [bge] IPv6 NUD problem on multi address config on bge0
o kern/120966 net   [rum] kernel panic with if_rum and WPA encryption
o kern/120566 net   [request]: ifconfig(8) make order of arguments more fr
o kern/120304 net   [netgraph] [patch] netgraph source assumes 32-bit time
o kern/120266 net   [panic] gnugk causes kernel panic when closing UDP soc
o kern/120232 net   [nfe] [patch] Bring in nfe(4) to RELENG_6
o kern/120130 net   [carp] [panic] carp causes kernel panics in any conste
o kern/119945 net   [rum] [panic] rum device in hostap mode, cause kernel
o kern/119791 net   [nfs] UDP NFS mount of aliased IP addresses from a Sol
o kern/119617 net   [nfs] nfs error on wpa network when reseting/shutdown
f kern/119516 net   [ip6] [panic] _mtx_lock_sleep: recursed on non-recursi
o kern/119432 net   [arp] route add -host -iface causes arp e
o kern/119361 net   [bge] bge(4) transmit performance problem
o kern/119345 net   [ath] Unsuported Atheros 5424/2424 and CPU speedstep n
o kern/119225 net   [wi] 7.0-RC1 no carrier with Prism 2.5 wifi card [regr
o bin/118987  net   ifconfig(8): ifconfig -l (address_family) does not wor
o kern/118880 net   [ip6] IP_RECVDSTADDR & IP_SENDSRCADDR not implemented
a kern/118879 net   [bge] [patch] bge has checksum problems on the 5703 ch
o kern/118727 net   [netgraph] [patch] [request] add new ng_pf module
o kern/117448 net   [carp] 6.2 kernel crash [regression]
o kern/117423 net   [vlan] Duplicate IP on different interfaces
o bin/117339  net   [patch] route(8): loading routing management commands
o kern/117271 net   [tap] OpenVPN TAP uses 99% CPU on releng_6 when if_tap
o kern/117043 net   [em] Intel PWLA8492MT Dual-Port Network adapter EEPROM
o kern/116837 net   [tun] [panic] [patch] ifconfig tunX destroy: panic
o kern/116747 net   [ndis] FreeBSD 7.0-CURRENT crash with Dell TrueMobile
o bin/116643  net   [patch] [request] fstat(1): add INET/INET6 socket deta
o kern/116328 net   [bge]: Solid hang with bge interface
o kern/116185 net   [iwi] if_iwi driver leads system to reboot
o kern/116077 net   [ip] [patch] 6.2-STABLE panic during use of multi-cast
o kern/115239 net   [ipnat] panic with 'kmem_map too small' using ipnat
o kern/114915 net   [patch] [pcn] pcn (sys/pci/if_pcn.c) ethernet driver f
o kern/114839 net   [fxp] fxp looses ability to speak with traffic
o kern/114714 net   [gre][patch] gre(4) is not MPSAFE and does not support
o kern/113842 net   [ip6] PF_INET6 proto domain state can't be cleared wit
o kern/112722 net   [udp] IP v4 udp fragmented packet reject
o kern/112686 net   [patm] patm driver freezes System (FreeBSD 6.2-p4) i38
o bin/112557  net   [patch] ppp(8) lock file should not use symlink name
o kern/112528 net   [nfs] NFS over TCP under load hangs with "impossible p
o kern/109733 net   [bge] bge link state issues [regression]
o kern/109470 net   [wi] Orinoco Classic Gold PC Card Can't Channel Hop
o kern/109308 net   [pppd] [panic] Multiple panics kernel ppp suspected [r
o bin/108895  net   pppd(8): PPPoE dead connections on 6.2 [regression]
o kern/108542 net   [bce]: Huge network latencies with 6.2-RELEASE / STABL
o conf/107035 net   [patch] bridge interface given in rc.conf not taking a
o kern/106438 net   [ipf] ipfilter: keep state does not seem to allow repl
o kern/106316 net   [dummynet] dummynet with multipass ipfw drops packets
s kern/105943 net   Network stack may modify read-only mbuf chain copies
o bin/105925  net   problems with ifconfig(8) and vlan(4) [regression]
o conf/102502 net   [patch] ifconfig name does't rename netgraph node in n
o kern/102035 net   [plip] plip networking disables parallel port printing
o kern/101948 net   [ipf] [panic] Kernel Panic Trap No 12 Page Fault - cau
o kern/100519 net   [netisr] suggestion to fix suboptimal network polling
o kern/98978  net   [ipf] [patch] ipfilter drops OOW packets under 6.1-Rel
o kern/95288  net   [pppd] [tty] [panic] if_ppp panic in sys/kern/tty_subr
o kern/95277  net   [netinet] [patch] IP Encapsulation mask_match() return
o kern/95267  net   packet drops periodically appear
o kern/93378  net   [tcp] Slow data transfer in Postfix and Cyrus IMAP (wo
f kern/92552  net   A serious bug in most network drivers from 5.X to 6.X
o kern/92090  net   [bge] bge0: watchdog timeout -- resetting
s kern/91777  net   [ipf] [patch] wrong behaviour with skip rule inside an
o kern/91594  net   [em] FreeBSD > 5.4 w/ACPI fails to detect Intel Pro/10
o kern/87521  net   [ipf] [panic] using ipfilter "auth" keyword leads to k
s kern/86920  net   [ndis] ifconfig: SIOCS80211: Invalid argument [regress
o kern/86103  net   [ipf] Illegal NAT Traversal in IPFilter
s kern/81147  net   [net] [patch] em0 reinitialization while adding aliase
o kern/79895  net   [ipf] 5.4-RC2 breaks ipfilter NAT when using netgraph
o bin/79228   net   [patch] extend arp(8) to be able to create blackhole r
o kern/78090  net   [ipf] ipf filtering on bridged packets doesn't work if
p kern/77913  net   [wi] [patch] Add the APDL-325 WLAN pccard to wi(4)
o kern/77273  net   [ipf] ipfilter breaks ipv6 statefull filtering on 5.3
s kern/77195  net   [ipf] [patch] ipfilter ioctl SIOCGNATL does not match
o kern/70904  net   [ipf] ipfilter ipnat problem with h323 proxy support
o kern/64556  net   [sis] if_sis short cable fix problems with NetGear FA3
s kern/60293  net   FreeBSD arp poison patch
o kern/54383  net   [nfs] [patch] NFS root configurations without dynamic
s bin/41647   net   ifconfig(8) doesn't accept lladdr along with inet addr
s kern/39937  net   ipstealth issue
a kern/38554  net   [patch] changing interface ipaddress doesn't seem to w
o kern/35442  net   [sis] [patch] Problem transmitting runts in if_sis dri
o kern/34665  net   [ipf] [hang] ipfilter rcmd proxy "hangs".
o kern/27474  net   [ipf] [ppp] Interactive use of user PPP and ipfilter c
o conf/23063  net   [PATCH] for static ARP tables in rc.network

175 problems total.

Bugs can be in one of several states:

o - open
A problem report has been submitted, no sanity checking performed.

a - analyzed
The problem is understood and a solution is being sought.

f - feedback
Further work requires additional information from the
originator or the community - possibly confirmation of
the effectiveness of a proposed solution.

p - patched
A patch has been committed, but some issues (MFC and / or
confirmation from originator) are still open.

r - repocopy
The resolution of the problem report is dependent on
a repocopy operation within the CVS repository which
is awaiting completion.

s - suspended
The problem is not being worked on, due to lack of information
or resources. This is a prime candidate
for somebody who is looking for a project to do.
If the problem cannot be solved at all,
it will be closed, rather than suspended.

c - closed
A problem report is closed when any changes have
been integrated, documented, and tested -- or when
fixing the problem is abandoned.

From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 02:23:18 2008
Date: Mon, 8 Sep 2008 02:23:17 GMT
From: FreeBSD bugmaster
To: net@FreeBSD.org
Subject: Current problem reports assigned to net@FreeBSD.org

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker     Resp. Description
--------------------------------------------------------------------------------
p docs/120945 net   [PATCH] ip6(4) man page lacks documentation for TCLASS

1 problem total.

From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 03:20:51 2008 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D8AE31065670; Mon, 8 Sep 2008 03:20:51 +0000 (UTC) (envelope-from thompsa@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id AEECA8FC16; Mon, 8 Sep 2008 03:20:51 +0000 (UTC) (envelope-from thompsa@FreeBSD.org) Received: from freefall.freebsd.org (thompsa@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m883Kpum015383; Mon, 8 Sep 2008 03:20:51 GMT (envelope-from thompsa@freefall.freebsd.org) Received: (from thompsa@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m883Kona015379; Mon, 8 Sep 2008 03:20:50 GMT (envelope-from thompsa) Date: Mon, 8 Sep 2008 03:20:50 GMT Message-Id: <200809080320.m883Kona015379@freefall.freebsd.org> To: rea-fbsd@codelabs.ru, freebsd-bridge-sep08@oldach.net, thompsa@FreeBSD.org, freebsd-net@FreeBSD.org 
From: thompsa@FreeBSD.org
Subject: Re: kern/127052: [if_bridge] Still bridge issues - with L2 protocols such as PPPoE

Synopsis: [if_bridge] Still bridge issues - with L2 protocols such as PPPoE

State-Changed-From-To: open->closed
State-Changed-By: thompsa
State-Changed-When: Mon Sep 8 03:19:43 UTC 2008
State-Changed-Why:
r180140 has been reverted for 6.4 and 7.1, thanks for testing and
reporting the problems.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127052

From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 10:29:20 2008
Date: Mon, 8 Sep 2008 19:29:12 +0900
From: Pyun YongHyeon
To: Milan Obuch
Cc: freebsd-net@freebsd.org
Subject: Re: MSI Wind Notebook's network interfaces
Message-ID: <20080908102912.GI77346@cdnetworks.co.kr>
References: <200809050945.09276.freebsd-net@dino.sk> <200809051643.52950.freebsd-net@dino.sk> <20080906004627.GA69867@cdnetworks.co.kr> <200809060803.53293.freebsd-net@dino.sk>
In-Reply-To: <200809060803.53293.freebsd-net@dino.sk>
Reply-To: pyunyh@gmail.com

On Sat, Sep 06, 2008 at 08:03:52AM +0200, Milan Obuch wrote:

[snip]

> It was my pleasure and I would like to express my thanks for your great work.
> If you will need in future some more testing with this hardware, just drop me
> a line. Just a side note, will this patch be MFS'ed into 7-STABLE in short
> timeframe?
>

As soon as I get re's approval I'll commit to 7-stable.

--
Regards,
Pyun YongHyeon

From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 10:33:00 2008
From: Milan Obuch
To: freebsd-net@freebsd.org, pyunyh@gmail.com
Date: Mon, 8 Sep 2008 12:32:42 +0200
Subject: Re: MSI Wind Notebook's network interfaces
Message-Id: <200809081232.43213.freebsd-net@dino.sk>
References: <200809050945.09276.freebsd-net@dino.sk> <200809060803.53293.freebsd-net@dino.sk> <20080908102912.GI77346@cdnetworks.co.kr>
In-Reply-To: <20080908102912.GI77346@cdnetworks.co.kr>

On Monday 08 September 2008 12:29:12 Pyun YongHyeon wrote:
> On Sat, Sep 06, 2008 at 08:03:52AM +0200, Milan Obuch wrote:
>
> [snip]
>
> > It was my pleasure and I would like to express my thanks for your great
> > work. If you will need in future some more testing with this hardware,
> > just drop me a line. Just a side note, will this patch be MFS'ed into
> > 7-STABLE in short timeframe?
>
> As soon as I get re's approval I'll commit to 7-stable.

Thanks, I can wait a bit with this one.

Regards,
Milan

From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 12:41:35 2008
From: Dmitriy <_pppp@mail.ru>
To: Zin'kov Oleg
Cc: freebsd-net@FreeBSD.org
Date: Mon, 08 Sep 2008 16:23:30 +0400
Subject: Re: Problem with process parallelization
In-Reply-To: <79dc33e3f3737f5beeadce88e96004bc.squirrel@webmail.bg.net.ua>
References: <79dc33e3f3737f5beeadce88e96004bc.squirrel@webmail.bg.net.ua>
Reply-To: Dmitriy <_pppp@mail.ru>

> Hello, freebsd-net mailing list.
>
> We have server such configuration:
> - 2 quadcore AMD Opteron processors;
> - 4 GB RAM;
> - NIC Intel Pro/1000 PT, Dual Port Server Adapter.
>
> ###########################################################
>
> Problem:
>
> in some moments of time, at the growth of the network activity, one of
> the processors is fully loaded at 100%.
>
> ###########################################################
>
> Kernel configuration:
>
> FreeBSD atlantis.bg.net.ua 7.0-STABLE FreeBSD 7.0-STABLE #1: Tue Apr 1
> 15:06:30 EEST 2008
> root@atlantis.bg.net.ua:/usr/obj/usr/src/sys/ATLANTIS amd64
>
> /etc/sysctl.conf:
>
> net.inet.tcp.blackhole=2
> net.inet.udp.blackhole=1
> kern.ipc.somaxconn=16384
> net.inet.ip.fastforwarding=1
> net.inet.ip.maxfragpackets=2000
> net.inet.ip.intr_queue_maxlen=1000
> net.inet.ip.dummynet.hash_size=2048
> net.inet.tcp.recvspace=65536
> net.inet.udp.recvspace=65536
> net.inet.raw.recvspace=32768
> net.local.stream.recvspace=32768
> net.local.dgram.recvspace=32768
> net.local.stream.sendspace=32768
> net.inet.tcp.sendspace=65536
> net.inet.icmp.icmplim=500
> dev.em.0.rx_int_delay=500
> dev.em.0.tx_int_delay=500
> dev.em.0.rx_abs_int_delay=800
> dev.em.0.tx_abs_int_delay=800
> dev.em.1.rx_int_delay=500
> dev.em.1.tx_int_delay=500
> dev.em.1.rx_abs_int_delay=800
> dev.em.1.tx_abs_int_delay=800
> net.link.ether.inet.max_age=600
>
> /boot/loader.conf:
>
> hw.em.rxd=4096
> hw.em.txd=4096
>
> /etc/rc.firewall:
>
> 82 pipes like these:
>
> pipe 387 ip from any to 193.227.x.x in recv vlan10
> pipe 388 ip from 193.227.x.x to any out xmit vlan10
>
>
> #########################################
> Kernel:
>
>
> cpu HAMMER
> ident ATLANTIS
>
> # To statically compile in device wiring instead of /boot/device.hints
> #hints "GENERIC.hints" # Default places to look for devices.
>
> makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
>
> options SCHED_ULE # 4BSD scheduler
> options PREEMPTION # Enable kernel thread preemption
> options INET # InterNETworking
> #options SCTP # Stream Control Transmission Protocol
> options FFS # Berkeley Fast Filesystem
> options SOFTUPDATES # Enable FFS soft updates support
> options UFS_ACL # Support for access control lists
> options UFS_DIRHASH # Improve performance on big directories
> options PROCFS # Process filesystem (requires PSEUDOFS)
> options PSEUDOFS # Pseudo-filesystem framework
> options GEOM_PART_GPT # GUID Partition Tables.
> options GEOM_LABEL # Provides labelization
> options COMPAT_43TTY # BSD 4.3 TTY compat [KEEP THIS!]
> options COMPAT_IA32 # Compatible with i386 binaries
> options COMPAT_FREEBSD4 # Compatible with FreeBSD4
> options COMPAT_FREEBSD5 # Compatible with FreeBSD5
> options COMPAT_FREEBSD6 # Compatible with FreeBSD6
> options KTRACE # ktrace(1) support
> options SYSVSHM # SYSV-style shared memory
> options SYSVMSG # SYSV-style message queues
> options SYSVSEM # SYSV-style semaphores
> options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
> options KBD_INSTALL_CDEV # install a CDEV entry in /dev
> options ADAPTIVE_GIANT # Giant mutex is adaptive.
> options STOP_NMI # Stop CPUS using NMI instead of IPI
> options AUDIT # Security event auditing
>
> # Make an SMP-capable kernel by default
> options SMP # Symmetric MultiProcessor Kernel
>
> # Bus support.
> device acpi
> device pci
>
> # ATA and ATAPI devices
> device ata
>
> device atadisk # ATA disk drives
> options ATA_STATIC_ID # Static device numbering
>
> # RAID controllers
> device twe # 3ware ATA RAID
>
> # atkbdc0 controls both the keyboard and the PS/2 mouse
> device atkbdc # AT keyboard controller
> device atkbd # AT keyboard
>
> device vga # VGA video card driver
>
> device splash # Splash screen and screen saver support
>
> # syscons is the default console driver, resembling an SCO console
> device sc
>
> ### COM
> device sio
>
> # PCI Ethernet NICs.
> device em # Intel PRO/1000 adapter Gigabit Ethernet Card
>
> # PCI Ethernet NICs that use the common MII bus controller code.
> # NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
> device miibus # MII bus support
> device bge # Broadcom BCM570xx Gigabit Ethernet
> device fxp # Intel EtherExpress PRO/100B (82557, 82558)
>
> # Pseudo devices.
> device loop # Network loopback
> device random # Entropy device
> device ether # Ethernet support
> device pty # Pseudo-ttys (telnet etc)
> device vlan
>
> # The `bpf' device enables the Berkeley Packet Filter.
> # Be aware of the administrative consequences of enabling this!
> # Note that 'bpf' is required for DHCP.
> device bpf # Berkeley packet filter
>
> ## Custom options
> # NetGraph
> options NETGRAPH
> options NETGRAPH_ONE2MANY
> options NETGRAPH_NETFLOW
> options NETGRAPH_CISCO
> options NETGRAPH_ETHER
> options NETGRAPH_KSOCKET
> options NETGRAPH_SOCKET
> options NETGRAPH_TEE
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_FORWARD
> options IPFIREWALL_VERBOSE_LIMIT=1000
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options DUMMYNET
> options HZ=1000
> options DEVICE_POLLING
> #####################################################
>
> Interfaces:
> - em0
> - em1
> - bge0
> - bge1
> - vlan (61 virtual interfaces)
>
> #####################################################
> top -S
>
> last pid: 9673; load averages: 1.94, 1.75, 1.57 up 0+19:17:21 19:45:01
> 77 processes: 11 running, 49 sleeping, 17 waiting
> CPU states: 0.0% user, 0.0% nice, 22.6% system, 0.3% interrupt, 77.0% idle
> Mem: 198M Active, 410M Inact, 455M Wired, 228K Cache, 214M Buf, 2874M Free
> Swap: 4096M Total, 4096M Free
>
>   PID USERNAME THR PRI NICE  SIZE  RES STATE C   TIME    WCPU COMMAND
>    11 root       1 171 ki31    0K  16K CPU7  7  19.0H 100.00% idle: cpu7
>    16 root       1 171 ki31    0K  16K CPU2  2  18.9H 100.00% idle: cpu2
>    17 root       1 171 ki31    0K  16K RUN   1  18.8H 100.00% idle: cpu1
>    13 root       1 171 ki31    0K  16K CPU5  5  18.8H 100.00% idle: cpu5
>    18 root       1 171 ki31    0K  16K CPU0  0 916:13 100.00% idle: cpu0
>    12 root       1 171 ki31    0K  16K CPU6  6  18.8H  99.85% idle: cpu6
>    35 root       1 -68    -    0K  16K CPU4  4 466:17  96.00% em1 taskq
>    34 root       1 -68    -    0K  16K CPU3  3 482:01  90.38% em0 taskq
>    15 root       1 171 ki31    0K  16K RUN   3 655:20  13.38% idle: cpu3
>    14 root       1 171 ki31    0K  16K RUN   4 671:52   3.08% idle: cpu4
>
>
> ##############################################
> 19:45[p0]root@atlantis#~>netstat -w 1 -I em0
>             input          (em0)           output
>    packets  errs      bytes    packets  errs      bytes colls
>      57381     0   36442155      68726     0   69126050     0
>      56817     0   37480502      67656     0   66053093     0
>      57847     0   39532712      68603     0   67037042     0
>      56908     0   37197022      68924     0   68660108     0
>      57107     0   37643382      68398     0   68113937     0
>      56847     0   35944754      68394     0   67896267     0
>      58754     0   39763361      68966     0   70029090     0
>      58343     0   38301796      69635     0   69948678     0
> ^C
> 19:46[p0]root@atlantis#~>netstat -w 1 -I em1
>             input          (em1)           output
>    packets  errs      bytes    packets  errs      bytes colls
>      67944     0   68877031      55376     0   36252905     0
>      65943     0   66722222      54575     0   37710643     0
>      64639     0   67149621      53298     0   35423539     0
>      63988     0   65035759      51787     0   35402337     0
>      63849     0   65968513      50727     0   31683425     0
>      64301     0   66684912      50193     0   30917339     0
>
>
>
> ###################################################################
>
>
> How can we solve this problem and parallelize em1:taskq kernel processes
> between all 8 processors?

# sysctl net.isr.direct=0

would add one more kernel thread to handle your network traffic.

Regards,
Dmitriy.

>
>
> --
> ISP BGNet
> 288-03-53
> 246-68-98
>
> Zin'kov Oleg
> System administrator
>

From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 14:43:45 2008
From: Vladimir Grebenschikov
To: Rui Paulo
Cc: freebsd-net@freebsd.org
Date: Mon, 08 Sep 2008 18:19:06 +0400
Subject: Re: cvs commit: src/sys/contrib/dev/ath COPYRIGHT README ah.h ah_desc.h ah_devid.h ah_soc.h version.h src/sys/contrib/dev/ath/public alpha-elf.hal.o.uu alpha-elf.inc alpha-elf.opt_ah.h ap30.hal.o.uu ap30.inc ap43.hal.o.uu ap43.inc ...
Message-Id: <1220883546.4169.13.camel@localhost>
In-Reply-To: <20080903165230.GA31289@alpha.local>
References: <200808280023.m7S0NN0B078088@repoman.freebsd.org> <1220382480.2493.5.camel@localhost> <20080903165230.GA31289@alpha.local>
Organization: SWsoft
Reply-To: vova@fbsd.ru

On Wed, 2008-09-03 at 17:52 +0100, Rui Paulo wrote:
> On Tue, Sep 02, 2008 at 11:08:00PM +0400, Vladimir Grebenschikov wrote:
> > On Thu, 28/08/2008 at 00:22 +0000, Rui Paulo wrote:
> > > rpaulo 2008-08-28 00:22:59 UTC
> >
> >
> > After that commit my wireless stopped working:
>
> Can you tell us your ath mac+phy rev?

ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
ath0: mem 0xedf00000-0xedf0ffff irq 17 at device 0.0 on pci3
ath0: [ITHREAD]
ath0: WARNING: using obsoleted if_watchdog interface
ath0: mac 10.3 phy 6.1 radio 10.2
ether 00:19:7d:8c:0b:44

--
Vladimir B. Grebenschikov
vova@fbsd.ru

From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 17:55:36 2008
Date: Mon, 8 Sep 2008 17:55:36 GMT
Message-Id: <200809081755.m88HtabS029431@freefall.freebsd.org>
To: oleg@FreeBSD.org, freebsd-net@FreeBSD.org, oleg@FreeBSD.org
From: oleg@FreeBSD.org
Subject: Re: kern/122295: [bge] bge Ierr rate increase (since 6.0R) [regression]

Synopsis: [bge] bge Ierr rate increase (since 6.0R) [regression]

Responsible-Changed-From-To: freebsd-net->oleg
Responsible-Changed-By: oleg
Responsible-Changed-When: Mon Sep 8 17:54:39 UTC 2008
Responsible-Changed-Why:
grab.

http://www.freebsd.org/cgi/query-pr.cgi?pr=122295

From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 20:00:20 2008
Date: Mon, 8 Sep 2008 22:30:21 +0300
From: Gleb Kurtsou
To: freebsd-net@freebsd.org
Cc: Max Laier, Brooks Davis, Andrew Thompson
Subject: [patch] gsoc project: improving layer2 filtering
Message-ID: <20080908193020.GA37900@rybacik>
Content-Type: multipart/mixed; boundary="4Ckj6UjgE2iN1+kY"

--4Ckj6UjgE2iN1+kY
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

[Max Laier and Brooks Davis CCed as suggested by Andrew Thompson]

This summer I was working on improving layer2 filtering (my mentor is
Andrew Thompson) as a google summer of code project. The project was
successfully completed. I'd like to ask for a public review of the patch
attached.

To apply patch (against -CURRENT):
cd /usr/src; patch -p0 < gk_l2filter.patch

Note, that the patch is not so clean: style(9) issues, stale comments,
some inaccurate variable names, etc. But it should be just fine for a
general review.

I'd like to continue working further to improve it, if community is
interested and if there is possibility for it to get committed.

I would appreciate any comments and suggestions.

Some additional details and examples of new functionality can be found
on my blog: http://blogs.freebsdish.org/gleb/

Project's perforce repository:
http://perforce.freebsd.org/changeList.cgi?CMD=changes&FSPC=//depot/projects/soc2008/gk%5fl2filter/...

To sum it up, following project goals were achieved (old todo list): general: * Implement pfil hooks for filtering ethernet packets * Add mtag containing source and destination layer2 addresses to every mbuf * Add per interface flags: l2filter, l2tag ipfw: * Update ipfw layer2 not to touch ip headers, but to use mentioned mtags to do MAC-IP filtering * Add src-ether and dst-ether ipfw options * Support mac addresses in ipfw lookup tables * Stateful filtering by mac addresses * Implement ARP filtering options * Update documentation pf: * Add stateful filtering against mac addresses. Make it part of present layer3 stateful filtering. * Extend pf's tables facility to contain layer2 address apart with layer3 address. * Support in userspace (pf.conf, pfctl). * Update documentation --4Ckj6UjgE2iN1+kY Content-Type: text/x-diff; charset=utf-8 Content-Disposition: attachment; filename="gk_l2filter.patch" diff -urN -x .hg -x .svn ../my/contrib/pf/man/pf.conf.5 ./contrib/pf/man/pf.conf.5 --- ../my/contrib/pf/man/pf.conf.5 2008-09-07 19:05:35.000000000 +0300 +++ ./contrib/pf/man/pf.conf.5 2008-09-07 22:24:44.000000000 +0300 @@ -123,6 +123,7 @@ rules and in the routing options of filter rules, but only for .Ar round-robin pools. +Table entry can contain optional ethernet address (MAC address). .Pp Tables can be defined with any of the following .Xr pfctl 8 @@ -1485,6 +1486,10 @@ This is especially useful with .Ar nat . .Pp +Optional ethernet address (MAC address) can be assigned to addresses +specified in CIDR notation (matching netblocks), as symbolic host names or +interface names. +.Pp Ports can be specified either by number or by name. For example, port 80 can be specified as .Em www . 
@@ -2044,6 +2049,10 @@ must be specified explicitly to apply options to a rule. .Pp .Bl -tag -width xxxx -compact +.It Ar ether +Enable layer 2 stateful filtering for a rule. +Source and destination ethernet addresses (MAC addresses) are used to +create a state entry and to check if packet matches any state entry. .It Ar max Aq Ar number Limits the number of concurrent states the rule may create. When this limit is reached, further packets matching the rule that would @@ -2735,6 +2744,9 @@ block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e to any port smtp +pass in on $bridge_if proto tcp from 10.1.1.1 ether 00:11:11:11:11:11 \e + to ($int_if) ether 00:22:22:22:22:22 keep state (ether) + # IPv6 # pass in/out all IPv6 traffic: note that we have to enable this in two # different ways, on both our physical interface and our tunnel @@ -2835,7 +2847,7 @@ tableopts = "persist" | "const" | "file" string | "{" [ tableaddr-list ] "}" tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec -tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ] +tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ] [ "ether" ether-addr ] tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex | interface-name | "self" @@ -2890,7 +2902,7 @@ redirhost = address [ "/" mask-bits ] routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")" address = ( interface-name | "(" interface-name ")" | hostname | - ipv4-dotted-quad | ipv6-coloned-hex ) + ipv4-dotted-quad | ipv6-coloned-hex ) [ "ether" ether-addr ] host-list = host [ [ "," ] host-list ] redirhost-list = redirhost [ [ "," ] redirhost-list ] routehost-list = routehost [ [ "," ] routehost-list ] 
@@ -2923,7 +2935,7 @@ [ "0x" ] number ) state-opts = state-opt [ [ "," ] state-opts ] -state-opt = ( "max" number | "no-sync" | timeout | +state-opt = ( "ether" | "max" number | "no-sync" | timeout | "source-track" [ ( "rule" | "global" ) ] | "max-src-nodes" number | "max-src-states" number | "max-src-conn" number | diff -urN -x .hg -x .svn ../my/contrib/pf/pfctl/parse.y ./contrib/pf/pfctl/parse.y --- ../my/contrib/pf/pfctl/parse.y 2008-09-07 19:05:35.000000000 +0300 +++ ./contrib/pf/pfctl/parse.y 2008-09-07 22:24:43.000000000 +0300 @@ -128,7 +128,7 @@ PF_STATE_OPT_MAX_SRC_STATES, PF_STATE_OPT_MAX_SRC_CONN, PF_STATE_OPT_MAX_SRC_CONN_RATE, PF_STATE_OPT_MAX_SRC_NODES, PF_STATE_OPT_OVERLOAD, PF_STATE_OPT_STATELOCK, - PF_STATE_OPT_TIMEOUT }; + PF_STATE_OPT_TIMEOUT, PF_STATE_OPT_ETHER }; enum { PF_SRCTRACK_NONE, PF_SRCTRACK, PF_SRCTRACK_GLOBAL, PF_SRCTRACK_RULE }; @@ -409,7 +409,7 @@ %} -%token PASS BLOCK SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO FLAGS +%token PASS BLOCK SCRUB RETURN IN OS OUT LOG QUICK ON ETHER FROM TO FLAGS %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE %token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF %token MINTTL ERROR ALLOWOPTS FASTROUTE FILENAME ROUTETO DUPTO REPLYTO NO LABEL @@ -442,7 +442,7 @@ %type icmp6_list icmp6_item %type fromto %type ipportspec from to -%type ipspec xhost host dynaddr host_list +%type ipspec ether xhost host dynaddr host_list %type redir_host_list redirspec %type route_host route_host_list routespec %type os xos os_list @@ -1906,6 +1906,10 @@ } r.timeout[o->data.timeout.number] = o->data.timeout.seconds; + break; + case PF_STATE_OPT_ETHER: + r.rule_flag |= PFRULE_ETHERSTATE; + break; } o = o->next; free(p); 
@@ -2471,12 +2475,38 @@ } ; -xhost : not host { +ether : /* empty */ { $$ = NULL; } + | ETHER ANY { $$ = NULL; } + | ETHER STRING { + $$ = host_ether($2); + free($2); + if ($$ == NULL) { + YYERROR; + } + } + ; + +xhost : not host ether { struct node_host *n; for (n = $2; n != NULL; n = n->next) n->not = $1; $$ = $2; + if ($3) { + for (n = $$; n != NULL; n = n->next) { + if (n->addr.type != PF_ADDR_ADDRMASK && + n->addr.type != PF_ADDR_DYNIFTL) { + yyerror("ethernet address can be specified only for host or interface name"); + free($3); + $3 = NULL; + YYERROR; + } else { + n->addr.addr_ether = $3->addr.addr_ether; + } + } + if ($3) + free($3); + } } | not NOROUTE { $$ = calloc(1, sizeof(struct node_host)); @@ -3198,6 +3228,14 @@ $$->next = NULL; $$->tail = $$; } + | ETHER { + $$ = calloc(1, sizeof(struct node_state_opt)); + if ($$ == NULL) + err(1, "state_opt_item: calloc"); + $$->type = PF_STATE_OPT_ETHER; + $$->next = NULL; + $$->tail = $$; + } | sourcetrack { $$ = calloc(1, sizeof(struct node_state_opt)); if ($$ == NULL) @@ -4894,6 +4932,7 @@ { "drop", DROP}, { "drop-ovl", FRAGDROP}, { "dup-to", DUPTO}, + { "ether", ETHER}, { "fastroute", FASTROUTE}, { "file", FILENAME}, { "fingerprints", FINGERPRINTS}, diff -urN -x .hg -x .svn ../my/contrib/pf/pfctl/pf_print_state.c ./contrib/pf/pfctl/pf_print_state.c --- ../my/contrib/pf/pfctl/pf_print_state.c 2008-09-07 19:05:35.000000000 +0300 +++ ./contrib/pf/pfctl/pf_print_state.c 2008-09-07 22:24:44.000000000 +0300 
@@ -119,6 +119,26 @@ if (bits != (af == AF_INET ? 32 : 128)) printf("/%d", bits); } + + putchar(' '); + print_addr_ether(&addr->addr_ether, 0); +} + +void +print_addr_ether(struct pf_addr_ether *addr, int verbose) +{ + if ((addr->flags & PFAE_CHECK) == 0) { + if (verbose) + printf("ether any"); + return; + } + if (addr->flags & PFAE_MULTICAST) { + printf("ether multicast"); + } else { + u_int8_t *ea = addr->octet; + printf("ether %02x:%02x:%02x:%02x:%02x:%02x", + ea[0], ea[1], ea[2], ea[3], ea[4], ea[5]); + } } void @@ -299,6 +319,28 @@ if (s->nat_src_node != NULL) printf(", sticky-address"); printf("\n"); + if (s->local_flags & PFSTATE_ETHER) { + int left_printed = 0; + + printf(" "); + if (s->lan.addr_ether.flags & PFAE_CHECK) { + print_addr_ether(&s->lan.addr_ether, 1); + if (s->direction == PF_OUT) + printf(" -> "); + else + printf(" <- "); + left_printed = 1; + } + if (!left_printed || (s->gwy.addr_ether.flags & PFAE_CHECK)) { + print_addr_ether(&s->gwy.addr_ether, 1); + if (s->direction == PF_OUT) + printf(" -> "); + else + printf(" <- "); + } + print_addr_ether(&s->ext.addr_ether, 1); + printf("\n"); + } } if (opts & PF_OPT_VERBOSE2) { printf(" id: %016llx creatorid: %08x%s\n", diff -urN -x .hg -x .svn ../my/contrib/pf/pfctl/pfctl.c ./contrib/pf/pfctl/pfctl.c --- ../my/contrib/pf/pfctl/pfctl.c 2008-09-07 19:05:35.000000000 +0300 +++ ./contrib/pf/pfctl/pfctl.c 2008-09-07 22:24:44.000000000 +0300 @@ -1902,8 +1902,8 @@ if (ioctl(dev, DIOCGETALTQS, &pa)) { if (errno == ENODEV) { - if (!(opts & PF_OPT_QUIET)) - fprintf(stderr, "No ALTQ support in kernel\n" + if (opts & PF_OPT_VERBOSE) + fprintf(stderr, "No ALTQ support in kernel. " "ALTQ related functions disabled\n"); return (0); } else diff -urN -x .hg -x .svn ../my/contrib/pf/pfctl/pfctl.h ./contrib/pf/pfctl/pfctl.h --- ../my/contrib/pf/pfctl/pfctl.h 2008-09-07 19:05:35.000000000 +0300 +++ ./contrib/pf/pfctl/pfctl.h 2008-09-07 22:24:44.000000000 +0300 
@@ -117,6 +117,7 @@ char *rate2str(double); void print_addr(struct pf_addr_wrap *, sa_family_t, int); +void print_addr_ether(struct pf_addr_ether *, int); void print_host(struct pf_state_host *, sa_family_t, int); void print_seq(struct pf_state_peer *); void print_state(struct pf_state *, int); diff -urN -x .hg -x .svn ../my/contrib/pf/pfctl/pfctl_parser.c ./contrib/pf/pfctl/pfctl_parser.c --- ../my/contrib/pf/pfctl/pfctl_parser.c 2008-09-07 19:05:36.000000000 +0300 +++ ./contrib/pf/pfctl/pfctl_parser.c 2008-09-07 22:24:44.000000000 +0300 @@ -46,6 +46,7 @@ #include #include #include +#include #include #include @@ -876,6 +877,8 @@ for (i = 0; !opts && i < PFTM_MAX; ++i) if (r->timeout[i]) opts = 1; + if (r->rule_flag & PFRULE_ETHERSTATE) + opts = 1; if (opts) { printf(" ("); if (r->max_states) { @@ -954,6 +957,12 @@ "inv.timeout" : pf_timeouts[j].name, r->timeout[i]); } + if (r->rule_flag & PFRULE_ETHERSTATE) { + if (!opts) + printf(", "); + printf("ether"); + opts = 0; + } printf(")"); } if (r->rule_flag & PFRULE_FRAGMENT) @@ -1419,6 +1428,35 @@ } struct node_host * +host_ether(const char *s) +{ + struct pf_addr_ether *addr; + struct node_host *h = NULL; + + if (strcmp(s, "any") == 0) { + return (NULL); + } + + h = calloc(1, sizeof(*h)); + if (h == NULL) + err(1, "host_ether: malloc"); + addr = &h->addr.addr_ether; + + if (strcmp(s, "multicast") == 0) { + addr->flags = PFAE_CHECK | PFAE_MULTICAST; + return (h); + } + if (!ether_aton_r(s, (struct ether_addr*)addr->octet)) { + fprintf(stderr, "can't parse ethernet address: %s\n", s); + free(h); + return (NULL); + } + addr->flags = PFAE_CHECK; + + return (h); +} + +struct node_host * host_if(const char *s, int mask) { struct node_host *n, *h = NULL; 
@@ -1606,16 +1644,39 @@ int append_addr(struct pfr_buffer *b, char *s, int test) { - char *r; + char *r, *rs, *p; struct node_host *h, *n; + struct pf_addr_ether addr_ether; int rv, not = 0; for (r = s; *r == '!'; r++) not = !not; - if ((n = host(r)) == NULL) { + if ((rs = strdup(r)) == NULL) + err(1, "append_addr: strdup"); + bzero(&addr_ether, sizeof (addr_ether)); + if ((p = strstr(rs, "ether")) != NULL) { + char *s_ether = p + strlen("ether"); + if (p > rs && isspace(*(p - 1)) && isspace(*s_ether++)) { + while (isspace(*s_ether)) + s_ether++; + h = host_ether(s_ether); + if (h) { + addr_ether = h->addr.addr_ether; + free(h); + h = NULL; + } + for (p--; p >= rs && isspace(*p); p--) + *p = '\0'; + } + } + if ((n = host(rs)) == NULL) { errno = 0; return (-1); } + for (h = n; h != NULL; h = h->next) + h->addr.addr_ether = addr_ether; + h = NULL; + free(rs); rv = append_addr_host(b, n, test, not); do { h = n; @@ -1661,6 +1722,7 @@ errno = EINVAL; return (-1); } + addr.pfra_ether = n->addr.addr_ether; if (pfr_buf_add(b, &addr)) return (-1); } while ((n = n->next) != NULL); diff -urN -x .hg -x .svn ../my/contrib/pf/pfctl/pfctl_parser.h ./contrib/pf/pfctl/pfctl_parser.h --- ../my/contrib/pf/pfctl/pfctl_parser.h 2008-09-07 19:05:36.000000000 +0300 +++ ./contrib/pf/pfctl/pfctl_parser.h 2008-09-07 22:24:44.000000000 +0300 @@ -296,6 +296,7 @@ struct node_host *ifa_exists(const char *); struct node_host *ifa_lookup(const char *, int); struct node_host *host(const char *); +struct node_host *host_ether(const char *); int append_addr(struct pfr_buffer *, char *, int); int append_addr_host(struct pfr_buffer *, diff -urN -x .hg -x .svn ../my/contrib/pf/pfctl/pfctl_radix.c ./contrib/pf/pfctl/pfctl_radix.c --- ../my/contrib/pf/pfctl/pfctl_radix.c 2008-09-07 19:05:36.000000000 +0300 +++ ./contrib/pf/pfctl/pfctl_radix.c 2008-09-07 22:24:44.000000000 +0300 
@@ -607,12 +607,20 @@ do { if (i < BUF_SIZE) buf[i++] = next_ch; - next_ch = fgetc(fp); - } while (!feof(fp) && !isspace(next_ch)); + /* leave only 1 space */ + if (isspace(next_ch)) { + while (isspace(next_ch) && next_ch != '\n' && !feof(fp)) + next_ch = fgetc(fp); + } else { + next_ch = fgetc(fp); + } + } while (!feof(fp) && next_ch != '\n'); if (i >= BUF_SIZE) { errno = EINVAL; return (-1); } + if (i > 0 && isspace(buf[i-1])) + i--; buf[i] = '\0'; return (1); } diff -urN -x .hg -x .svn ../my/contrib/pf/pfctl/pfctl_table.c ./contrib/pf/pfctl/pfctl_table.c --- ../my/contrib/pf/pfctl/pfctl_table.c 2008-09-07 19:05:36.000000000 +0300 +++ ./contrib/pf/pfctl/pfctl_table.c 2008-09-07 22:24:44.000000000 +0300 @@ -438,6 +438,8 @@ printf("%c %c%s", ch, (ad->pfra_not?'!':' '), buf); if (ad->pfra_net < hostnet) printf("/%d", ad->pfra_net); + putchar(' '); + print_addr_ether(&ad->pfra_ether, 0); if (rad != NULL && fback != PFR_FB_NONE) { if (strlcpy(buf, "{error}", sizeof(buf)) >= sizeof(buf)) errx(1, "print_addrx: strlcpy"); diff -urN -x .hg -x .svn ../my/sbin/ifconfig/ifconfig.8 ./sbin/ifconfig/ifconfig.8 --- ../my/sbin/ifconfig/ifconfig.8 2008-09-07 19:10:19.000000000 +0300 +++ ./sbin/ifconfig/ifconfig.8 2008-09-07 22:24:43.000000000 +0300 
@@ -240,6 +240,27 @@ If the Address Resolution Protocol is enabled, the host will perform normally, sending out requests and listening for replies. +.It Cm l2tag +Special tag containing source and destination layer 2 addresses will be +attached to every packet passing through interface. +Note that only incoming or outgoing packets may be tagged (but not both), it is +interface dependant. +.It Fl l2tag +Disable special packet tagging with layer 2 addresses. +.It Cm l2filter +Perform layer 2 filtering of packets passing through interface. +This option doesn't imply +.Cm l2tag +option. +With +.Cm l2filter +specified packets are passed to firewall as they were received from wire. +But +.Cm l2tag +just tags packet and usual layer 3 filtering is performed. +.It Fl l2filter +Disable layer 2 filtering. +Higher level filtering will perform normally. .It Cm broadcast (Inet only.) Specify the address to use to represent broadcasts to the diff -urN -x .hg -x .svn ../my/sbin/ifconfig/ifconfig.c ./sbin/ifconfig/ifconfig.c --- ../my/sbin/ifconfig/ifconfig.c 2008-09-07 19:10:19.000000000 +0300 +++ ./sbin/ifconfig/ifconfig.c 2008-09-07 22:24:43.000000000 +0300 @@ -772,7 +772,7 @@ #define IFFBITS \ "\020\1UP\2BROADCAST\3DEBUG\4LOOPBACK\5POINTOPOINT\6SMART\7RUNNING" \ "\10NOARP\11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX\15LINK0\16LINK1\17LINK2" \ -"\20MULTICAST\22PPROMISC\23MONITOR\24STATICARP\25NEEDSGIANT" +"\20MULTICAST\22PPROMISC\23MONITOR\24STATICARP\25NEEDSGIANT\26L2FILTER\27L2TAG" #define IFCAPBITS \ "\020\1RXCSUM\2TXCSUM\3NETCONS\4VLAN_MTU\5VLAN_HWTAGGING\6JUMBO_MTU\7POLLING" \ 
@@ -1010,6 +1010,10 @@ DEF_CMD("-monitor", -IFF_MONITOR, setifflags), DEF_CMD("staticarp", IFF_STATICARP, setifflags), DEF_CMD("-staticarp", -IFF_STATICARP, setifflags), + DEF_CMD("l2filter", IFF_L2FILTER, setifflags), + DEF_CMD("-l2filter", -IFF_L2FILTER, setifflags), + DEF_CMD("l2tag", IFF_L2TAG, setifflags), + DEF_CMD("-l2tag", -IFF_L2TAG, setifflags), DEF_CMD("rxcsum", IFCAP_RXCSUM, setifcap), DEF_CMD("-rxcsum", -IFCAP_RXCSUM, setifcap), DEF_CMD("txcsum", IFCAP_TXCSUM, setifcap), diff -urN -x .hg -x .svn ../my/sbin/ipfw/ipfw.8 ./sbin/ipfw/ipfw.8 --- ../my/sbin/ipfw/ipfw.8 2008-09-07 19:10:21.000000000 +0300 +++ ./sbin/ipfw/ipfw.8 2008-09-07 22:24:43.000000000 +0300 @@ -45,7 +45,7 @@ .Cm set show .Pp .Nm -.Cm table Ar number Cm add Ar addr Ns Oo / Ns Ar masklen Oc Op Ar value +.Cm table Ar number Cm add Ar addr Ns Oo / Ns Ar masklen Oc Oo Cm ether Ar etheraddr Oc Op Ar value .Nm .Cm table Ar number Cm delete Ar addr Ns Op / Ns Ar masklen .Nm @@ -332,9 +332,9 @@ to temporarily disable the firewall to regain access to the network, allowing you to fix the problem. .Sh PACKET FLOW -A packet is checked against the active ruleset in multiple places -in the protocol stack, under control of several sysctl variables. -These places and variables are shown below, and it is important to +A packet is checked against the active ruleset in multiple places in the +protocol stack, under control of several sysctl variables and interface flags. +These places and variables and flags are shown below, and it is important to have this picture in mind in order to design a correct ruleset. .Bd -literal -offset indent ^ to upper layers V 
@@ -342,11 +342,12 @@ +----------->-----------+ ^ V [ip(6)_input] [ip(6)_output] net.inet(6).ip(6).fw.enable=1 + | | (l2tag interface flag) | | ^ V - [ether_demux] [ether_output_frame] net.link.ether.ipfw=1 + [ether_demux] [ether_output_frame] l2filter interface flag | | - +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1 + +-->----[bridge]----->--+ l2filter interface flag ^ V | to devices | .Ed @@ -370,13 +371,39 @@ or .Cm ip6_input() . .Pp +Note that packets do +.Em not +contain IP header when invoked from +.Cm ether_demux() , ether_output_frame() +or +.Cm bridge . +.Pp +In order to filter by both MAC and IP headers interface flag +.Cm l2tag +should be used. +When enabled a special tag containing MAC header is appended to incoming +packets. Tag is used when +.Nm +invoked from +.Cm ip_input() +or +.Cm ip6_input() . +Note that as a rule only incoming packets are tagged, but +.Cm bridge +appends tag to outgoing packets too. +Therefore dynamic rules (like rules created by +.Cm keep-state +option) do not check specified MAC header options if there is no +.Cm l2tag +tag appended to packet. +.Pp Also note that each packet is always checked against the complete ruleset, irrespective of the place where the check occurs, or the source of the packet. If a rule contains some match patterns or actions which are not valid for the place of invocation (e.g.\& trying to match a MAC header within .Cm ip_input or -.Cm ip6_input ), +.Cm ip6_input ) Ns , the match pattern will not match, but a .Cm not operator in front of such patterns @@ -390,7 +417,7 @@ .Cm skipto rules can be useful here, as an example: .Bd -literal -offset indent -# packets from ether_demux or bdg_forward +# packets from ether_demux or bridge ipfw add 10 skipto 1000 all from any to any layer2 in # packets from ip_input ipfw add 10 skipto 2000 all from any to any not layer2 in 
@@ -401,7 +428,7 @@ .Ed .Pp (yes, at the moment there is no way to differentiate between -ether_demux and bdg_forward). +ether_demux and bridge). .Sh SYNTAX In general, each keyword or argument must be provided as a separate command line argument, with no leading or trailing @@ -1119,6 +1146,19 @@ You can have comment-only rules, which are listed as having a .Cm count action followed by the comment. +.It Cm arp-op Ar arp-op +Matches Address Resolution Protocol (ARP) packets whose +.Em Operation +field corresponds to one of those specified as argument. +.Ar arp-op +is specified in the same way as port numbers (i.e., one or more +comma-separated single values or ranges). You can use symbolic names +for known values such as +.Em request , reply , rev_request , rev_reply , inv_request , inv_reply . +Values can be entered as decimal or hexadecimal (if prefixed by 0x), and +they are always printed as hexadecimal (unless the +.Cm -N +option is used, in which case symbolic resolution will be attempted). .It Cm bridged Alias for .Cm layer2 . @@ -1130,6 +1170,25 @@ .It Cm diverted-output Matches only packets going from a divert socket back outward to the IP stack output for delivery. +.It Cm dst-arp Ar dst-arp +Matches Address Resolution Protocol (ARP) packets whose +.Em Target protocol address (TPA) +and optionally +.Em Target hardware address (THA) +fields correspond to entry in the lookup table +.Ar dst-arp . +See the +.Sx LOOKUP TABLES +section below for more information on lookup tables. +.It Cm dst-ether Ar dst-ether +Match packets with a given destination MAC address +.Ar dst-ether Ns , +specified as the +.Cm any +keyword (matching any MAC address), +.Cm muticast +keyword (matching multicast MAC addresses), or six groups of hex digits +separated by colons. .It Cm dst-ip Ar ip-address Matches IPv4 packets whose destination IP is one of the address(es) specified as argument. 
@@ -1141,6 +1200,19 @@ specified as argument. .It Cm established Matches TCP packets that have the RST or ACK bits set. +.It Cm ether-type Ar ether-type +Matches packets whose Ethernet Type field +corresponds to one of those specified as argument. +.Ar ether-type +is specified in the same way as +.Cm port numbers +(i.e., one or more comma-separated single values or ranges). +You can use symbolic names for known values such as +.Em vlan , ipv4, ipv6 . +Values can be entered as decimal or hexadecimal (if prefixed by 0x), +and they are always printed as hexadecimal (unless the +.Cm -N +option is used, in which case symbolic resolution will be attempted). .It Cm ext6hdr Ar header Matches IPv6 packets containing the extended header given by .Ar header . 
@@ -1345,57 +1417,6 @@ specified. Currently, only IPv4 flows are supported. -.It Cm { MAC | mac } Ar dst-mac src-mac -Match packets with a given -.Ar dst-mac -and -.Ar src-mac -addresses, specified as the -.Cm any -keyword (matching any MAC address), or six groups of hex digits -separated by colons, -and optionally followed by a mask indicating the significant bits. -The mask may be specified using either of the following methods: -.Bl -enum -width indent -.It -A slash -.Pq / -followed by the number of significant bits. -For example, an address with 33 significant bits could be specified as: -.Pp -.Dl "MAC 10:20:30:40:50:60/33 any" -.Pp -.It -An ampersand -.Pq & -followed by a bitmask specified as six groups of hex digits separated -by colons. -For example, an address in which the last 16 bits are significant could -be specified as: -.Pp -.Dl "MAC 10:20:30:40:50:60&00:00:00:00:ff:ff any" -.Pp -Note that the ampersand character has a special meaning in many shells -and should generally be escaped. -.Pp -.El -Note that the order of MAC addresses (destination first, -source second) is -the same as on the wire, but the opposite of the one used for -IP addresses. -.It Cm mac-type Ar mac-type -Matches packets whose Ethernet Type field -corresponds to one of those specified as argument. -.Ar mac-type -is specified in the same way as -.Cm port numbers -(i.e., one or more comma-separated single values or ranges). -You can use symbolic names for known values such as -.Em vlan , ipv4, ipv6 . -Values can be entered as decimal or hexadecimal (if prefixed by 0x), -and they are always printed as hexadecimal (unless the -.Cm -N -option is used, in which case symbolic resolution will be attempted). .It Cm proto Ar protocol Matches packets with the corresponding IP protocol. .It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar ipno | Ar any 
@@ -1444,6 +1465,40 @@ Matches TCP packets that have the SYN bit set but no ACK bit. This is the short form of .Dq Li tcpflags\ syn,!ack . +.It Cm state-options Ar spec +Specifies options for dynamic rule creation by +.Cm keep-state +or +.Cm limit . +.Ar spec +is comma separated list of options. +The supported options are: +.Bl -tag -width xxxxxxxx -compact +.It Cm ether +Enable layer 2 stateful filtering for a rule. +Source and destination ethernet addresses (MAC addresses) are used to +create a state entry (dynamic rule) and to check if packet matches any +state entry. +.El +.It Cm src-arp Ar src-arp +Matches Address Resolution Protocol (ARP) packets whose +.Em Sender protocol address (SPA) +and optionally +.Em Sender hardware address (SHA) +fields correspond to entry in the lookup table +.Ar src-arp . +See the +.Sx LOOKUP TABLES +section below for more information on lookup tables. +.It Cm src-ether Ar src-ether +Match packets with a given source MAC address +.Ar src-ether Ns , +specified as the +.Cm any +keyword (matching any MAC address), +.Cm muticast +keyword (matching multicast MAC addresses), or six groups of hex digits +separated by colons. .It Cm src-ip Ar ip-address Matches IPv4 packets whose source IP is one of the address(es) specified as an argument. @@ -1600,6 +1655,8 @@ is not specified, it defaults to 32. When looking up an IP address in a table, the most specific entry will match. +Optionally each entry specifies MAC address +.Pq Cm ether Ar etheraddr Ns . Associated with each entry is a 32-bit unsigned .Ar value , which can optionally be checked by a rule matching code. 
@@ -1733,6 +1790,13 @@ .Em dst are used here only to denote the initial match addresses, but they are completely equivalent afterwards). +If rule specifies ethernet source or destination address it is also used +by dynamic rule to match packets. +But note that packets without +.Cm l2tag +appended to them match against such dynamic rules, because +.Cm l2tag +usually presents only in incoming or outgoing packets, but not in both. Dynamic rules will be checked at the first .Cm check-state, keep-state or diff -urN -x .hg -x .svn ../my/sbin/ipfw/ipfw2.c ./sbin/ipfw/ipfw2.c --- ../my/sbin/ipfw/ipfw2.c 2008-09-07 19:10:21.000000000 +0300 +++ ./sbin/ipfw/ipfw2.c 2008-09-07 22:24:43.000000000 +0300 @@ -52,6 +52,7 @@ #include #include #include +#include #include #include /* def. of struct route */ #include @@ -188,6 +189,11 @@ { NULL, 0 } }; +static struct _s_x f_stateopts[] = { + { "ether", IP_FW_STATEOPT_ETHER}, + { NULL, 0 } +}; + static struct _s_x limit_masks[] = { {"all", DYN_SRC_ADDR|DYN_SRC_PORT|DYN_DST_ADDR|DYN_DST_PORT}, {"src-addr", DYN_SRC_ADDR}, @@ -202,6 +208,7 @@ * This is only used in this code. */ #define IPPROTO_ETHERTYPE 0x1000 +#define IPPROTO_ARPOP 0x1001 static struct _s_x ether_types[] = { /* * Note, we cannot use "-:&/" in the names because they are field @@ -229,6 +236,15 @@ { "ns", 0x0600 }, { NULL, 0 } }; +static struct _s_x arp_ops[] = { + { "request", ARPOP_REQUEST }, + { "reply", ARPOP_REPLY }, + { "rev_request", ARPOP_REVREQUEST }, + { "rev_reply", ARPOP_REVREPLY }, + { "inv_request", ARPOP_INVREQUEST }, + { "inv_reply", ARPOP_INVREPLY }, + { NULL, 0 } +}; static void show_usage(void); @@ -294,8 +310,10 @@ TOK_TCPACK, TOK_TCPWIN, TOK_ICMPTYPES, - TOK_MAC, - TOK_MACTYPE, + TOK_ETHER, + TOK_ETHER_SRC, + TOK_ETHER_DST, + TOK_ETHER_TYPE, TOK_VERREVPATH, TOK_VERSRCREACH, TOK_ANTISPOOF, @@ -344,6 +362,12 @@ TOK_FIB, TOK_SETFIB, + + TOK_STATEOPTS, + + TOK_ARP_OP, + TOK_ARP_SRC, + TOK_ARP_DST, }; struct _s_x dummynet_params[] = { 
@@ -475,9 +499,13 @@ { "dst-port", TOK_DSTPORT }, { "src-port", TOK_SRCPORT }, { "proto", TOK_PROTO }, - { "MAC", TOK_MAC }, - { "mac", TOK_MAC }, - { "mac-type", TOK_MACTYPE }, + { "MAC", TOK_ETHER }, + { "mac", TOK_ETHER }, + { "ether", TOK_ETHER }, + { "src-ether", TOK_ETHER_SRC }, + { "dst-ether", TOK_ETHER_DST }, + { "mac-type", TOK_ETHER_TYPE }, + { "ether-type", TOK_ETHER_TYPE }, { "verrevpath", TOK_VERREVPATH }, { "versrcreach", TOK_VERSRCREACH }, { "antispoof", TOK_ANTISPOOF }, @@ -494,6 +522,11 @@ { "dst-ip6", TOK_DSTIP6}, { "src-ipv6", TOK_SRCIP6}, { "src-ip6", TOK_SRCIP6}, + { "state-options", TOK_STATEOPTS }, + { "state-opts", TOK_STATEOPTS }, + { "arp-op", TOK_ARP_OP}, + { "src-arp", TOK_ARP_SRC}, + { "dst-arp", TOK_ARP_DST}, { "//", TOK_COMMENT }, { "not", TOK_NOT }, /* pseudo option */ @@ -639,6 +672,13 @@ printf("%s", s); else printf("0x%04x", port); + } else if (proto == IPPROTO_ARPOP) { + char const *s; + + if (do_resolv && (s = match_value(arp_ops, port)) ) + printf("%s", s); + else + printf("0x%04x", port); } else { struct servent *se = NULL; if (do_resolv) { @@ -659,7 +699,8 @@ {"ipid", O_IPID}, {"iplen", O_IPLEN}, {"ipttl", O_IPTTL}, - {"mac-type", O_MAC_TYPE}, + {"ether-type", O_ETHER_TYPE}, + {"arp-op", O_ARP_OP}, {"tcpdatalen", O_TCPDATALEN}, {"tagged", O_TAGGED}, {NULL, 0} @@ -700,6 +741,7 @@ * In particular: * proto == -1 disables the protocol check; * proto == IPPROTO_ETHERTYPE looks up an internal table + * proto == IPPROTO_ARPOP looks up an internal table * proto == matches the values there. * Returns *end == s in case the parameter is not found. */ @@ -743,6 +785,13 @@ *end = s1; return i; } + } else if (proto == IPPROTO_ARPOP) { + i = match_token(arp_ops, buf); + free(buf); + if (i != -1) { /* found */ + *end = s1; + return i; + } } else { struct protoent *pe = NULL; struct servent *se; 
@@ -1130,24 +1179,19 @@ } /* - * prints a MAC address/mask pair + * prints a ethernet (MAC) address/mask pair */ static void -print_mac(uint8_t *addr, uint8_t *mask) +print_ether(ipfw_ether_addr *addr) { - int l = contigmask(mask, 48); - - if (l == 0) + if ((addr->flags & IPFW_EA_CHECK) == 0) { printf(" any"); - else { + } else if (addr->flags & IPFW_EA_MULTICAST) { + printf(" multicast"); + } else { + u_char *ea = addr->octet; printf(" %02x:%02x:%02x:%02x:%02x:%02x", - addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]); - if (l == -1) - printf("&%02x:%02x:%02x:%02x:%02x:%02x", - mask[0], mask[1], mask[2], - mask[3], mask[4], mask[5]); - else if (l < 48) - printf("/%d", l); + ea[0], ea[1], ea[2], ea[3], ea[4], ea[5]); } } @@ -1417,7 +1461,7 @@ * The first argument is the list of fields we have, the second is * the list of fields we want to be printed. * - * Special cases if we have provided a MAC header: + * Special cases if we have provided a ethernet header: * + if the rule does not contain IP addresses/ports, do not print them; * + if the rule does not contain an IP proto, print "all" instead of "ip"; * @@ -1807,16 +1851,23 @@ if (cmd->len & F_NOT && cmd->opcode != O_IN) printf(" not"); switch(cmd->opcode) { - case O_MACADDR2: { - ipfw_insn_mac *m = (ipfw_insn_mac *)cmd; + case O_ETHER_SRC: { + ipfw_insn_ether *m = (ipfw_insn_ether *)cmd; - printf(" MAC"); - print_mac(m->addr, m->mask); - print_mac(m->addr + 6, m->mask + 6); + printf(" src-ether"); + print_ether(&m->ether); } break; - case O_MAC_TYPE: + case O_ETHER_DST: { + ipfw_insn_ether *m = (ipfw_insn_ether *)cmd; + + printf(" dst-ether"); + print_ether(&m->ether); + } + break; + + case O_ETHER_TYPE: print_newports((ipfw_insn_u16 *)cmd, IPPROTO_ETHERTYPE, cmd->opcode); break; 
@@ -1830,6 +1881,21 @@ printf(" fib %u", cmd->arg1 ); break; + case O_ARP_OP: + print_newports((ipfw_insn_u16 *)cmd, + IPPROTO_ARPOP, cmd->opcode); + break; + + case O_ARP_SRC_LOOKUP: + case O_ARP_DST_LOOKUP: + printf(" %s-arp table(%u", + cmd->opcode == O_ARP_DST_LOOKUP ? "dst" : "src", + ((ipfw_insn *)cmd)->arg1); + if (F_LEN((ipfw_insn *)cmd) == F_INSN_SIZE(ipfw_insn_u32)) + printf(",%u", *((ipfw_insn_u32 *)cmd)->d); + printf(")"); + break; + case O_IN: printf(cmd->len & F_NOT ? " out" : " in"); break; @@ -1997,6 +2063,10 @@ comment = (char *)(cmd + 1); break; + case O_STATEOPTS: + print_flags("state-options", cmd, f_stateopts); + break; + case O_KEEP_STATE: printf(" keep-state"); break; @@ -2720,7 +2790,7 @@ " redirect_port linkspec|redirect_proto linkspec}\n" "set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n" "set N {show|list|zero|resetlog|delete} [N{,N}] | flush\n" -"table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}\n" +"table N {add ip[/bits] [ether ETHERADDR] [value] | delete ip[/bits] | flush | list}\n" "\n" "RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n" "ACTION: check-state | allow | count | deny | unreach{,6} CODE |\n" 
@@ -2734,17 +2804,20 @@ "IP6ADDR: [not] { any | me | me6 | ip6/bits | IP6LIST }\n" "IP6LIST: { ip6 | ip6/bits }[,IP6LIST]\n" "IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]\n" +"ETHERADDR: { any | multicast | ether }\n" "OPTION_LIST: OPTION [OPTION_LIST]\n" -"OPTION: bridged | diverted | diverted-loopback | diverted-output |\n" +"OPTION: arp-op LIST | bridged | diverted | diverted-loopback |\n" +" {dst-arp|src-arp} table(t[,v]) | diverted-output |\n" " {dst-ip|src-ip} IPADDR | {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |\n" " {dst-port|src-port} LIST |\n" " estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |\n" " iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |\n" " ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n" " icmp6types LIST | ext6hdr LIST | flow-id N[,N] | fib FIB |\n" -" mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n" -" setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n" -" tcpdatalen LIST | verrevpath | versrcreach | antispoof\n" +" {src-ether|dst-ether} ETHERADDR | ether-type LIST | proto LIST |\n" +" {recv|xmit|via} {IF|IPADDR} | setup | {tcpack|tcpseq|tcpwin} NN |\n" +" tcpflags SPEC | tcpoptions SPEC | tcpdatalen LIST |\n" +" verrevpath | versrcreach | antispoof\n" ); exit(0); } 
@@ -4446,50 +4519,27 @@ } static void -get_mac_addr_mask(const char *p, uint8_t *addr, uint8_t *mask) +get_ether_addr(const char *p, ipfw_ether_addr *addr) { int i, l; - char *ap, *ptr, *optr; - struct ether_addr *mac; - const char *macset = "0123456789abcdefABCDEF:"; + struct ether_addr *ether; + const char *etherset = "0123456789abcdefABCDEF:"; + bzero(addr, sizeof(*addr)); if (strcmp(p, "any") == 0) { - for (i = 0; i < ETHER_ADDR_LEN; i++) - addr[i] = mask[i] = 0; return; } - - optr = ptr = strdup(p); - if ((ap = strsep(&ptr, "&/")) != NULL && *ap != 0) { - l = strlen(ap); - if (strspn(ap, macset) != l || (mac = ether_aton(ap)) == NULL) - errx(EX_DATAERR, "Incorrect MAC address"); - bcopy(mac, addr, ETHER_ADDR_LEN); - } else - errx(EX_DATAERR, "Incorrect MAC address"); - - if (ptr != NULL) { /* we have mask? */ - if (p[ptr - optr - 1] == '/') { /* mask len */ - l = strtol(ptr, &ap, 10); - if (*ap != 0 || l > ETHER_ADDR_LEN * 8 || l < 0) - errx(EX_DATAERR, "Incorrect mask length"); - for (i = 0; l > 0 && i < ETHER_ADDR_LEN; l -= 8, i++) - mask[i] = (l >= 8) ? 0xff: (~0) << (8 - l); - } else { /* mask */ - l = strlen(ptr); - if (strspn(ptr, macset) != l || - (mac = ether_aton(ptr)) == NULL) - errx(EX_DATAERR, "Incorrect mask"); - bcopy(mac, mask, ETHER_ADDR_LEN); - } - } else { /* default mask: ff:ff:ff:ff:ff:ff */ - for (i = 0; i < ETHER_ADDR_LEN; i++) - mask[i] = 0xff; + if (strcmp(p, "multicast") == 0) { + addr->flags = IPFW_EA_CHECK | IPFW_EA_MULTICAST; + return; } - for (i = 0; i < ETHER_ADDR_LEN; i++) - addr[i] &= mask[i]; - free(optr); + if (strspn(p, etherset) != strlen(p) || + (ether = ether_aton(p)) == NULL) + errx(EX_DATAERR, "Incorrect ethernet (MAC) address"); + + memcpy(addr->octet, ether, ETHER_ADDR_LEN); + addr->flags = IPFW_EA_CHECK; } /* 
@@ -4552,31 +4602,44 @@ * two microinstructions, and returns the pointer to the last one. */ static ipfw_insn * -add_mac(ipfw_insn *cmd, int ac, char *av[]) +add_ether(ipfw_insn *cmd, int opcode, char *arg) { - ipfw_insn_mac *mac; + ipfw_insn_ether *ether; - if (ac < 2) - errx(EX_DATAERR, "MAC dst src"); - - cmd->opcode = O_MACADDR2; - cmd->len = (cmd->len & (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_mac); + cmd->opcode = opcode; + cmd->len = (cmd->len & (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_ether); - mac = (ipfw_insn_mac *)cmd; - get_mac_addr_mask(av[0], mac->addr, mac->mask); /* dst */ - get_mac_addr_mask(av[1], &(mac->addr[ETHER_ADDR_LEN]), - &(mac->mask[ETHER_ADDR_LEN])); /* src */ + ether = (ipfw_insn_ether *)cmd; + get_ether_addr(arg, ðer->ether); return cmd; } static ipfw_insn * -add_mactype(ipfw_insn *cmd, int ac, char *av) +add_ether_src(ipfw_insn *cmd, int ac, char *av[]) +{ + if (ac < 1) + errx(EX_DATAERR, "src-ether src"); + + return add_ether(cmd, O_ETHER_SRC, av[0]); +} + +static ipfw_insn * +add_ether_dst(ipfw_insn *cmd, int ac, char *av[]) { if (ac < 1) - errx(EX_DATAERR, "missing MAC type"); + errx(EX_DATAERR, "dst-ether dst"); + + return add_ether(cmd, O_ETHER_DST, av[0]); +} + +static ipfw_insn * +add_ethertype(ipfw_insn *cmd, int ac, char *av) +{ + if (ac < 1) + errx(EX_DATAERR, "missing ether-type argument"); if (strcmp(av, "any") != 0) { /* we have a non-null type */ fill_newports((ipfw_insn_u16 *)cmd, av, IPPROTO_ETHERTYPE); - cmd->opcode = O_MAC_TYPE; + cmd->opcode = O_ETHER_TYPE; return cmd; } else return NULL; 
@@ -5585,16 +5648,31 @@ *av); break; - case TOK_MAC: - if (add_mac(cmd, ac, av)) { - ac -= 2; av += 2; + case TOK_ETHER: + if (ac >= 2 && add_ether_dst(cmd, ac, av)) { + /* + * XXX will not allocate next command here + */ + av[0] = strdup("src-ether"); } break; - case TOK_MACTYPE: - NEED1("missing mac type"); - if (!add_mactype(cmd, ac, *av)) - errx(EX_DATAERR, "invalid mac type %s", *av); + case TOK_ETHER_SRC: + if (add_ether_src(cmd, ac, av)) { + ac--; av++; + } + break; + + case TOK_ETHER_DST: + if (add_ether_dst(cmd, ac, av)) { + ac--; av++; + } + break; + + case TOK_ETHER_TYPE: + NEED1("missing ether type"); + if (!add_ethertype(cmd, ac, *av)) + errx(EX_DATAERR, "invalid ether type %s", *av); ac--; av++; break; @@ -5663,6 +5741,37 @@ ac--; av++; break; + case TOK_ARP_OP: + NEED1("missing arp operation"); + if (strcmp(*av, "any") != 0) { + if (!fill_newports((ipfw_insn_u16 *)cmd, *av, IPPROTO_ARPOP)) + errx(EX_DATAERR, "invalid arp operation %s", *av); + cmd->opcode = O_ARP_OP; + } + ac--; av++; + break; + + case TOK_STATEOPTS: + NEED1("missing argument for state-options"); + fill_flags(cmd, O_STATEOPTS, f_stateopts, *av); + if ((cmd->arg1 >> 8) & 0xff) /* clear flags specified */ + errx(EX_DATAERR, "invalid state-options %s", *av); + ac--; av++; + break; + + case TOK_ARP_SRC: + case TOK_ARP_DST: + NEED1("missing lookup table argument"); + fill_ip((ipfw_insn_ip *)cmd, *av); + if (cmd->opcode != O_IP_DST_LOOKUP) /* table */ + errx(EX_USAGE, "invalid lookup table %s\n", *av); + if (i == TOK_ARP_DST) + cmd->opcode = O_ARP_DST_LOOKUP; + else + cmd->opcode = O_ARP_SRC_LOOKUP; + ac--; av++; + break; + default: errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s); } 
@@ -5898,6 +6007,11 @@ if (lookup_host(*av, (struct in_addr *)&ent.addr) != 0) errx(EX_NOHOST, "hostname ``%s'' unknown", *av); ac--; av++; + bzero(&ent.ether_addr, sizeof(ent.ether_addr)); + if (do_add && ac >= 2 && strcmp(*av, "ether") == 0) { + get_ether_addr(av[1], &ent.ether_addr); + ac-=2; av+=2; + } if (do_add && ac) { unsigned int tval; /* isdigit is a bit of a hack here.. */ @@ -5946,20 +6060,28 @@ err(EX_OSERR, "getsockopt(IP_FW_TABLE_LIST)"); for (a = 0; a < tbl->cnt; a++) { unsigned int tval; + char tval_buf[128]; + char tether_buf[128]; tval = tbl->ent[a].value; if (do_value_as_ip) { - char tbuf[128]; - strncpy(tbuf, inet_ntoa(*(struct in_addr *) - &tbl->ent[a].addr), 127); /* inet_ntoa expects network order */ tval = htonl(tval); - printf("%s/%u %s\n", tbuf, tbl->ent[a].masklen, - inet_ntoa(*(struct in_addr *)&tval)); + strlcpy(tval_buf, inet_ntoa(*(struct in_addr *) + &tval), sizeof(tval_buf)); + } else { + snprintf(tval_buf, sizeof(tval_buf), "%u", tval); + } + if (tbl->ent[a].ether_addr.flags & IPFW_EA_CHECK) { + uint8_t *x = (uint8_t *)&tbl->ent[a].ether_addr; + snprintf(tether_buf, sizeof(tether_buf), "ether %02x:%02x:%02x:%02x:%02x:%02x ", + x[0], x[1], x[2], x[3], x[4], x[5]); } else { - printf("%s/%u %u\n", - inet_ntoa(*(struct in_addr *)&tbl->ent[a].addr), - tbl->ent[a].masklen, tval); + tether_buf[0] = 0; } + + printf("%s/%u %s%s\n", + inet_ntoa(*(struct in_addr *)&tbl->ent[a].addr), + tbl->ent[a].masklen, tether_buf, tval_buf); } } else errx(EX_USAGE, "invalid table command %s", *av); diff -urN -x .hg -x .svn ../my/share/man/man4/if_bridge.4 ./share/man/man4/if_bridge.4 --- ../my/share/man/man4/if_bridge.4 2008-09-07 19:11:06.000000000 +0300 +++ ./share/man/man4/if_bridge.4 2008-09-07 22:24:44.000000000 +0300 
@@ -171,6 +171,14 @@ to only allow IP packets to pass (subject to firewall rules), set to .Li 0 to unconditionally pass all non-IP Ethernet frames. +.It Va net.link.bridge.pfil_layer2_arp +Set to +.Li 1 +to enable layer2 ARP filtering with +.Xr pfil 9 , +set to +.Li 0 +to disable it. .It Va net.link.bridge.pfil_member Set to .Li 1 @@ -192,36 +200,6 @@ Set to .Li 0 to disable this feature. -.It Va net.link.bridge.ipfw -Set to -.Li 1 -to enable layer2 filtering with -.Xr ipfirewall 4 , -set to -.Li 0 -to disable it. -This needs to be enabled for -.Xr dummynet 4 -support. -When -.Va ipfw -is enabled, -.Va pfil_bridge -and -.Va pfil_member -will be disabled so that IPFW -is not run twice; these can be re-enabled if desired. -.It Va net.link.bridge.ipfw_arp -Set to -.Li 1 -to enable layer2 ARP filtering with -.Xr ipfirewall 4 , -set to -.Li 0 -to disable it. -Requires -.Va ipfw -to be enabled. .El .Pp ARP and REVARP packets are forwarded without being filtered and others diff -urN -x .hg -x .svn ../my/sys/contrib/pf/net/pf.c ./sys/contrib/pf/net/pf.c --- ../my/sys/contrib/pf/net/pf.c 2008-09-07 19:12:21.000000000 +0300 +++ ./sys/contrib/pf/net/pf.c 2008-09-07 22:24:44.000000000 +0300 @@ -337,6 +337,8 @@ kif, &key, PF_LAN_EXT); \ if (*state == NULL || (*state)->timeout == PFTM_PURGE) \ return (PF_DROP); \ + if (!pf_state_match_addr_ether(*state, pd, direction)) \ + return (PF_DROP); \ if (direction == PF_OUT && \ (((*state)->rule.ptr->rt == PF_ROUTETO && \ (*state)->rule.ptr->direction == PF_OUT) || \ 
@@ -701,6 +703,35 @@ } } +static __inline int +pf_state_match_addr_ether(struct pf_state *state, struct pf_pdesc *pd, int direction) +{ + struct pf_addr_ether *src, *dst; + +#ifdef __FreeBSD__ + if ((state->local_flags & PFSTATE_ETHER) == 0) + return (1); +#else + /* XXX only FreeBSD is supported */ + if ((state->rule.ptr->rule_flag & PFRULE_ETHERSTATE) == 0) + return (1); +#endif + + if (direction == PF_IN) { + src = &state->ext.addr_ether; + dst = &state->gwy.addr_ether; + } else { + src = &state->lan.addr_ether; + dst = &state->ext.addr_ether; + } + + if (pf_match_addr_ether(src, &pd->src_ether, 1) && + pf_match_addr_ether(dst, &pd->dst_ether, 1)) + return (1); + + return (0); +} + void pf_init_threshold(struct pf_threshold *threshold, u_int32_t limit, u_int32_t seconds) @@ -2108,6 +2139,26 @@ } int +pf_match_addr_ether(struct pf_addr_ether *want, struct pf_addr_ether *a, int match_empty) +{ + static struct pf_addr_ether mask = { + .octet = { 0xff, 0xff, 0xff, 0xff, 0xff,0xff }, + .flags = 0 + }; + if (want == NULL || (want->flags & PFAE_CHECK) == 0) + return (1); + if (a == NULL || (a->flags & PFAE_CHECK) == 0) + return (match_empty); + + if (want->flags & PFAE_MULTICAST) { + return (ETHER_IS_MULTICAST(a->octet)); + } +#define EA_CMP(x) (*((u_int64_t*)(x)) & *((u_int64_t*)&mask)) + return (EA_CMP(want) == EA_CMP(a)); +#undef EA_CMP +} + +int pf_match(u_int8_t op, u_int32_t a1, u_int32_t a2, u_int32_t p) { switch (op) { 
@@ -3315,14 +3366,14 @@ r = r->skip[PF_SKIP_AF].ptr; else if (r->proto && r->proto != IPPROTO_TCP) r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&r->src.addr, saddr, af, - r->src.neg, kif)) + else if (PF_MISMATCHAW_L2(&r->src.addr, saddr, &pd->src_ether, + af, r->src.neg, kif)) r = r->skip[PF_SKIP_SRC_ADDR].ptr; else if (r->src.port_op && !pf_match_port(r->src.port_op, r->src.port[0], r->src.port[1], th->th_sport)) r = r->skip[PF_SKIP_SRC_PORT].ptr; - else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, - r->dst.neg, NULL)) + else if (PF_MISMATCHAW_L2(&r->dst.addr, daddr, &pd->dst_ether, + af, r->dst.neg, NULL)) r = r->skip[PF_SKIP_DST_ADDR].ptr; else if (r->dst.port_op && !pf_match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], th->th_dport)) @@ -3506,11 +3557,17 @@ s->proto = IPPROTO_TCP; s->direction = direction; s->af = af; +#ifdef __FreeBSD__ + if (r->rule_flag & PFRULE_ETHERSTATE) + s->local_flags |= PFSTATE_ETHER; +#endif if (direction == PF_OUT) { PF_ACPY(&s->gwy.addr, saddr, af); s->gwy.port = th->th_sport; /* sport */ + s->gwy.addr_ether = pd->src_ether; PF_ACPY(&s->ext.addr, daddr, af); s->ext.port = th->th_dport; + s->ext.addr_ether = pd->dst_ether; if (nr != NULL) { PF_ACPY(&s->lan.addr, &pd->baddr, af); s->lan.port = bport; @@ -3521,8 +3578,10 @@ } else { PF_ACPY(&s->lan.addr, daddr, af); s->lan.port = th->th_dport; + s->lan.addr_ether = pd->dst_ether; PF_ACPY(&s->ext.addr, saddr, af); s->ext.port = th->th_sport; + s->ext.addr_ether = pd->src_ether; if (nr != NULL) { PF_ACPY(&s->gwy.addr, &pd->baddr, af); s->gwy.port = bport; 
@@ -3737,14 +3796,14 @@ r = r->skip[PF_SKIP_AF].ptr; else if (r->proto && r->proto != IPPROTO_UDP) r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&r->src.addr, saddr, af, - r->src.neg, kif)) + else if (PF_MISMATCHAW_L2(&r->src.addr, saddr, &pd->src_ether, + af, r->src.neg, kif)) r = r->skip[PF_SKIP_SRC_ADDR].ptr; else if (r->src.port_op && !pf_match_port(r->src.port_op, r->src.port[0], r->src.port[1], uh->uh_sport)) r = r->skip[PF_SKIP_SRC_PORT].ptr; - else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, - r->dst.neg, NULL)) + else if (PF_MISMATCHAW_L2(&r->dst.addr, daddr, &pd->dst_ether, + af, r->dst.neg, NULL)) r = r->skip[PF_SKIP_DST_ADDR].ptr; else if (r->dst.port_op && !pf_match_port(r->dst.port_op, r->dst.port[0], r->dst.port[1], uh->uh_dport)) @@ -3903,11 +3962,17 @@ s->proto = IPPROTO_UDP; s->direction = direction; s->af = af; +#ifdef __FreeBSD__ + if (r->rule_flag & PFRULE_ETHERSTATE) + s->local_flags |= PFSTATE_ETHER; +#endif if (direction == PF_OUT) { PF_ACPY(&s->gwy.addr, saddr, af); s->gwy.port = uh->uh_sport; + s->gwy.addr_ether = pd->src_ether; PF_ACPY(&s->ext.addr, daddr, af); s->ext.port = uh->uh_dport; + s->ext.addr_ether = pd->dst_ether; if (nr != NULL) { PF_ACPY(&s->lan.addr, &pd->baddr, af); s->lan.port = bport; @@ -3918,8 +3983,10 @@ } else { PF_ACPY(&s->lan.addr, daddr, af); s->lan.port = uh->uh_dport; + s->lan.addr_ether = pd->dst_ether; PF_ACPY(&s->ext.addr, saddr, af); s->ext.port = uh->uh_sport; + s->ext.addr_ether = pd->src_ether; if (nr != NULL) { PF_ACPY(&s->gwy.addr, &pd->baddr, af); s->gwy.port = bport; 
@@ -4094,11 +4161,11 @@ r = r->skip[PF_SKIP_AF].ptr; else if (r->proto && r->proto != pd->proto) r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&r->src.addr, saddr, af, - r->src.neg, kif)) + else if (PF_MISMATCHAW_L2(&r->src.addr, saddr, &pd->src_ether, + af, r->src.neg, kif)) r = r->skip[PF_SKIP_SRC_ADDR].ptr; - else if (PF_MISMATCHAW(&r->dst.addr, daddr, af, - r->dst.neg, NULL)) + else if (PF_MISMATCHAW_L2(&r->dst.addr, daddr, &pd->dst_ether, + af, r->dst.neg, NULL)) r = r->skip[PF_SKIP_DST_ADDR].ptr; else if (r->type && r->type != icmptype + 1) r = TAILQ_NEXT(r, entries); @@ -4216,11 +4283,17 @@ s->proto = pd->proto; s->direction = direction; s->af = af; +#ifdef __FreeBSD__ + if (r->rule_flag & PFRULE_ETHERSTATE) + s->local_flags |= PFSTATE_ETHER; +#endif if (direction == PF_OUT) { PF_ACPY(&s->gwy.addr, saddr, af); s->gwy.port = nport; + s->gwy.addr_ether = pd->src_ether; PF_ACPY(&s->ext.addr, daddr, af); s->ext.port = 0; + s->ext.addr_ether = pd->dst_ether; if (nr != NULL) { PF_ACPY(&s->lan.addr, &pd->baddr, af); s->lan.port = bport; @@ -4231,8 +4304,10 @@ } else { PF_ACPY(&s->lan.addr, daddr, af); s->lan.port = nport; + s->lan.addr_ether = pd->dst_ether; PF_ACPY(&s->ext.addr, saddr, af); s->ext.port = 0; + s->ext.addr_ether = pd->src_ether; if (nr != NULL) { PF_ACPY(&s->gwy.addr, &pd->baddr, af); s->gwy.port = bport; @@ -4357,11 +4432,11 @@ r = r->skip[PF_SKIP_AF].ptr; else if (r->proto && r->proto != pd->proto) r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, - r->src.neg, kif)) + else if (PF_MISMATCHAW_L2(&r->src.addr, pd->src, &pd->src_ether, + af, r->src.neg, kif)) r = r->skip[PF_SKIP_SRC_ADDR].ptr; - else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, - r->dst.neg, NULL)) + else if (PF_MISMATCHAW_L2(&r->dst.addr, pd->dst, &pd->dst_ether, + af, r->dst.neg, NULL)) r = r->skip[PF_SKIP_DST_ADDR].ptr; else if (r->tos && !(r->tos == pd->tos)) r = TAILQ_NEXT(r, entries); 
@@ -4503,16 +4578,24 @@ s->proto = pd->proto; s->direction = direction; s->af = af; +#ifdef __FreeBSD__ + if (r->rule_flag & PFRULE_ETHERSTATE) + s->local_flags |= PFSTATE_ETHER; +#endif if (direction == PF_OUT) { PF_ACPY(&s->gwy.addr, saddr, af); + s->gwy.addr_ether = pd->src_ether; PF_ACPY(&s->ext.addr, daddr, af); + s->ext.addr_ether = pd->dst_ether; if (nr != NULL) PF_ACPY(&s->lan.addr, &pd->baddr, af); else PF_ACPY(&s->lan.addr, &s->gwy.addr, af); } else { PF_ACPY(&s->lan.addr, daddr, af); + s->lan.addr_ether = pd->dst_ether; PF_ACPY(&s->ext.addr, saddr, af); + s->ext.addr_ether = pd->src_ether; if (nr != NULL) PF_ACPY(&s->gwy.addr, &pd->baddr, af); else @@ -4574,11 +4657,11 @@ r = r->skip[PF_SKIP_AF].ptr; else if (r->proto && r->proto != pd->proto) r = r->skip[PF_SKIP_PROTO].ptr; - else if (PF_MISMATCHAW(&r->src.addr, pd->src, af, - r->src.neg, kif)) + else if (PF_MISMATCHAW_L2(&r->src.addr, pd->src, &pd->src_ether, + af, r->src.neg, kif)) r = r->skip[PF_SKIP_SRC_ADDR].ptr; - else if (PF_MISMATCHAW(&r->dst.addr, pd->dst, af, - r->dst.neg, NULL)) + else if (PF_MISMATCHAW_L2(&r->dst.addr, pd->dst, &pd->dst_ether, + af, r->dst.neg, NULL)) r = r->skip[PF_SKIP_DST_ADDR].ptr; else if (r->tos && !(r->tos == pd->tos)) r = TAILQ_NEXT(r, entries); @@ -6866,6 +6949,12 @@ pd.tos = h->ip_tos; pd.tot_len = ntohs(h->ip_len); pd.eh = eh; + if (eh) { + memcpy(pd.src_ether.octet, eh->ether_shost, ETHER_ADDR_LEN); + pd.src_ether.flags = PFAE_CHECK; + memcpy(pd.dst_ether.octet, eh->ether_dhost, ETHER_ADDR_LEN); + pd.dst_ether.flags = PFAE_CHECK; + } /* handle fragments that didn't get reassembled by normalization */ if (h->ip_off & htons(IP_MF | IP_OFFMASK)) { 
@@ -7260,6 +7349,12 @@ pd.tos = 0; pd.tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr); pd.eh = eh; + if (eh) { + memcpy(pd.src_ether.octet, eh->ether_shost, ETHER_ADDR_LEN); + pd.src_ether.flags = PFAE_CHECK; + memcpy(pd.dst_ether.octet, eh->ether_dhost, ETHER_ADDR_LEN); + pd.dst_ether.flags = PFAE_CHECK; + } off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr); pd.proto = h->ip6_nxt; diff -urN -x .hg -x .svn ../my/sys/contrib/pf/net/pf_ioctl.c ./sys/contrib/pf/net/pf_ioctl.c --- ../my/sys/contrib/pf/net/pf_ioctl.c 2008-09-07 19:12:21.000000000 +0300 +++ ./sys/contrib/pf/net/pf_ioctl.c 2008-09-07 22:24:44.000000000 +0300 @@ -112,6 +112,7 @@ #ifdef __FreeBSD__ #include +#include #else #include #include @@ -3637,6 +3638,7 @@ * byte order. */ struct ip *h = NULL; + struct m_tag *tag_ether_hdr; int chk; if ((*m)->m_pkthdr.len >= (int)sizeof(struct ip)) { @@ -3645,7 +3647,10 @@ HTONS(h->ip_len); HTONS(h->ip_off); } - chk = pf_test(PF_IN, ifp, m, NULL, inp); + tag_ether_hdr = m_tag_locate(*m, MTAG_ETHER, MTAG_ETHER_HEADER, NULL); + chk = pf_test(PF_IN, ifp, m, + tag_ether_hdr ? (struct ether_header *)(tag_ether_hdr + 1) : NULL, + inp); if (chk && *m) { m_freem(*m); *m = NULL; @@ -3672,6 +3677,7 @@ * byte order. */ struct ip *h = NULL; + struct m_tag *tag_ether_hdr; int chk; /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */ @@ -3685,7 +3691,10 @@ HTONS(h->ip_len); HTONS(h->ip_off); } - chk = pf_test(PF_OUT, ifp, m, NULL, inp); + tag_ether_hdr = m_tag_locate(*m, MTAG_ETHER, MTAG_ETHER_HEADER, NULL); + chk = pf_test(PF_OUT, ifp, m, + tag_ether_hdr ? (struct ether_header *)(tag_ether_hdr + 1) : NULL, + inp); if (chk && *m) { m_freem(*m); *m = NULL; @@ -3707,6 +3716,7 @@ /* * IPv6 is not affected by ip_len/ip_off byte order changes. */ + struct m_tag *tag_ether_hdr; int chk; /* 
@@ -3714,8 +3724,10 @@ * order to support scoped addresses. In order to support stateful * filtering we have change this to lo0 as it is the case in IPv4. */ + tag_ether_hdr = m_tag_locate(*m, MTAG_ETHER, MTAG_ETHER_HEADER, NULL); chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &V_loif[0] : ifp, m, - NULL, inp); + tag_ether_hdr ? (struct ether_header *)(tag_ether_hdr + 1) : NULL, + inp); if (chk && *m) { m_freem(*m); *m = NULL; @@ -3730,6 +3742,7 @@ /* * IPv6 does not affected ip_len/ip_off byte order changes. */ + struct m_tag *tag_ether_hdr; int chk; /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */ @@ -3737,7 +3750,10 @@ in_delayed_cksum(*m); (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; } - chk = pf_test6(PF_OUT, ifp, m, NULL, inp); + tag_ether_hdr = m_tag_locate(*m, MTAG_ETHER, MTAG_ETHER_HEADER, NULL); + chk = pf_test6(PF_OUT, ifp, m, + tag_ether_hdr ? (struct ether_header *)(tag_ether_hdr + 1) : NULL, + inp); if (chk && *m) { m_freem(*m); *m = NULL; diff -urN -x .hg -x .svn ../my/sys/contrib/pf/net/pf_table.c ./sys/contrib/pf/net/pf_table.c --- ../my/sys/contrib/pf/net/pf_table.c 2008-09-07 19:12:21.000000000 +0300 +++ ./sys/contrib/pf/net/pf_table.c 2008-09-07 22:24:44.000000000 +0300 @@ -917,6 +917,7 @@ ke->pfrke_net = ad->pfra_net; ke->pfrke_not = ad->pfra_not; ke->pfrke_intrpool = intr; + ke->pfrke_ether = ad->pfra_ether; return (ke); } @@ -1145,6 +1146,7 @@ ad->pfra_ip4addr = ke->pfrke_sa.sin.sin_addr; else if (ad->pfra_af == AF_INET6) ad->pfra_ip6addr = ke->pfrke_sa.sin6.sin6_addr; + ad->pfra_ether = ke->pfrke_ether; } int @@ -2089,6 +2091,12 @@ int pfr_match_addr(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af) { + return pfr_match_addr_ether(kt, a, af, NULL); +} + +int +pfr_match_addr_ether(struct pfr_ktable *kt, struct pf_addr *a, sa_family_t af, struct pf_addr_ether *ae) +{ struct pfr_kentry *ke = NULL; int match; 
@@ -2115,7 +2123,10 @@ break; #endif /* INET6 */ } - match = (ke && !ke->pfrke_not); + match = (ke != NULL); + if (match && ae) + match = pf_match_addr_ether(&ke->pfrke_ether, ae, 0); + match = (match && !ke->pfrke_not); if (match) kt->pfrkt_match++; else diff -urN -x .hg -x .svn ../my/sys/contrib/pf/net/pfvar.h ./sys/contrib/pf/net/pfvar.h --- ../my/sys/contrib/pf/net/pfvar.h 2008-09-07 19:12:21.000000000 +0300 +++ ./sys/contrib/pf/net/pfvar.h 2008-09-07 22:24:45.000000000 +0300 @@ -165,6 +165,14 @@ #define PFI_AFLAG_MODEMASK 0x07 #define PFI_AFLAG_NOALIAS 0x08 +#define PFAE_CHECK 0x01 +#define PFAE_MULTICAST 0x02 + +struct pf_addr_ether { + u_int8_t octet[6]; + u_int16_t flags; +}; + struct pf_addr_wrap { union { struct { @@ -185,6 +193,7 @@ int dyncnt; int tblcnt; } p; + struct pf_addr_ether addr_ether; u_int8_t type; /* PF_ADDR_* */ u_int8_t iflags; /* PFI_AFLAG_* */ }; @@ -401,7 +410,7 @@ #endif /* PF_INET6_ONLY */ #endif /* PF_INET_INET6 */ -#define PF_MISMATCHAW(aw, x, af, neg, ifp) \ +#define PF_MISMATCHAW_L2(aw, x, xl2, af, neg, ifp) \ ( \ (((aw)->type == PF_ADDR_NOROUTE && \ pf_routable((x), (af), NULL)) || \ @@ -410,16 +419,24 @@ ((aw)->type == PF_ADDR_RTLABEL && \ !pf_rtlabel_match((x), (af), (aw))) || \ ((aw)->type == PF_ADDR_TABLE && \ - !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ + !pfr_match_addr_ether((aw)->p.tbl, (x), \ + (af), (xl2))) || \ ((aw)->type == PF_ADDR_DYNIFTL && \ - !pfi_match_addr((aw)->p.dyn, (x), (af))) || \ + !(pfi_match_addr((aw)->p.dyn, (x), (af)) && \ + pf_match_addr_ether(&(aw)->addr_ether, \ + (xl2), 0))) || \ ((aw)->type == PF_ADDR_ADDRMASK && \ !PF_AZERO(&(aw)->v.a.mask, (af)) && \ - !PF_MATCHA(0, &(aw)->v.a.addr, \ - &(aw)->v.a.mask, (x), (af))))) != \ + !(PF_MATCHA(0, &(aw)->v.a.addr, \ + &(aw)->v.a.mask, (x), (af)) && \ + pf_match_addr_ether(&(aw)->addr_ether, \ + (xl2), 0))))) != \ (neg) \ ) +#define PF_MISMATCHAW(aw, x, af, neg, ifp) \ + PF_MISMATCHAW_L2(aw, x, NULL, af, neg, ifp) + struct pf_rule_uid { uid_t uid[2]; 
@@ -690,6 +707,7 @@ #define PFRULE_NOSYNC 0x0010 #define PFRULE_SRCTRACK 0x0020 /* track source states */ #define PFRULE_RULESRCTRACK 0x0040 /* per rule */ +#define PFRULE_ETHERSTATE 0x0080 /* per rule */ /* scrub flags */ #define PFRULE_NODF 0x0100 @@ -752,6 +770,8 @@ struct pf_state_host { struct pf_addr addr; + struct pf_addr_ether + addr_ether; u_int16_t port; u_int16_t pad; }; @@ -796,6 +816,7 @@ #ifdef __FreeBSD__ u_int8_t local_flags; #define PFSTATE_EXPIRING 0x01 +#define PFSTATE_ETHER 0x02 #else u_int8_t pad; #endif @@ -902,6 +923,7 @@ u_int8_t pfra_net; u_int8_t pfra_not; u_int8_t pfra_fback; + struct pf_addr_ether pfra_ether; }; #define pfra_ip4addr pfra_u._pfra_ip4addr #define pfra_ip6addr pfra_u._pfra_ip6addr @@ -945,6 +967,7 @@ struct pfr_kentry { struct radix_node pfrke_node[2]; union sockaddr_union pfrke_sa; + struct pf_addr_ether pfrke_ether; u_int64_t pfrke_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; u_int64_t pfrke_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; SLIST_ENTRY(pfr_kentry) pfrke_workq; @@ -1054,6 +1077,10 @@ struct pf_addr *dst; struct ether_header *eh; + struct pf_addr_ether + src_ether; + struct pf_addr_ether + dst_ether; struct pf_mtag *pf_mtag; u_int16_t *ip_sum; u_int32_t p_len; /* total length of payload */ @@ -1650,6 +1677,7 @@ struct pf_pdesc *); int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, struct pf_addr *, sa_family_t); +int pf_match_addr_ether(struct pf_addr_ether *, struct pf_addr_ether *, int); int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t); int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); int pf_match_uid(u_int8_t, uid_t, uid_t, uid_t); 
@@ -1680,6 +1708,7 @@ #endif void pfr_initialize(void); int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); +int pfr_match_addr_ether(struct pfr_ktable *, struct pf_addr *, sa_family_t, struct pf_addr_ether *); void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, u_int64_t, int, int, int); int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, diff -urN -x .hg -x .svn ../my/sys/net/ethernet.h ./sys/net/ethernet.h --- ../my/sys/net/ethernet.h 2008-09-07 19:15:09.000000000 +0300 +++ ./sys/net/ethernet.h 2008-09-07 22:24:44.000000000 +0300 @@ -362,6 +362,10 @@ } while (0) #ifdef _KERNEL +#include + +#define MTAG_ETHER 1080579719 +#define MTAG_ETHER_HEADER 0 struct ifnet; struct mbuf; @@ -383,6 +387,8 @@ void *, u_int); struct mbuf *ether_vlanencap(struct mbuf *, uint16_t); +extern struct pfil_head ether_pfil_hook; /* Packet filter hooks */ + #else /* _KERNEL */ #include diff -urN -x .hg -x .svn ../my/sys/net/if.h ./sys/net/if.h --- ../my/sys/net/if.h 2008-09-07 19:15:09.000000000 +0300 +++ ./sys/net/if.h 2008-09-07 22:24:44.000000000 +0300 @@ -150,6 +150,8 @@ #define IFF_MONITOR 0x40000 /* (n) user-requested monitor mode */ #define IFF_STATICARP 0x80000 /* (n) static ARP */ #define IFF_NEEDSGIANT 0x100000 /* (i) hold Giant over if_start calls */ +#define IFF_L2FILTER 0x200000 /* (n) perform layer2 filtering on interface */ +#define IFF_L2TAG 0x400000 /* (n) tag packets with layer2 header */ /* * Old names for driver flags so that user space tools can continue to use diff -urN -x .hg -x .svn ../my/sys/net/if_bridge.c ./sys/net/if_bridge.c --- ../my/sys/net/if_bridge.c 2008-09-07 19:15:09.000000000 +0300 +++ ./sys/net/if_bridge.c 2008-09-07 22:24:44.000000000 +0300 @@ -79,6 +79,7 @@ #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_ipfw.h" #include "opt_carp.h" #include @@ -125,6 +126,7 @@ #include #include /* for struct arpcom */ #include +#include /* for ether_pfil_hook */ #include #include #include 
@@ -342,15 +344,14 @@ static int pfil_onlyip = 1; /* only pass IP[46] packets when pfil is enabled */ static int pfil_bridge = 1; /* run pfil hooks on the bridge interface */ static int pfil_member = 1; /* run pfil hooks on the member interface */ -static int pfil_ipfw = 0; /* layer2 filter with ipfw */ -static int pfil_ipfw_arp = 0; /* layer2 filter with ipfw */ +static int pfil_layer2_arp = 0; /* layer2 filter with PFIL */ static int pfil_local_phys = 0; /* run pfil hooks on the physical interface for locally destined packets */ static int log_stp = 0; /* log STP state changes */ SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_onlyip, CTLFLAG_RW, &pfil_onlyip, 0, "Only pass IP packets when pfil is enabled"); -SYSCTL_INT(_net_link_bridge, OID_AUTO, ipfw_arp, CTLFLAG_RW, - &pfil_ipfw_arp, 0, "Filter ARP packets through IPFW layer2"); +SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_layer2_arp, CTLFLAG_RW, + &pfil_layer2_arp, 0, "Filter ARP packets through PFIL layer2"); SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_bridge, CTLFLAG_RW, &pfil_bridge, 0, "Packet filter on the bridge interface"); SYSCTL_INT(_net_link_bridge, OID_AUTO, pfil_member, CTLFLAG_RW, 
@@ -508,39 +509,6 @@ MODULE_DEPEND(if_bridge, bridgestp, 1, 1, 1); /* - * handler for net.link.bridge.pfil_ipfw - */ -static int -sysctl_pfil_ipfw(SYSCTL_HANDLER_ARGS) -{ - int enable = pfil_ipfw; - int error; - - error = sysctl_handle_int(oidp, &enable, 0, req); - enable = (enable) ? 1 : 0; - - if (enable != pfil_ipfw) { - pfil_ipfw = enable; - - /* - * Disable pfil so that ipfw doesnt run twice, if the user - * really wants both then they can re-enable pfil_bridge and/or - * pfil_member. Also allow non-ip packets as ipfw can filter by - * layer2 type. - */ - if (pfil_ipfw) { - pfil_onlyip = 0; - pfil_bridge = 0; - pfil_member = 0; - } - } - - return (error); -} -SYSCTL_PROC(_net_link_bridge, OID_AUTO, ipfw, CTLTYPE_INT|CTLFLAG_RW, - &pfil_ipfw, 0, &sysctl_pfil_ipfw, "I", "Layer2 filter with IPFW"); - -/* * bridge_clone_create: * * Create a new bridge instance. @@ -1796,11 +1764,7 @@ return; } - if (PFIL_HOOKED(&inet_pfil_hook) -#ifdef INET6 - || PFIL_HOOKED(&inet6_pfil_hook) -#endif - ) { + if (PFIL_HOOKED(ðer_pfil_hook)) { if (bridge_pfil(&m, sc->sc_ifp, ifp, PFIL_OUT) != 0) return; if (m == NULL) @@ -2929,7 +2893,7 @@ { int snap, error, i, hlen; struct ether_header *eh1, eh2; - struct ip_fw_args args; + struct m_tag *mtag_ether_header; struct ip *ip; struct llc llc1; u_int16_t ether_type; @@ -2942,7 +2906,7 @@ KASSERT(M_WRITABLE(*mp), ("%s: modifying a shared mbuf", __func__)); #endif - if (pfil_bridge == 0 && pfil_member == 0 && pfil_ipfw == 0) + if (pfil_bridge == 0 && pfil_member == 0 && !(bifp != NULL && (bifp->if_flags & IFF_L2FILTER))) return (0); /* filtering is disabled */ i = min((*mp)->m_pkthdr.len, max_protohdr); @@ -2984,7 +2948,7 @@ switch (ether_type) { case ETHERTYPE_ARP: case ETHERTYPE_REVARP: - if (pfil_ipfw_arp == 0) + if (pfil_layer2_arp == 0) return (0); /* Automatically pass */ break; 
@@ -3003,6 +2967,12 @@ goto bad; } + if (PFIL_HOOKED(ðer_pfil_hook) && dir == PFIL_OUT && bifp != NULL && + (bifp->if_flags & IFF_L2FILTER)) { + if (pfil_run_hooks(ðer_pfil_hook, mp, bifp, PFIL_OUT, NULL) != 0) + return EACCES; + } + /* Strip off the Ethernet header and keep a copy. */ m_copydata(*mp, 0, ETHER_HDR_LEN, (caddr_t) &eh2); m_adj(*mp, ETHER_HDR_LEN); @@ -3033,47 +3003,22 @@ goto bad; } - if (IPFW_LOADED && pfil_ipfw != 0 && dir == PFIL_OUT && ifp != NULL) { - error = -1; - args.rule = ip_dn_claim_rule(*mp); - if (args.rule != NULL && V_fw_one_pass) - goto ipfwpass; /* packet already partially processed */ - - args.m = *mp; - args.oif = ifp; - args.next_hop = NULL; - args.eh = &eh2; - args.inp = NULL; /* used by ipfw uid/gid/jail rules */ - i = ip_fw_chk_ptr(&args); - *mp = args.m; - - if (*mp == NULL) - return (error); - - if (DUMMYNET_LOADED && (i == IP_FW_DUMMYNET)) { - - /* put the Ethernet header back on */ - M_PREPEND(*mp, ETHER_HDR_LEN, M_DONTWAIT); - if (*mp == NULL) - return (error); - bcopy(&eh2, mtod(*mp, caddr_t), ETHER_HDR_LEN); + error = 0; - /* - * Pass the pkt to dummynet, which consumes it. The - * packet will return to us via bridge_dummynet(). - */ - args.oif = ifp; - ip_dn_io_ptr(mp, DN_TO_IFB_FWD, &args); - return (error); + /* Add tag if member or bridge interface has IFF_L2TAG set */ + if (((bifp ? bifp->if_flags : 0) | (ifp ? ifp->if_flags : 0)) & IFF_L2TAG) { + mtag_ether_header = m_tag_locate(*mp, MTAG_ETHER, MTAG_ETHER_HEADER, + NULL); + if (mtag_ether_header == NULL) { + mtag_ether_header = m_tag_alloc(MTAG_ETHER, MTAG_ETHER_HEADER, + ETHER_HDR_LEN, M_NOWAIT); + if (mtag_ether_header != NULL) { + memcpy(mtag_ether_header + 1, &eh2, ETHER_HDR_LEN); + m_tag_prepend(*mp, mtag_ether_header); + } } - - if (i != IP_FW_PASS) /* drop */ - goto bad; } -ipfwpass: - error = 0; - /* * Run the packet through pfil */ 
@@ -3110,8 +3055,25 @@ break; if (pfil_bridge && dir == PFIL_IN && bifp != NULL) +#ifdef IPFIREWALL + { + /* + * Mark packets as received from bridge interface. + * Without this hack ipfw can't distinguish filtering + * on bridge from filtering on member interface. + */ + struct ifnet *orig_rcvif; + + orig_rcvif = (*mp)->m_pkthdr.rcvif; + (*mp)->m_pkthdr.rcvif = bifp; +#endif error = pfil_run_hooks(&inet_pfil_hook, mp, bifp, dir, NULL); +#ifdef IPFIREWALL + if (*mp) + (*mp)->m_pkthdr.rcvif = orig_rcvif; + } +#endif if (*mp == NULL || error != 0) /* filter may consume */ break; @@ -3164,8 +3126,25 @@ break; if (pfil_bridge && dir == PFIL_IN && bifp != NULL) +#ifdef IPFIREWALL + { + /* + * Mark packets as received from bridge interface. + * Without this hack ipfw can't distinguish filtering + * on bridge from filtering on member interface. + */ + struct ifnet *orig_rcvif; + + orig_rcvif = (*mp)->m_pkthdr.rcvif; + (*mp)->m_pkthdr.rcvif = bifp; +#endif error = pfil_run_hooks(&inet6_pfil_hook, mp, bifp, dir, NULL); +#ifdef IPFIREWALL + if (*mp) + (*mp)->m_pkthdr.rcvif = orig_rcvif; + } +#endif break; #endif default: diff -urN -x .hg -x .svn ../my/sys/net/if_ethersubr.c ./sys/net/if_ethersubr.c --- ../my/sys/net/if_ethersubr.c 2008-09-07 19:15:09.000000000 +0300 +++ ./sys/net/if_ethersubr.c 2008-09-07 22:24:44.000000000 +0300 @@ -62,14 +62,13 @@ #include #include #include +#include #include #if defined(INET) || defined(INET6) #include #include #include -#include -#include #endif #ifdef INET6 #include @@ -138,12 +137,7 @@ #define senderr(e) do { error = (e); goto bad;} while (0) -#if defined(INET) || defined(INET6) -int -ether_ipfw_chk(struct mbuf **m0, struct ifnet *dst, - struct ip_fw **rule, int shared); -static int ether_ipfw; -#endif +struct pfil_head ether_pfil_hook; /* Packet filter hooks */ /* * Ethernet output routine. 
@@ -391,20 +385,12 @@ int ether_output_frame(struct ifnet *ifp, struct mbuf *m) { - int error; -#if defined(INET) || defined(INET6) - struct ip_fw *rule = ip_dn_claim_rule(m); + int error = 0; - if (IPFW_LOADED && V_ether_ipfw != 0) { - if (ether_ipfw_chk(&m, ifp, &rule, 0) == 0) { - if (m) { - m_freem(m); - return EACCES; /* pkt dropped */ - } else - return 0; /* consumed e.g. in a pipe */ - } - } -#endif + if (PFIL_HOOKED(ðer_pfil_hook) && (ifp->if_flags & IFF_L2FILTER)) + error = pfil_run_hooks(ðer_pfil_hook, &m, ifp, PFIL_OUT, NULL); + if (m == NULL) + return 0; /* consumed e.g. in a pipe */ /* * Queue message on interface, update output statistics if 
@@ -414,102 +400,6 @@ return (error); } -#if defined(INET) || defined(INET6) -/* - * ipfw processing for ethernet packets (in and out). - * The second parameter is NULL from ether_demux, and ifp from - * ether_output_frame. - */ -int -ether_ipfw_chk(struct mbuf **m0, struct ifnet *dst, - struct ip_fw **rule, int shared) -{ - struct ether_header *eh; - struct ether_header save_eh; - struct mbuf *m; - int i; - struct ip_fw_args args; - - if (*rule != NULL && V_fw_one_pass) - return 1; /* dummynet packet, already partially processed */ - - /* - * I need some amt of data to be contiguous, and in case others need - * the packet (shared==1) also better be in the first mbuf. - */ - m = *m0; - i = min( m->m_pkthdr.len, max_protohdr); - if ( shared || m->m_len < i) { - m = m_pullup(m, i); - if (m == NULL) { - *m0 = m; - return 0; - } - } - eh = mtod(m, struct ether_header *); - save_eh = *eh; /* save copy for restore below */ - m_adj(m, ETHER_HDR_LEN); /* strip ethernet header */ - - args.m = m; /* the packet we are looking at */ - args.oif = dst; /* destination, if any */ - args.rule = *rule; /* matching rule to restart */ - args.next_hop = NULL; /* we do not support forward yet */ - args.eh = &save_eh; /* MAC header for bridged/MAC packets */ - args.inp = NULL; /* used by ipfw uid/gid/jail rules */ - i = ip_fw_chk_ptr(&args); - m = args.m; - if (m != NULL) { - /* - * Restore Ethernet header, as needed, in case the - * mbuf chain was replaced by ipfw. - */ - M_PREPEND(m, ETHER_HDR_LEN, M_DONTWAIT); - if (m == NULL) { - *m0 = m; - return 0; - } - if (eh != mtod(m, struct ether_header *)) - bcopy(&save_eh, mtod(m, struct ether_header *), - ETHER_HDR_LEN); - } - *m0 = m; - *rule = args.rule; - - if (i == IP_FW_DENY) /* drop */ - return 0; - - KASSERT(m != NULL, ("ether_ipfw_chk: m is NULL")); - - if (i == IP_FW_PASS) /* a PASS rule. */ - return 1; - - if (DUMMYNET_LOADED && (i == IP_FW_DUMMYNET)) { - /* - * Pass the pkt to dummynet, which consumes it. 
- * If shared, make a copy and keep the original. - */ - if (shared) { - m = m_copypacket(m, M_DONTWAIT); - if (m == NULL) - return 0; - } else { - /* - * Pass the original to dummynet and - * nothing back to the caller - */ - *m0 = NULL ; - } - ip_dn_io_ptr(&m, dst ? DN_TO_ETH_OUT: DN_TO_ETH_DEMUX, &args); - return 0; - } - /* - * XXX at some point add support for divert/forward actions. - * If none of the above matches, we have to drop the pkt. - */ - return 0; -} -#endif - /* * Process a received Ethernet packet; the packet is in the * mbuf chain m with the ethernet header at the front. @@ -707,6 +597,7 @@ ether_demux(struct ifnet *ifp, struct mbuf *m) { struct ether_header *eh; + struct m_tag *mtag_ether_header; int isr; u_short ether_type; #if defined(NETATALK) @@ -715,21 +606,15 @@ KASSERT(ifp != NULL, ("%s: NULL interface pointer", __func__)); -#if defined(INET) || defined(INET6) /* - * Allow dummynet and/or ipfw to claim the frame. + * Allow pfil to claim the frame. * Do not do this for PROMISC frames in case we are re-entered. */ - if (IPFW_LOADED && V_ether_ipfw != 0 && !(m->m_flags & M_PROMISC)) { - struct ip_fw *rule = ip_dn_claim_rule(m); - - if (ether_ipfw_chk(&m, NULL, &rule, 0) == 0) { - if (m) - m_freem(m); /* dropped; free mbuf chain */ - return; /* consumed */ - } + if (PFIL_HOOKED(ðer_pfil_hook) && (ifp->if_flags & IFF_L2FILTER) && + !(m->m_flags & M_PROMISC)) { + if (pfil_run_hooks(ðer_pfil_hook, &m, ifp, PFIL_IN, NULL) != 0) + return; } -#endif eh = mtod(m, struct ether_header *); ether_type = ntohs(eh->ether_type); @@ -761,6 +646,14 @@ return; } + if (ifp->if_flags & IFF_L2TAG) { + mtag_ether_header = m_tag_alloc(MTAG_ETHER, MTAG_ETHER_HEADER, ETHER_HDR_LEN, M_NOWAIT); + if (mtag_ether_header != NULL) { + memcpy(mtag_ether_header + 1, eh, ETHER_HDR_LEN); + m_tag_prepend(m, mtag_ether_header); + } + } + /* * Reset layer specific mbuf flags to avoid confusing upper layers. * Strip off Ethernet header. 
@@ -936,10 +829,6 @@ SYSCTL_DECL(_net_link); SYSCTL_NODE(_net_link, IFT_ETHER, ether, CTLFLAG_RW, 0, "Ethernet"); -#if defined(INET) || defined(INET6) -SYSCTL_INT(_net_link_ether, OID_AUTO, ipfw, CTLFLAG_RW, - ðer_ipfw,0,"Pass ether pkts through firewall"); -#endif #if 0 /* @@ -1195,10 +1084,16 @@ static int ether_modevent(module_t mod, int type, void *data) { + int err; switch (type) { case MOD_LOAD: if_register_com_alloc(IFT_ETHER, ether_alloc, ether_free); + ether_pfil_hook.ph_type = PFIL_TYPE_IFT; + ether_pfil_hook.ph_af = IFT_ETHER; + if ((err = pfil_head_register(ðer_pfil_hook)) != 0) + printf("%s: WARNING: unable to register pfil hook, " + "error %d\n", __func__, err); break; case MOD_UNLOAD: if_deregister_com_alloc(IFT_ETHER); diff -urN -x .hg -x .svn ../my/sys/net/pfil.h ./sys/net/pfil.h --- ../my/sys/net/pfil.h 2008-09-07 19:15:09.000000000 +0300 +++ ./sys/net/pfil.h 2008-09-07 22:24:44.000000000 +0300 @@ -63,6 +63,7 @@ #define PFIL_TYPE_AF 1 /* key is AF_* type */ #define PFIL_TYPE_IFNET 2 /* key is ifnet pointer */ +#define PFIL_TYPE_IFT 3 /* key is IFT_* type */ struct pfil_head { pfil_list_t ph_in; diff -urN -x .hg -x .svn ../my/sys/netinet/ip_fw.h ./sys/netinet/ip_fw.h --- ../my/sys/netinet/ip_fw.h 2008-09-07 19:15:19.000000000 +0300 +++ ./sys/netinet/ip_fw.h 2008-09-07 22:24:44.000000000 +0300 @@ -72,8 +72,9 @@ O_IP_DSTPORT, /* (n)port list:mask 4 byte ea */ O_PROTO, /* arg1=protocol */ - O_MACADDR2, /* 2 mac addr:mask */ - O_MAC_TYPE, /* same as srcport */ + O_ETHER_SRC, /* 2 ethernet (mac) addr:mask */ + O_ETHER_DST, /* 2 ethernet (mac) addr:mask */ + O_ETHER_TYPE, /* same as srcport */ O_LAYER2, /* none */ O_IN, /* none */ @@ -128,7 +129,6 @@ O_DIVERT, /* arg1=port number */ O_TEE, /* arg1=port number */ O_FORWARD_IP, /* fwd sockaddr */ - O_FORWARD_MAC, /* fwd mac */ O_NAT, /* nope */ /* 
@@ -169,6 +169,15 @@ O_SETFIB, /* arg1=FIB number */ O_FIB, /* arg1=FIB desired fib number */ + O_STATEOPTS, + + /* + * ARP opcodes + */ + O_ARP_OP, /* same as srcport */ + O_ARP_SRC_LOOKUP, /* arg1=table number, u32=value */ + O_ARP_DST_LOOKUP, /* arg1=table number, u32=value */ + O_LAST_OPCODE /* not an opcode! */ }; @@ -266,13 +275,21 @@ } ipfw_insn_sa; /* - * This is used for MAC addr-mask pairs. + * This is used for ethernet (MAC) addr-mask pairs. */ -typedef struct _ipfw_insn_mac { + +#define IPFW_EA_CHECK 0x01 +#define IPFW_EA_MULTICAST 0x02 + +typedef struct _ipfw_ether_addr { + u_char octet[6]; + u_int16_t flags; +} ipfw_ether_addr; + +typedef struct _ipfw_insn_ether { ipfw_insn o; - u_char addr[12]; /* dst[6] + src[6] */ - u_char mask[12]; /* dst[6] + src[6] */ -} ipfw_insn_mac; + ipfw_ether_addr ether; +} ipfw_insn_ether; /* * This is used for interface match rules (recv xx, xmit xx). @@ -481,6 +498,8 @@ struct in6_addr src_ip6; u_int32_t flow_id6; u_int32_t frag_id6; + ipfw_ether_addr src_ether; + ipfw_ether_addr dst_ether; }; #define IS_IP6_FLOW_ID(id) ((id)->addr_type == 6) @@ -532,10 +551,16 @@ #define ICMP6_UNREACH_RST 0x100 /* fake ICMPv6 code (send a TCP RST) */ /* + * Definitions for state (dynamic rule) option names. + */ +#define IP_FW_STATEOPT_ETHER 0x01 + +/* * These are used for lookup tables. */ typedef struct _ipfw_table_entry { in_addr_t addr; /* network address */ + ipfw_ether_addr ether_addr; /* ethernet address */ u_int32_t value; /* value */ u_int16_t tbl; /* table number */ u_int8_t masklen; /* mask length */ @@ -586,6 +611,8 @@ struct route_in6 ro_pmtu_or; }; +#define IP_FW_ARGS_LAYER2 0x01 + /* * Arguments for calling ipfw_chk() and dummynet_io(). We put them * all into a structure because this way it is easier and more 
@@ -596,7 +623,8 @@ struct ifnet *oif; /* output interface */ struct sockaddr_in *next_hop; /* forward address */ struct ip_fw *rule; /* matching rule */ - struct ether_header *eh; /* for bridged packets */ + struct ether_header *eh; /* for saved ethernet header */ + int flags; struct ipfw_flow_id f_id; /* grabbed from IP header */ u_int32_t cookie; /* a cookie depending on rule action */ @@ -616,6 +644,8 @@ int ipfw_check_in(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp); int ipfw_check_out(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp); +int ipfw_ether_check_in(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp); +int ipfw_ether_check_out(void *, struct mbuf **, struct ifnet *, int, struct inpcb *inp); int ipfw_chk(struct ip_fw_args *); diff -urN -x .hg -x .svn ../my/sys/netinet/ip_fw2.c ./sys/netinet/ip_fw2.c --- ../my/sys/netinet/ip_fw2.c 2008-09-07 19:15:19.000000000 +0300 +++ ./sys/netinet/ip_fw2.c 2008-09-07 22:24:44.000000000 +0300 @@ -66,6 +66,7 @@ #include #include #include +#include #include #include #include 
@@ -150,9 +151,42 @@ ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; +static __inline int ether_addr_allow(ipfw_ether_addr *want, + ipfw_ether_addr *a) +{ + static ipfw_ether_addr mask = { + .octet = { 0xff, 0xff, 0xff, 0xff, 0xff,0xff }, + .flags = 0 + }; + if ((want->flags & IPFW_EA_CHECK) == 0) + return (1); + + if ((a->flags & IPFW_EA_CHECK) == 0) + return (0); + + if (want->flags & IPFW_EA_MULTICAST) { + return (ETHER_IS_MULTICAST(a->octet)); + } + +#define EA_CMP(a) (*((u_int64_t*)(a)) & *((u_int64_t*)&mask)) + return (EA_CMP(want) == EA_CMP(a)); +#undef EA_CMP +} + +static __inline int ether_addr_allow_dyn(ipfw_ether_addr *want, ipfw_ether_addr *a) +{ + if ((a->flags & IPFW_EA_CHECK) == 0) { + if (want->flags & IPFW_EA_CHECK) + printf("ipfw: no tag: %6D (want %6D)\n", a->octet, ":", want->octet, ":"); + return (1); + } + return (ether_addr_allow(want, a)); +} + struct table_entry { struct radix_node rn[2]; struct sockaddr_in addr, mask; + ipfw_ether_addr ether_addr; u_int32_t value; }; @@ -720,18 +754,6 @@ */ tcp_respond(NULL, ip6, tcp, m, ack, seq, flags); } else if (code != ICMP6_UNREACH_RST) { /* Send an ICMPv6 unreach. */ -#if 0 - /* - * Unlike above, the mbufs need to line up with the ip6 hdr, - * as the contents are read. We need to m_adj() the - * needed amount. - * The mbuf will however be thrown away so we can adjust it. - * Remember we did an m_pullup on it already so we - * can make some assumptions about contiguousness. - */ - if (args->L3offset) - m_adj(m, args->L3offset); -#endif icmp6_error(m, ICMP6_DST_UNREACH, code, 0); } else m_freem(m); @@ -755,7 +777,6 @@ struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg, struct ip *ip) { - struct ether_header *eh = args->eh; char *action; int limit_reached = 0; char action2[40], proto[128], fragment[32]; @@ -882,7 +903,7 @@ } if (hlen == 0) { /* non-ip */ - snprintf(SNPARGS(proto, 0), "MAC"); + snprintf(SNPARGS(proto, 0), "ether"); } else { int len; 
@@ -984,13 +1005,8 @@ #endif { int ip_off, ip_len; - if (eh != NULL) { /* layer 2 packets are as on the wire */ - ip_off = ntohs(ip->ip_off); - ip_len = ntohs(ip->ip_len); - } else { - ip_off = ip->ip_off; - ip_len = ip->ip_len; - } + ip_off = ip->ip_off; + ip_len = ip->ip_len; if (ip_off & (IP_MF | IP_OFFMASK)) snprintf(SNPARGS(fragment, 0), " (frag %d:%d@%d%s)", @@ -1214,7 +1230,23 @@ if (q == NULL) goto done; /* q = NULL, not found */ - if ( prev != NULL) { /* found and not in front */ + /* + * Only check {src,dst}_ether if it was specified in rule and packet + * mbuf has mtag_ether_header. + */ + if (dir == MATCH_NONE || + !ether_addr_allow_dyn(&q->id.src_ether, + (dir == MATCH_FORWARD ? &pkt->src_ether : &pkt->dst_ether)) || + !ether_addr_allow_dyn(&q->id.dst_ether, + (dir == MATCH_FORWARD ? &pkt->dst_ether : &pkt->src_ether))) { + printf("XXX IPFW DYN RULE: dropped by mac: %6D -> %6D\n", + &pkt->src_ether.octet, ":", &pkt->dst_ether.octet, ":"); + q = NULL; + dir = MATCH_NONE; + goto done; + } + + if (prev != NULL) { /* found and not in front */ prev->next = q->next; q->next = V_ipfw_dyn_v[i]; V_ipfw_dyn_v[i] = q; @@ -1339,7 +1371,7 @@ * - "parent" rules for the above (O_LIMIT_PARENT). */ static ipfw_dyn_rule * -add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule) +add_dyn_rule(struct ipfw_flow_id *id, u_int8_t dyn_type, struct ip_fw *rule, uint32_t stateopts) { ipfw_dyn_rule *r; int i; @@ -1371,6 +1403,10 @@ } r->id = *id; + if ((stateopts & IP_FW_STATEOPT_ETHER) == 0) { + r->id.src_ether.flags = 0; + r->id.dst_ether.flags = 0; + } r->expire = time_uptime + V_dyn_syn_lifetime; r->rule = rule; r->dyn_type = dyn_type; @@ -1394,7 +1430,7 @@ * If the lookup fails, then install one. */ static ipfw_dyn_rule * -lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule) +lookup_dyn_parent(struct ipfw_flow_id *pkt, struct ip_fw *rule, uint32_t stateopts) { ipfw_dyn_rule *q; int i; 
@@ -1426,7 +1462,7 @@ return q; } } - return add_dyn_rule(pkt, O_LIMIT_PARENT, rule); + return add_dyn_rule(pkt, O_LIMIT_PARENT, rule, stateopts); } /** @@ -1436,7 +1472,7 @@ * session limitations are enforced. */ static int -install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, +install_state(struct ip_fw *rule, uint32_t stateopts, ipfw_insn_limit *cmd, struct ip_fw_args *args, uint32_t tablearg) { static int last_log; @@ -1483,7 +1519,7 @@ switch (cmd->o.opcode) { case O_KEEP_STATE: /* bidir rule */ - add_dyn_rule(&args->f_id, O_KEEP_STATE, rule); + add_dyn_rule(&args->f_id, O_KEEP_STATE, rule, stateopts); break; case O_LIMIT: { /* limit number of sessions */ @@ -1524,7 +1560,7 @@ id.src_port = args->f_id.src_port; if (limit_mask & DYN_DST_PORT) id.dst_port = args->f_id.dst_port; - if ((parent = lookup_dyn_parent(&id, rule)) == NULL) { + if ((parent = lookup_dyn_parent(&id, rule, stateopts)) == NULL) { printf("ipfw: %s: add parent failed\n", __func__); IPFW_DYN_UNLOCK(); return (1); @@ -1571,7 +1607,7 @@ return (1); } } - add_dyn_rule(&args->f_id, O_LIMIT, (struct ip_fw *)parent); + add_dyn_rule(&args->f_id, O_LIMIT, (struct ip_fw *)parent, stateopts); break; } default: @@ -1690,22 +1726,7 @@ send_reject(struct ip_fw_args *args, int code, int ip_len, struct ip *ip) { -#if 0 - /* XXX When ip is not guaranteed to be at mtod() we will - * need to account for this */ - * The mbuf will however be thrown away so we can adjust it. - * Remember we did an m_pullup on it already so we - * can make some assumptions about contiguousness. - */ - if (args->L3offset) - m_adj(m, args->L3offset); -#endif if (code != ICMP_REJECT_RST) { /* Send an ICMP unreach */ - /* We need the IP header in host order for icmp_error(). */ - if (args->eh != NULL) { - ip->ip_len = ntohs(ip->ip_len); - ip->ip_off = ntohs(ip->ip_off); - } icmp_error(args->m, ICMP_UNREACH, code, 0L, 0); } else if (args->f_id.proto == IPPROTO_TCP) { struct tcphdr *const tcp = 
@@ -1774,7 +1795,7 @@ static int add_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr, - uint8_t mlen, uint32_t value) + uint8_t mlen, ipfw_ether_addr *ether_addr, uint32_t value) { struct radix_node_head *rnh; struct table_entry *ent; @@ -1789,6 +1810,7 @@ ent->addr.sin_len = ent->mask.sin_len = 8; ent->mask.sin_addr.s_addr = htonl(mlen ? ~((1 << (32 - mlen)) - 1) : 0); ent->addr.sin_addr.s_addr = addr & ent->mask.sin_addr.s_addr; + ent->ether_addr = *ether_addr; IPFW_WLOCK(&V_layer3_chain); if (rnh->rnh_addaddr(&ent->addr, &ent->mask, rnh, (void *)ent) == NULL) { @@ -1883,7 +1905,7 @@ static int lookup_table(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr, - uint32_t *val) + ipfw_ether_addr *ea, uint32_t *val) { struct radix_node_head *rnh; struct table_entry *ent; @@ -1896,6 +1918,9 @@ sa.sin_addr.s_addr = addr; ent = (struct table_entry *)(rnh->rnh_lookup(&sa, NULL, rnh)); if (ent != NULL) { + if (ea && !ether_addr_allow(&ent->ether_addr, ea)) + return (0); + /* use address to create dynamic rule */ *val = ent->value; return (1); } @@ -1940,6 +1965,7 @@ else ent->masklen = 33 - ffs(ntohl(n->mask.sin_addr.s_addr)); ent->addr = n->addr.sin_addr.s_addr; + ent->ether_addr = n->ether_addr; ent->value = n->value; tbl->cnt++; return (0); @@ -2068,10 +2094,9 @@ * Parameters: * * args->m (in/out) The packet; we set to NULL when/if we nuke it. - * Starts with the IP header. - * args->eh (in) Mac header if present, or NULL for layer3 packet. - * args->L3offset Number of bytes bypassed if we came from L2. - * e.g. often sizeof(eh) ** NOTYET ** + * Starts with the IP header or with layer2 header if IP_FW_ARGS_LAYER2 + * is set in args->flags. + * args->eh (in) ethernet header if present, or NULL for layer3 packet. * args->oif Outgoing interface, or NULL if packet is incoming. * The incoming interface is in the mbuf. (in) * args->divert_rule (in/out) 
@@ -2082,6 +2107,7 @@ * args->next_hop Socket we are forwarding to (out). * args->f_id Addresses grabbed from the packet (out) * args->cookie a cookie depending on rule action + * args->flags Flags * * Return value: * @@ -2105,10 +2131,8 @@ * the implementation of the various instructions to make sure * that they still work. * - * args->eh The MAC header. It is non-null for a layer2 + * args->eh The ethernet header. It is non-null for a layer2 * packet, it is NULL for a layer-3 packet. - * **notyet** - * args->L3offset Offset in the packet to the L3 (IP or equiv.) header. * * m | args->m Pointer to the mbuf, as received from the caller. * It may change if ipfw_chk() does an m_pullup, or if it @@ -2116,12 +2140,10 @@ * XXX This has to change, so that ipfw_chk() never modifies * or consumes the buffer. * ip is the beginning of the ip(4 or 6) header. - * Calculated by adding the L3offset to the start of data. - * (Until we start using L3offset, the packet is * supposed to start with the ip header). */ struct mbuf *m = args->m; - struct ip *ip = mtod(m, struct ip *); + struct ip *ip = NULL; /* * For rules which contain uid/gid or jail constraints, cache @@ -2217,6 +2239,9 @@ if (m->m_flags & M_SKIP_FIREWALL) return (IP_FW_PASS); /* accept */ + if ((args->flags & IP_FW_ARGS_LAYER2) == 0) + ip = mtod(m, struct ip *); + pktlen = m->m_pkthdr.len; args->f_id.fib = M_GETFIB(m); /* note mbuf not altered) */ proto = args->f_id.proto = 0; /* mark f_id invalid */ 
@@ -2242,12 +2267,22 @@ /* * if we have an ether header, */ - if (args->eh) + if (args->eh != NULL) { etype = ntohs(args->eh->ether_type); + memcpy(args->f_id.src_ether.octet, args->eh->ether_shost, + ETHER_ADDR_LEN); + args->f_id.src_ether.flags = IPFW_EA_CHECK; + memcpy(args->f_id.dst_ether.octet, args->eh->ether_dhost, + ETHER_ADDR_LEN); + args->f_id.dst_ether.flags = IPFW_EA_CHECK; + } else { + args->f_id.src_ether.flags = 0; + args->f_id.dst_ether.flags = 0; + } /* Identify IP packets and fill up variables. */ if (pktlen >= sizeof(struct ip6_hdr) && - (args->eh == NULL || etype == ETHERTYPE_IPV6) && ip->ip_v == 6) { + (args->flags & IP_FW_ARGS_LAYER2) == 0 && ip->ip_v == 6) { struct ip6_hdr *ip6 = (struct ip6_hdr *)ip; is_ipv6 = 1; args->f_id.addr_type = 6; @@ -2412,7 +2447,7 @@ args->f_id.dst_ip = 0; args->f_id.flow_id6 = ntohl(ip6->ip6_flow); } else if (pktlen >= sizeof(struct ip) && - (args->eh == NULL || etype == ETHERTYPE_IP) && ip->ip_v == 4) { + (args->flags & IP_FW_ARGS_LAYER2) == 0 && ip->ip_v == 4) { is_ipv4 = 1; hlen = ip->ip_hl << 2; args->f_id.addr_type = 4; @@ -2423,13 +2458,8 @@ proto = ip->ip_p; src_ip = ip->ip_src; dst_ip = ip->ip_dst; - if (args->eh != NULL) { /* layer 2 packets are as on the wire */ - offset = ntohs(ip->ip_off) & IP_OFFMASK; - ip_len = ntohs(ip->ip_len); - } else { - offset = ip->ip_off & IP_OFFMASK; - ip_len = ip->ip_len; - } + offset = ip->ip_off & IP_OFFMASK; + ip_len = ip->ip_len; pktlen = ip_len < pktlen ? ip_len : pktlen; if (offset == 0) { @@ -2460,6 +2490,13 @@ ip = mtod(m, struct ip *); args->f_id.src_ip = ntohl(src_ip.s_addr); args->f_id.dst_ip = ntohl(dst_ip.s_addr); + } else if (pktlen >= ETHER_HDR_LEN && args->eh != NULL && + (args->flags & IP_FW_ARGS_LAYER2)) { + void *hdr; + switch (ntohs(args->eh->ether_type)) { + case ETHERTYPE_ARP: + PULLUP_TO(ETHER_HDR_LEN, hdr, struct arphdr); + } } #undef PULLUP_TO if (proto) { /* we may have port numbers, store them */ 
@@ -2495,7 +2532,7 @@ int skipto = mtag ? divert_cookie(mtag) : 0; f = chain->rules; - if (args->eh == NULL && skipto != 0) { + if ((args->flags & IP_FW_ARGS_LAYER2) == 0 && skipto != 0) { if (skipto >= IPFW_DEFAULT_RULE) { IPFW_RUNLOCK(chain); return (IP_FW_DENY); /* invalid */ @@ -2521,6 +2558,7 @@ for (; f; f = f->next) { ipfw_insn *cmd; uint32_t tablearg = 0; + uint32_t stateopts = 0; int l, cmdlen, skip_or; /* skip rest of OR block */ again: @@ -2566,11 +2604,6 @@ match = 1; break; - case O_FORWARD_MAC: - printf("ipfw: opcode %d unimplemented\n", - cmd->opcode); - break; - case O_GID: case O_UID: case O_JAIL: @@ -2607,23 +2640,20 @@ m->m_pkthdr.rcvif, (ipfw_insn_if *)cmd); break; - case O_MACADDR2: - if (args->eh != NULL) { /* have MAC header */ - u_int32_t *want = (u_int32_t *) - ((ipfw_insn_mac *)cmd)->addr; - u_int32_t *mask = (u_int32_t *) - ((ipfw_insn_mac *)cmd)->mask; - u_int32_t *hdr = (u_int32_t *)args->eh; - - match = - ( want[0] == (hdr[0] & mask[0]) && - want[1] == (hdr[1] & mask[1]) && - want[2] == (hdr[2] & mask[2]) ); + case O_ETHER_SRC: + case O_ETHER_DST: + if (args->eh != NULL) { /* have ethernet header */ + ipfw_ether_addr *want = + &(((ipfw_insn_ether *)cmd)->ether); + ipfw_ether_addr *a = (cmd->opcode == O_ETHER_SRC ? + &args->f_id.src_ether : + &args->f_id.dst_ether); + match = ether_addr_allow(want, a); } break; - case O_MAC_TYPE: - if (args->eh != NULL) { + case O_ETHER_TYPE: + if (args->eh != NULL) { /* have ethernet header */ u_int16_t *p = ((ipfw_insn_u16 *)cmd)->ports; int i; @@ -2644,7 +2674,7 @@ break; case O_LAYER2: - match = (args->eh != NULL); + match = ((args->flags & IP_FW_ARGS_LAYER2) != 0); break; case O_DIVERTED: 
@@ -2671,13 +2701,17 @@ case O_IP_SRC_LOOKUP: case O_IP_DST_LOOKUP: if (is_ipv4) { + ipfw_ether_addr *ea = + (cmd->opcode == O_IP_DST_LOOKUP ? + &args->f_id.dst_ether : + &args->f_id.src_ether); uint32_t a = (cmd->opcode == O_IP_DST_LOOKUP) ? dst_ip.s_addr : src_ip.s_addr; uint32_t v; match = lookup_table(chain, cmd->arg1, a, - &v); + ea, &v); if (!match) break; if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) 
@@ -3069,6 +3103,97 @@ match = 1; break; + case O_STATEOPTS: + if ((cmd->arg1 & IP_FW_STATEOPT_ETHER)) { + match = (args->eh != NULL); + if (!match) + break; + } + stateopts = cmd->arg1 & 0xff; + break; + + case O_ARP_OP: + case O_ARP_SRC_LOOKUP: + case O_ARP_DST_LOOKUP: + if (args->flags & IP_FW_ARGS_LAYER2 && + pktlen >= ETHER_HDR_LEN && args->eh != NULL) { + struct arphdr *ah; + int op; + + op = ntohs(args->eh->ether_type); + if (op != ETHERTYPE_ARP && op != ETHERTYPE_REVARP) + break; + + ah = (struct arphdr*)(mtod(m, char*) + ETHER_HDR_LEN); + op = ntohs(ah->ar_op); + + if (ntohs(ah->ar_pro) != ETHERTYPE_IP || + ntohs(ah->ar_hrd) != ARPHRD_ETHER) + break; + + if (cmd->opcode == O_ARP_OP) { + u_int16_t *p = + ((ipfw_insn_u16 *)cmd)->ports; + int i; + + for (i = cmdlen - 1; !match && i > 0; + i--, p += 2) + match = (op >= p[0] && + op <= p[1]); + } else { + ipfw_ether_addr ha; + uint32_t pa, v; + + /* + * XXX: Drop RARP requests + * Protocol addresses are undefined + * and table lookup by hardware address is not supported + */ + if (op == ARPOP_REVREQUEST) + break; + + if (cmd->opcode == O_ARP_DST_LOOKUP) { + /* + * XXX: Drop Inverse ARP requests + * Target protocol address is not specified + * and table lookup by hardware address is not supported + */ + if (op == ARPOP_INVREQUEST) + break; + pa = *(uint32_t *) ar_tpa(ah); + + /* + * Ignore hardware address for requests + */ + if (op != ARPOP_REQUEST) { + memcpy(ha.octet, ar_tha(ah), ETHER_ADDR_LEN); + ha.flags = IPFW_EA_CHECK; + } else { + ha.flags = 0; + } + } else { + pa = *(uint32_t *) ar_spa(ah); + memcpy(ha.octet, ar_sha(ah), ETHER_ADDR_LEN); + ha.flags = IPFW_EA_CHECK; + } + + match = lookup_table(chain, cmd->arg1, pa, + (ha.flags ? &ha : NULL), &v); + printf("ipfw: %s arp: %s: op = %d: %6D(%d) %s\n", + (match ? "pass" : "drop"), + cmd->opcode == O_ARP_DST_LOOKUP ? 
"dst" : "src", + op, ha.octet, ":", ha.flags, + inet_ntoa(*(struct in_addr *)&pa)); + if (!match) + break; + if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) + match = ((ipfw_insn_u32 *)cmd)->d[0] == v; + else + tablearg = v; + } + } + break; + case O_TAGGED: { uint32_t tag = (cmd->arg1 == IP_FW_TABLEARG) ? tablearg : cmd->arg1; @@ -3142,7 +3267,7 @@ */ case O_LIMIT: case O_KEEP_STATE: - if (install_state(f, + if (install_state(f, stateopts, (ipfw_insn_limit *)cmd, args, tablearg)) { retval = IP_FW_DENY; goto done; /* error/limit violation */ @@ -3207,7 +3332,7 @@ case O_TEE: { struct divert_tag *dt; - if (args->eh) /* not on layer 2 */ + if (args->flags & IP_FW_ARGS_LAYER2) /* not valid on layer2 pkts */ break; mtag = m_tag_get(PACKET_TAG_DIVERT, sizeof(struct divert_tag), @@ -3283,7 +3408,7 @@ case O_FORWARD_IP: { struct sockaddr_in *sa; sa = &(((ipfw_insn_sa *)cmd)->sa); - if (args->eh) /* not valid on layer2 pkts */ + if (args->flags & IP_FW_ARGS_LAYER2) /* not valid on layer2 pkts */ break; if (!q || dyn_dir == MATCH_FORWARD) { if (sa->sin_addr.s_addr == INADDR_ANY) { @@ -3826,6 +3951,7 @@ #endif case O_IP4: case O_TAG: + case O_STATEOPTS: if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size; break; @@ -3898,6 +4024,8 @@ case O_IP_SRC_LOOKUP: case O_IP_DST_LOOKUP: + case O_ARP_SRC_LOOKUP: + case O_ARP_DST_LOOKUP: if (cmd->arg1 >= IPFW_TABLES_MAX) { printf("ipfw: invalid table number %d\n", cmd->arg1); @@ -3908,8 +4036,9 @@ goto bad_size; break; - case O_MACADDR2: - if (cmdlen != F_INSN_SIZE(ipfw_insn_mac)) + case O_ETHER_SRC: + case O_ETHER_DST: + if (cmdlen != F_INSN_SIZE(ipfw_insn_ether)) goto bad_size; break; @@ -3923,9 +4052,10 @@ goto bad_size; break; - case O_MAC_TYPE: case O_IP_SRCPORT: case O_IP_DSTPORT: /* XXX artificial limit, 30 port pairs */ + case O_ETHER_TYPE: + case O_ARP_OP: if (cmdlen < 2 || cmdlen > 31) goto bad_size; break; 
@@ -3975,7 +4105,6 @@ if (cmdlen != F_INSN_SIZE(ipfw_insn_nat)) goto bad_size; goto check_action; - case O_FORWARD_MAC: /* XXX not implemented yet */ case O_CHECK_STATE: case O_COUNT: case O_ACCEPT: @@ -4292,7 +4421,7 @@ if (error) break; error = add_table_entry(&V_layer3_chain, ent.tbl, - ent.addr, ent.masklen, ent.value); + ent.addr, ent.masklen, &ent.ether_addr, ent.value); } break; diff -urN -x .hg -x .svn ../my/sys/netinet/ip_fw_pfil.c ./sys/netinet/ip_fw_pfil.c --- ../my/sys/netinet/ip_fw_pfil.c 2008-09-07 19:15:20.000000000 +0300 +++ ./sys/netinet/ip_fw_pfil.c 2008-09-07 22:24:44.000000000 +0300 @@ -50,6 +50,7 @@ #include #include +#include #include #include @@ -61,6 +62,7 @@ #include #include #include +#include #include @@ -93,6 +95,7 @@ { struct ip_fw_args args; struct ng_ipfw_tag *ng_tag; + struct m_tag *tag_ether_hdr; struct m_tag *dn_tag; int ipfw = 0; int divert; @@ -114,6 +117,11 @@ m_tag_delete(*m0, (struct m_tag *)ng_tag); } + tag_ether_hdr = m_tag_locate(*m0, MTAG_ETHER, MTAG_ETHER_HEADER, + NULL); + if (tag_ether_hdr != NULL) + args.eh = (struct ether_header *)(tag_ether_hdr + 1); + again: dn_tag = m_tag_find(*m0, PACKET_TAG_DUMMYNET, NULL); if (dn_tag != NULL){ @@ -215,6 +223,7 @@ { struct ip_fw_args args; struct ng_ipfw_tag *ng_tag; + struct m_tag *tag_ether_hdr; struct m_tag *dn_tag; int ipfw = 0; int divert; @@ -236,6 +245,11 @@ m_tag_delete(*m0, (struct m_tag *)ng_tag); } + tag_ether_hdr = m_tag_locate(*m0, MTAG_ETHER, MTAG_ETHER_HEADER, + NULL); + if (tag_ether_hdr != NULL) + args.eh = (struct ether_header *)(tag_ether_hdr + 1); + again: dn_tag = m_tag_find(*m0, PACKET_TAG_DUMMYNET, NULL); if (dn_tag != NULL) { 
@@ -422,17 +436,126 @@ return 1; } +int +ipfw_ether_check_in(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, + struct inpcb *inp) +{ + struct ip_fw_args args; + int error; + + KASSERT(dir == PFIL_IN, ("ipfw_ether_check_in wrong direction!")); + + bzero(&args, sizeof(args)); + + args.rule = ip_dn_claim_rule(*m0); + if (args.rule != NULL && fw_one_pass) + return 0; /* packet already partially processed */ + + args.m = *m0; + args.flags = IP_FW_ARGS_LAYER2; + args.eh = mtod(*m0, struct ether_header *); + args.inp = inp; + error = ip_fw_chk_ptr(&args); + *m0 = args.m; +#ifdef XXXGK + printf("IN %6D -> %6D: %s\n", + args.eh->ether_shost, ":", + args.eh->ether_dhost, ":", + (error == IP_FW_PASS ? "passed" : "droped")); +#endif + + if (error == IP_FW_PASS) + return 0; + + if (DUMMYNET_LOADED && (error == IP_FW_DUMMYNET)) { + ip_dn_io_ptr(m0, DN_TO_ETH_DEMUX, &args); + return 0; + } + + /* + * XXX at some point add support for divert/forward actions. + * If none of the above matches, we have to drop the pkt. + */ + + if (*m0) + m_freem(*m0); + *m0 = NULL; + return (EACCES); +} + +int +ipfw_ether_check_out(void *arg, struct mbuf **m0, struct ifnet *ifp, int dir, + struct inpcb *inp) +{ + struct ip_fw_args args; + int error; + + KASSERT(dir == PFIL_OUT, ("ipfw_ether_check_out wrong direction!")); + + bzero(&args, sizeof(args)); + + args.rule = ip_dn_claim_rule(*m0); + if (args.rule != NULL && fw_one_pass) + return 0; /* packet already partially processed */ + + args.m = *m0; + args.oif = ifp; + args.flags = IP_FW_ARGS_LAYER2; + args.eh = mtod(*m0, struct ether_header *); + args.inp = inp; + error = ip_fw_chk_ptr(&args); + *m0 = args.m; +#ifdef XXXGK + printf("OUT %6D -> %6D: %s\n", + args.eh->ether_shost, ":", + args.eh->ether_dhost, ":", + (error == IP_FW_PASS ? 
"passed" : "droped")); +#endif + + if (error == IP_FW_PASS) + return 0; + + if (DUMMYNET_LOADED && (error == IP_FW_DUMMYNET)) { + int dn_dir; + + if (ifp->if_type == IFT_BRIDGE) + dn_dir = DN_TO_IFB_FWD; + else + dn_dir = DN_TO_ETH_OUT; + ip_dn_io_ptr(m0, dn_dir, &args); + return 0; + } + + /* + * XXX at some point add support for divert/forward actions. + * If none of the above matches, we have to drop the pkt. + */ + + if (*m0) + m_freem(*m0); + *m0 = NULL; + return (EACCES); +} + static int ipfw_hook(void) { - struct pfil_head *pfh_inet; + struct pfil_head *pfh_inet, *pfh_ether; pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); - if (pfh_inet == NULL) - return ENOENT; + if (pfh_inet != NULL) { + pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); + pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); + } - pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); - pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); + pfh_ether = pfil_head_get(PFIL_TYPE_IFT, IFT_ETHER); + if (pfh_ether != NULL) { + pfil_add_hook(ipfw_ether_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_ether); + pfil_add_hook(ipfw_ether_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_ether); + } + + if (pfh_inet == NULL || pfh_ether == NULL) + return ENOENT; return 0; } 
@@ -440,14 +563,22 @@ static int ipfw_unhook(void) { - struct pfil_head *pfh_inet; + struct pfil_head *pfh_inet, *pfh_ether; pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); - if (pfh_inet == NULL) - return ENOENT; + if (pfh_inet != NULL) { + pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); + pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); + } + + pfh_ether = pfil_head_get(PFIL_TYPE_IFT, IFT_ETHER); + if (pfh_ether != NULL) { + pfil_remove_hook(ipfw_ether_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_ether); + pfil_remove_hook(ipfw_ether_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_ether); + } - pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); - pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); + if (pfh_inet == NULL || pfh_ether == NULL) + return ENOENT; return 0; } --4Ckj6UjgE2iN1+kY-- From owner-freebsd-net@FreeBSD.ORG Mon Sep 8 20:13:37 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 988B61065687 for ; Mon, 8 Sep 2008 20:13:37 +0000 (UTC) (envelope-from max@love2party.net) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.183]) by mx1.freebsd.org (Postfix) with ESMTP id 2DDC38FC1E for ; Mon, 8 Sep 2008 20:13:36 +0000 (UTC) (envelope-from max@love2party.net) Received: from vampire.homelinux.org (dslb-088-064-189-243.pools.arcor-ip.net [88.64.189.243]) by mrelayeu.kundenserver.de (node=mrelayeu7) with ESMTP (Nemesis) id 0ML2xA-1Kcn792RSi-0002cq; Mon, 08 Sep 2008 22:13:35 +0200 Received: (qmail 31529 invoked from network); 8 Sep 2008 20:13:35 -0000 Received: from fbsd8.laiers.local (192.168.4.151) by laiers.local with SMTP; 8 Sep 2008 20:13:35 -0000 
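Review bot: In ether_addr_allow() (ip_fw2.c, hunk @@ -150,9 +151,42 @@), EA_CMP dereferences both ipfw_ether_addr pointers as u_int64_t, so the comparison is only correct if the structure is exactly 8 bytes and suitably aligned, and nothing in the lines shown guarantees either. The new `ipfw_ether_addr ether_addr` member of struct table_entry follows two struct sockaddr_in, and the ARP code builds one on the stack. On strict-alignment platforms this can be an unaligned 64-bit load, and it type-puns through an incompatible pointer. Comparing the octets directly, for example `return (bcmp(want->octet, a->octet, ETHER_ADDR_LEN) == 0);`, gives the same answer without the static mask and without depending on layout. The macro parameter `a` also shadows the function argument `a`, which makes the expansion hard to read.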
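Review bot: The MAC check added to the dynamic-rule lookup (ip_fw2.c, hunk @@ -1214,7 +1230,23 @@) calls printf("XXX IPFW DYN RULE: dropped by mac ...") unconditionally for every mismatching packet, and ether_addr_allow_dyn() does the same with "ipfw: no tag" for every untagged packet. Both sit in the per-packet path and their rate is set by whoever sends the traffic, so they should be removed or rate-limited before commit. This printf also passes `&pkt->src_ether.octet` where the helper passes `a->octet` to the same %6D format; use one form. The comment says the check applies only when the mbuf carries the ether tag, which means a state created with the ether option still matches packets that reach ipfw without a tag; that fail-open behaviour should be stated in the user documentation, or ether_addr_allow_dyn() should return 0 when the state has IPFW_EA_CHECK set and the packet does not.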
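Review bot: The new layer-2 branch in ipfw_chk() (ip_fw2.c, hunk @@ -2460,6 +2490,13 @@) invokes PULLUP_TO only for ETHERTYPE_ARP and only with struct arphdr as the type, while the O_ARP_* opcodes added later also accept ETHERTYPE_REVARP and read the sender and target addresses that follow the fixed header. Add `case ETHERTYPE_REVARP:` here, cover the full Ethernet/IPv4 ARP payload rather than just the fixed header, and close the case with `break;` plus a `default:` so the switch does not fall off the end silently. `hdr` is assigned and then never used in the lines shown; either drop it or have the O_ARP_* code use it instead of recomputing the pointer from mtod().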
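Review bot: The O_ARP_OP / O_ARP_SRC_LOOKUP / O_ARP_DST_LOOKUP case (ip_fw2.c, hunk @@ -3069,6 +3103,97 @@) checks only pktlen >= ETHER_HDR_LEN before reading ah->ar_op, ar_sha(), ar_spa(), ar_tha() and ar_tpa(), and it validates ar_hrd and ar_pro but never ar_hln or ar_pln, on which those accessor macros depend. A truncated frame, or one with unexpected address lengths, makes the memcpy() calls and the `*(uint32_t *)` loads read outside the ARP payload. Require ar_hln == ETHER_ADDR_LEN, ar_pln == sizeof(struct in_addr) and a length that covers the header plus both address pairs before touching them, and copy the protocol address with memcpy() because it is not guaranteed to be 4-byte aligned. The printf("ipfw: %s arp: ...") after lookup_table() runs for every ARP lookup and should be removed or rate-limited.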
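Review bot: In ipfw_hook() (ip_fw_pfil.c, hunk @@ -422,17 +436,126 @@) the function now installs whichever hooks it can and only then returns ENOENT if either head was missing, so a failure return can leave the AF_INET hooks registered; the old code returned before adding anything. Look up both heads first and return before any pfil_add_hook(), or remove the hooks already added on the error path; ipfw_unhook() in the following hunk has the same shape and reports ENOENT after removing one pair. In the two new ether handlers, `args.eh = mtod(*m0, struct ether_header *)` is taken without checking that the first mbuf holds ETHER_HDR_LEN bytes, and the debug strings spell "dropped" as "droped".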
From: Max Laier
Organization: FreeBSD
To: freebsd-net@freebsd.org, Brooks Davis
Cc: Gleb Kurtsou, Andrew Thompson
Date: Mon, 8 Sep 2008 22:13:34 +0200
Subject: Re: [patch] gsoc project: improving layer2 filtering
Message-Id: <200809082213.34703.max@love2party.net>
In-Reply-To: <20080908193020.GA37900@rybacik>
References: <20080908193020.GA37900@rybacik>

On Monday 08 September 2008 21:30:21 Gleb Kurtsou wrote:
> [Max Laier and Brooks Davis CCed as suggested by Andrew Thompson]
>
> This summer I was working on improving layer2 filtering (my mentor is
> Andrew Thompson) as a google summer of code project. The project was
> successfully completed.

Wow! That's one large diff ... unfortunately I don't have much time right
now. I'll try to look at the pf changes one of these days, but please
re-ping if I don't get to it in a timely manner.

For the moment all I can say is that your work is very appreciated and
that - from a quick glance - it looks like this could be ready(-ish) for
inclusion. In any case we should get the releases out the door before
dropping this in current.

Again, thanks for your work ... I'll look at it as I find time.

> I'd like to ask for a public review of the patch attached.
> To apply patch (against -CURRENT):
> cd /usr/src; patch -p0 < gk_l2filter.patch
>
> Note, that the patch is not so clean: style(9) issues, stale comments,
> some inaccurate variable names, etc.
> But it should be just fine for a
> general review. I'd like to continue working further to improve it, if
> community is interested and if there is possibility for it to get
> committed. I would appreciate any comments and suggestions.
>
> Some additional details and examples of new functionality can be found on
> my blog: http://blogs.freebsdish.org/gleb/
>
> Project's perforce repository:
> http://perforce.freebsd.org/changeList.cgi?CMD=changes&FSPC=//depot/projects/soc2008/gk%5fl2filter/...
>
> To sum it up, following project goals were achieved (old todo list):
>
> general:
> * Implement pfil hooks for filtering ethernet packets
> * Add mtag containing source and destination layer2 addresses to
>   every mbuf
> * Add per interface flags: l2filter, l2tag
>
> ipfw:
> * Update ipfw layer2 not to touch ip headers, but to use mentioned
>   mtags to do MAC-IP filtering
> * Add src-ether and dst-ether ipfw options
> * Support mac addresses in ipfw lookup tables
> * Stateful filtering by mac addresses
> * Implement ARP filtering options
> * Update documentation
>
> pf:
> * Add stateful filtering against mac addresses. Make it part of
>   present layer3 stateful filtering.
> * Extend pf's tables facility to contain layer2 address apart with
>   layer3 address.
> * Support in userspace (pf.conf, pfctl).
> * Update documentation

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

From owner-freebsd-net@FreeBSD.ORG Tue Sep 9 11:25:53 2008
Date: Tue, 9 Sep 2008 14:25:41 +0300
From: "Onur Aslan"
To: freebsd-net@freebsd.org
Subject: Binary mod_php

Hi.

I am trying to install a web server to my FreeBSD 7.0-RELEASE. I don't
want to compile any packages. I installed apache22 and php5 with
pkg_add -r. But there is no mod_php for apache. How can I install
mod_php for current installed binary programs? Should I build php5
from /usr/ports?

Thanks.

From owner-freebsd-net@FreeBSD.ORG Tue Sep 9 12:53:51 2008
Date: Tue, 9 Sep 2008 08:53:49 -0400
From: Bill Moran
To: "Onur Aslan"
Cc: freebsd-net@freebsd.org
Subject: Re: Binary mod_php
Message-Id: <20080909085349.453d630b.wmoran@collaborativefusion.com>
Organization: Collaborative Fusion

In response to "Onur Aslan":
>
> I am trying to install a web server to my FreeBSD 7.0-RELEASE. I don't
> want to compile any packages. I installed apache22 and php5 with
> pkg_add -r. But there is no mod_php for apache. How can I install
> mod_php for current installed binary programs? Should I build php5
> from /usr/ports?

The port has the option to build PHP with the module or not, and I
believe the default is to _not_ build the Apache module. That would
seem to indicate that the packages generated by the build cluster will
be built without the Apache module.

Anyway, I would suggest building PHP from ports. Do a "make config"
first and ensure the apache module is selected.

-- 
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/

wmoran@collaborativefusion.com
Phone: 412-422-3463x4023

From owner-freebsd-net@FreeBSD.ORG Tue Sep 9 15:39:09 2008
Message-ID: <9a542da30809090839g4e37c3ddt6b5217a7ec180ebe@mail.gmail.com>
Date: Tue, 9 Sep 2008 17:39:08 +0200
From: "Ermal Luçi"
To: "Gleb Kurtsou"
Cc: freebsd-net@freebsd.org, Max Laier, Brooks Davis, Andrew Thompson
Subject: Re: [patch] gsoc project: improving layer2 filtering
In-Reply-To: <20080908193020.GA37900@rybacik>
References: <20080908193020.GA37900@rybacik>

On Mon, Sep 8, 2008 at 9:30 PM, Gleb Kurtsou wrote:
> [Max Laier and Brooks Davis CCed as suggested by Andrew Thompson]
>
> This summer I was working on improving layer2 filtering (my mentor is
> Andrew Thompson) as a google summer of code project. The project was
> successfully completed.
>
> I'd like to ask for a public review of the patch attached.
> To apply patch (against -CURRENT):
> cd /usr/src; patch -p0 < gk_l2filter.patch
>
> Note, that the patch is not so clean: style(9) issues, stale comments,
> some inaccurate variable names, etc. But it should be just fine for a
> general review. I'd like to continue working further to improve it, if
> community is interested and if there is possibility for it to get
> committed. I would appreciate any comments and suggestions.
>
> Some additional details and examples of new functionality can be found on
> my blog: http://blogs.freebsdish.org/gleb/
>
> Project's perforce repository: http://perforce.freebsd.org/changeList.cgi?CMD=changes&FSPC=//depot/projects/soc2008/gk%5fl2filter/...
>
> To sum it up, following project goals were achieved (old todo list):
>
> general:
> * Implement pfil hooks for filtering ethernet packets
> * Add mtag containing source and destination layer2 addresses to
>   every mbuf
> * Add per interface flags: l2filter, l2tag
>
> ipfw:
> * Update ipfw layer2 not to touch ip headers, but to use mentioned
>   mtags to do MAC-IP filtering
> * Add src-ether and dst-ether ipfw options
> * Support mac addresses in ipfw lookup tables
> * Stateful filtering by mac addresses
> * Implement ARP filtering options
> * Update documentation
>
> pf:
> * Add stateful filtering against mac addresses. Make it part of
>   present layer3 stateful filtering.
> * Extend pf's tables facility to contain layer2 address apart with
>   layer3 address.
> * Support in userspace (pf.conf, pfctl).
> * Update documentation
>

Have you done any measurement on the overhead of this?
Adding tags to every packet passing might buy some overhead taking in
consideration that pf(4) already does this means double overhead for
each packet is it worth unifying these tags for filter case?!

How about adding to the tags even some other parameters like vlan or COS
value when present so one can do some tricks on vlan case or at least
shape on COS value?

Otherwise patch seems ok at first glance and am going to try out soon.
--
Ermal

From owner-freebsd-net@FreeBSD.ORG Tue Sep 9 16:02:38 2008
Message-ID: <5d86fd060809090846t464ac0f5v8761fe32c0bf3fde@mail.gmail.com>
Date: Tue, 9 Sep 2008 17:46:21 +0200
From: "zvonimir krile"
To: freebsd-net@freebsd.org
Subject: ip forging

I was wondering if anyone can help me find an application for freebsd
that allows me to forge ip packets in whole (header and the data) so that
I can inject them later. I actually want to forge OSPF packets as an attack
scenario on a network and cannot seem to find anything that would do the
trick.

Thanks in advance
zk

From owner-freebsd-net@FreeBSD.ORG Tue Sep 9 16:25:24 2008
Date: Tue, 9 Sep 2008 17:24:34 +0100
From: Rui Paulo
To: Vladimir Grebenschikov
Message-ID: <20080909162433.GB35538@alpha.local>
References: <200808280023.m7S0NN0B078088@repoman.freebsd.org> <1220382480.2493.5.camel@localhost> <20080903165230.GA31289@alpha.local> <1220883546.4169.13.camel@localhost>
In-Reply-To: <1220883546.4169.13.camel@localhost>
Cc: freebsd-net@FreeBSD.org, Rui Paulo
Subject: Re: cvs commit: src/sys/contrib/dev/ath COPYRIGHT README ah.h ah_desc.h ah_devid.h ah_soc.h version.h src/sys/contrib/dev/ath/public alpha-elf.hal.o.uu alpha-elf.inc alpha-elf.opt_ah.h ap30.hal.o.uu ap30.inc ap43.hal.o.uu ap43.inc ...

On Mon, Sep 08, 2008 at 06:19:06PM +0400, Vladimir Grebenschikov wrote:
> On Wed, 2008-09-03 at 17:52 +0100, Rui Paulo wrote:
> > On Tue, Sep 02, 2008 at 11:08:00PM +0400, Vladimir Grebenschikov wrote:
> > > ? Thu, 28/08/2008 ? 00:22 +0000, Rui Paulo ?????:
> > > > rpaulo 2008-08-28 00:22:59 UTC
> > >
> > >
> > > After that commit my wireless stop work:
> >
> > Can you tell us your ath mac+phy rev?
>
> ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413,
> RF5413)
> ath0: mem 0xedf00000-0xedf0ffff irq 17 at device 0.0 on
> pci3
> ath0: [ITHREAD]
> ath0: WARNING: using obsoleted if_watchdog interface
> ath0: mac 10.3 phy 6.1 radio 10.2

I have a 5212 too and the problem is now fixed in HEAD. Please update.
Thanks,
--
Rui Paulo

From owner-freebsd-net@FreeBSD.ORG Tue Sep 9 16:35:03 2008
Message-ID: <48C6A5B4.5080902@FreeBSD.org>
Date: Tue, 09 Sep 2008 17:35:00 +0100
From: "Bruce M. Simpson"
To: zvonimir krile
References: <5d86fd060809090846t464ac0f5v8761fe32c0bf3fde@mail.gmail.com>
In-Reply-To: <5d86fd060809090846t464ac0f5v8761fe32c0bf3fde@mail.gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: ip forging

zvonimir krile wrote:
> I actually want to forge OSPF packets as an attack scenario
> on a network and cannot seem to find anything that would do the trick.
>

Try pcs.sourceforge.net, you will have to add OSPF support yourself
though, I am sure your help there will be very welcome. I started on the
BGP packet formats but have far too much else to do to finish.
cheers
BMS

From owner-freebsd-net@FreeBSD.ORG Tue Sep 9 16:44:31 2008
Date: Tue, 9 Sep 2008 19:44:06 +0300
From: Gleb Kurtsou
To: Ermal Luçi
Message-ID: <20080909164406.GA32707@rybacik>
References: <20080908193020.GA37900@rybacik> <9a542da30809090839g4e37c3ddt6b5217a7ec180ebe@mail.gmail.com>
In-Reply-To: <9a542da30809090839g4e37c3ddt6b5217a7ec180ebe@mail.gmail.com>
Cc: freebsd-net@freebsd.org, Max Laier, Brooks Davis, Andrew Thompson
Subject: Re: [patch] gsoc project: improving layer2 filtering

On (09/09/2008 17:39), Ermal Luçi wrote:
> On Mon, Sep 8, 2008 at 9:30 PM, Gleb Kurtsou wrote:
> > This summer I was working on improving layer2 filtering (my mentor is
> > Andrew Thompson) as a google summer of code project. The project was
> > successfully completed.
[...]
> Have you done any measurement on the overhead of this?
> Adding tags to every packet passing might buy some overhead taking in
> consideration that pf(4) already does this means double overhead for
> each packet is it worth unifying these tags for filter case?!

No real numbers so far. I did some benchmarking on macfw mac-ip firewall
I've developed back in 2006 (should be in net@ archives). macfw itself
was too hackish and too simple and also allocated mtag for every packet.
I did the tests on pentium2 and pentium3 class machines with 64-256 mb of
ram used as routers in 700 host ethernet network. CPU never was a
bottleneck, but I've lost the results anyway.

And because of performance considerations l2tag interface flag was
added, so you mtags are allocated only for packets on desired interface.
Using mtag is the right way to do it, imho.

Considering unification, I think we are trying to solve not the reason
of the problem but its consequence -- mbuf allocation should be made
cheap, instead of unifying unrelated mtags. Optimization pf did some time
ago (not sure it's in FreeBSD tree), by adding pf fields into mbuf
header, is not a solution too, components become more tightly coupled.
In case there is an idea on how to speed up mtag allocation I'd like to
work on it.

> How about adding to the tags even some other parameters like vlan or
> COS value when present so one can do some tricks on vlan case or at
> least shape on COS value?
>
> Otherwise path seems ok at first glance and am going to try out soon.
>
> --
> Ermal

From owner-freebsd-net@FreeBSD.ORG Tue Sep 9 17:20:08 2008
Date: Tue, 9 Sep 2008 17:20:07 GMT
Message-Id: <200809091720.m89HK7cg091754@freefall.freebsd.org>
To: freebsd-net@FreeBSD.org
From: "Не Дамся"
Subject: Re: kern/127102: [wpi] Intel 3945ABG low throughput
Reply-To: Не Дамся

The following reply was made to PR kern/127102; it has been noted by GNATS.

From: "Не Дамся"
To: bug-followup@freebsd.org
Subject: Re: kern/127102: [wpi] Intel 3945ABG low throughput
Date: Tue, 9 Sep 2008 13:15:29 -0400

Curious discovery. Similar behavior (slow throughput) is experienced under Windows on battery power, but not on AC power. Under FreeBSD, the behavior is experienced under AC power or battery power.

From owner-freebsd-net@FreeBSD.ORG Tue Sep 9 22:00:19 2008
From: Giorgos Keramidas
To: Julian Elischer
In-Reply-To: <48C1BD31.6090804@elischer.org> (Julian Elischer's message of "Fri, 05 Sep 2008 16:13:53 -0700")
Date: Tue, 09 Sep 2008 21:38:13 +0300
Message-ID: <87y721go6i.fsf@kobe.laptop>
References: <48C19568.807@elischer.org> <48C1B774.2020405@elischer.org> <48C1B83C.9000404@elischer.org> <48C1BD31.6090804@elischer.org>
Cc: freebsd-net@freebsd.org
Subject: Re: rewrite of rt_check() (now rt_check_fib())

Hi Julian.

Has anyone else tested this patch? I'm going to have a bit of time to
try reproducing this again in the following days. Is this patch version
the last one you have written? Should I patch with this one and give it
a try?

FWIW, reading through this version of rt_check_fib() is nicer, and I
really liked the comment that explains how it works :-)

On Fri, 05 Sep 2008 16:13:53 -0700, Julian Elischer wrote:
> this time with less (I hope) bugs...
>
> new macros...
>
> #define RT_TEMP_UNLOCK(_rt) do { \
> 	RT_ADDREF(_rt); \
> 	RT_UNLOCK(_rt); \
> } while (0)
>
> #define RT_RELOCK(_rt) do { \
> 	RT_LOCK(_rt) \
> 	if ((_rt)->rt_refcnt <= 1) \
> 		rtfree(_rt); \
> 		_rt = 0; /* signal that it went away */ \
> 	else { \
> 		RT_REMREF(_rt); \
> 		/* note that _rt is still valid */ \
> 	} \
> } while (0)
>
>
> with (better) code attached:
>
> /*
>  * rt_check() is invoked on each layer 2 output path, prior to
>  * encapsulating outbound packets.
>  *
>  * The function is mostly used to find a routing entry for the gateway,
>  * which in some protocol families could also point to the link-level
>  * address for the gateway itself (the side effect of revalidating the
>  * route to the destination is rather pointless at this stage, we did it
>  * already a moment before in the pr_output() routine to locate the ifp
>  * and gateway to use).
>  *
>  * When we remove the layer-3 to layer-2 mapping tables from the
>  * routing table, this function can be removed.
>  *
>  * === On input ===
>  * *dst is the address of the NEXT HOP (which coincides with the
>  * final destination if directly reachable);
>  * *lrt0 points to the cached route to the final destination;
>  * *lrt is not meaningful;
>  * fibnum is the index to the correct network fib for this packet
>  * (*lrt0 has not ref held on it so REMREF is not needed )
>  *
>  * === Operation ===
>  * If the route is marked down try to find a new route. If the route
>  * to the gateway is gone, try to setup a new route. Otherwise,
>  * if the route is marked for packets to be rejected, enforce that.
>  * Note that rtalloc returns an rtentry with an extra REF that we need to lose.
>  *
>  * === On return ===
>  * *dst is unchanged;
>  * *lrt0 points to the (possibly new) route to the final destination
>  * *lrt points to the route to the next hop [LOCKED]
>  *
>  * Their values are meaningful ONLY if no error is returned.
>  *
>  * To follow this you have to remember that:
>  * RT_REMREF reduces the reference count by 1 but doesn't check it for 0 (!)
>  * RTFREE_LOCKED includes an RT_REMREF (or an rtfree if refs == 1)
>  * and an RT_UNLOCK
>  * RTFREE does an RT_LOCK and an RTFREE_LOCKED
>  * The gwroute pointer counts as a reference on the rtentry to which it points.
>  * so when we add it we use the ref that rtalloc gives us and when we lose it
>  * we need to remove the reference.
>  */
> int
> rt_check(struct rtentry **lrt, struct rtentry **lrt0, struct sockaddr *dst)
> {
> 	return (rt_check_fib(lrt, lrt0, dst, 0));
> }
>
> int
> rt_check_fib(struct rtentry **lrt, struct rtentry **lrt0, struct sockaddr *dst,
>     u_int fibnum)
> {
> 	struct rtentry *rt;
> 	struct rtentry *rt0;
> 	int error;
>
> 	KASSERT(*lrt0 != NULL, ("rt_check"));
> 	rt0 = *lrt0;
> 	rt = NULL;
>
> 	/* NB: the locking here is tortuous... */
> 	RT_LOCK(rt0);
> retry:
> 	if (rt0 && (rt0->rt_flags & RTF_UP) == 0) {
> 		/* Current rt0 is useless, try get a replacement. */
> 		RT_UNLOCK(rt0);
> 		rt0 = NULL;
> 	}
> 	if (rt0 == NULL) {
> 		rt0 = rtalloc1_fib(dst, 1, 0UL, fibnum);
> 		if (rt0 == NULL) {
> 			return (EHOSTUNREACH);
> 		}
> 		RT_REMREF(rt0); /* don't need the reference. */
> 	}
>
> 	if (rt0->rt_flags & RTF_GATEWAY) {
> 		if ((rt = rt0->rt_gwroute) != NULL) {
> 			RT_LOCK(rt); /* NB: gwroute */
> 			if ((rt->rt_flags & RTF_UP) == 0) {
> 				/* gw route is dud. ignore/lose it */
> 				RTFREE_LOCKED(rt); /* unref (&unlock) gwroute */
> 				rt = rt0->rt_gwroute = NULL;
> 			}
> 		}
>
> 		if (rt == NULL) { /* NOT AN ELSE CLAUSE */
> 			RT_TEMP_UNLOCK(rt0); /* MUST return to undo this */
> 			rt = rtalloc1_fib(rt0->rt_gateway, 1, 0UL, fibnum);
> 			if ((rt == rt0) || (rt == NULL)) {
> 				/* the best we can do is not good enough */
> 				if (rt) {
> 					RT_REMREF(rt); /* assumes ref > 0 */
> 					RT_UNLOCK(rt);
> 				}
> 				RT_FREE(rt0); /* lock, unref, (unlock) */
> 				return (ENETUNREACH);
> 			}
> 			/*
> 			 * Relock it and lose the added reference.
> 			 * All sorts of things could have happened while we
> 			 * had no lock on it, so check for them.
> 			 */
> 			RT_RELOCK(rt0);
> 			if (rt0 == NULL || ((rt0->rt_flags & RTF_UP) == 0))
> 				/* Ru-roh.. what we had is no longer any good */
> 				goto retry;
> 			/*
> 			 * While we were away, someone replaced the gateway.
> 			 * Since a reference count is involved we can't just
> 			 * overwrite it.
> 			 */
> 			if (rt0->rt_gwroute) {
> 				if (rt0->rt_gwroute != rt) {
> 					RT_FREE_LOCKED(rt);
> 					goto retry;
> 				}
> 			} else {
> 				rt0->rt_gwroute = rt;
> 			}
> 		}
> 		RT_LOCK_ASSERT(rt);
> 		RT_UNLOCK(rt0);
> 	} else {
> 		/* think of rt as having the lock from now on.. */
> 		rt = rt0;
> 	}
> 	/* XXX why are we inspecting rmx_expire? */
> 	if ((rt->rt_flags & RTF_REJECT) &&
> 	    (rt->rt_rmx.rmx_expire == 0 ||
> 	    time_uptime < rt->rt_rmx.rmx_expire)) {
> 		RT_UNLOCK(rt);
> 		return (rt == rt0 ? EHOSTDOWN : EHOSTUNREACH);
> 	}
>
> 	*lrt = rt;
> 	*lrt0 = rt0;
> 	return (0);
> }

From owner-freebsd-net@FreeBSD.ORG Tue Sep 9 23:50:54 2008
Message-ID: <48C70743.1020003@incunabulum.net>
Date: Wed, 10 Sep 2008 00:31:15 +0100
From: Bruce M Simpson
To: FreeBSD-Net mailing list
Subject: Problem with IFDATA_DRIVERNAME sysctl

Whenever I call this sysctl, I get an errno of EPROGNOTAVAIL from sysctl():

    name[0] = CTL_NET;
    name[1] = PF_LINK;
    name[2] = NETLINK_GENERIC;
    name[3] = IFMIB_IFDATA;
    name[4] = ifindex;
    name[5] = IFDATA_DRIVERNAME;
    len = IFNAMSIZ;
    if (sysctl(name, 6, dname, &len, NULL, 0) == -1) {
        warnc(EX_OSERR, "cannot obtain driver name for ifname %s",
            ifname);
        return (-1);
    }

The ifindex is valid. "dname" is a pointer to an IFNAMSIZ sized buffer.

This problem is happening on a 7.0-RELEASE system.

It looks like the switch..case in that path could be fubar'd by the
compiler as there are not break statements for each distinct case
label, could this be due to gcc friendly fire?
cheers
BMS

From owner-freebsd-net@FreeBSD.ORG Wed Sep 10 00:13:35 2008
Message-ID: <48C7112D.3070309@FreeBSD.org>
Date: Wed, 10 Sep 2008 01:13:33 +0100
From: "Bruce M. Simpson" User-Agent: Thunderbird 2.0.0.14 (X11/20080514) MIME-Version: 1.0 To: FreeBSD-Net mailing list References: <48C70743.1020003@incunabulum.net> In-Reply-To: <48C70743.1020003@incunabulum.net> X-Enigmail-Version: 0.95.6 Content-Type: multipart/mixed; boundary="------------040304080308020907030404" Subject: Re: Problem with IFDATA_DRIVERNAME sysctl X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Sep 2008 00:13:35 -0000 This is a multi-part message in MIME format. --------------040304080308020907030404 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Bruce M Simpson wrote: > > It looks like the switch..case in that path could be fubar'd by the > compiler as there are not break statements for each distinct case > label, could this be due to gcc friendly fire? Possibly false alarm or PEBKAC, I wasn't checking return values right in some of my code, although we should probably have "break" there anyway. Patch against RELENG_7_0. --------------040304080308020907030404 Content-Type: text/plain; name="if_mib.diff" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="if_mib.diff" --- if_mib.c.orig 2008-09-10 00:31:25.000000000 +0100 +++ if_mib.c 2008-09-10 00:32:15.000000000 +0100 @@ -90,6 +90,7 @@ switch(name[1]) { default: return ENOENT; + break; case IFDATA_GENERAL: bzero(&ifmd, sizeof(ifmd)); @@ -136,6 +137,7 @@ error = SYSCTL_IN(req, ifp->if_linkmib, ifp->if_linkmiblen); if (error) return error; + break; case IFDATA_DRIVERNAME: /* 20 is enough for 64bit ints */ 
@@ -152,6 +154,7 @@ error = EPERM; free(dbuf, M_TEMP); return (error); + break; } return 0; } --------------040304080308020907030404-- From owner-freebsd-net@FreeBSD.ORG Wed Sep 10 00:25:17 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A1ACB1065676 for ; Wed, 10 Sep 2008 00:25:17 +0000 (UTC) (envelope-from julian@elischer.org) Received: from outU.internet-mail-service.net (outu.internet-mail-service.net [216.240.47.244]) by mx1.freebsd.org (Postfix) with ESMTP id 8D8748FC18 for ; Wed, 10 Sep 2008 00:25:17 +0000 (UTC) (envelope-from julian@elischer.org) Received: from idiom.com (mx0.idiom.com [216.240.32.160]) by out.internet-mail-service.net (Postfix) with ESMTP id 67510246E; Tue, 9 Sep 2008 17:25:17 -0700 (PDT) Received: from julian-mac.elischer.org (localhost [127.0.0.1]) by idiom.com (Postfix) with ESMTP id A85A62D600F; Tue, 9 Sep 2008 17:25:16 -0700 (PDT) Message-ID: <48C713F9.7010500@elischer.org> Date: Tue, 09 Sep 2008 17:25:29 -0700 
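Review bot: in the if_mib.diff hunk at @@ -90,6 +90,7 @@, the added `break;` directly follows `return ENOENT;` under the `default:` label, so it can never execute and does not guard against any fall-through. Drop it, or state in the patch description that it is there purely for one-break-per-case style, so it is not mistaken for part of the fix.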
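Review bot: in the if_mib.diff hunk at @@ -136,6 +137,7 @@, the `break;` added after `if (error) return error;` is the only line in this patch that changes behaviour, and the description ("we should probably have break there anyway") undersells it. Without it, a request whose `SYSCTL_IN(req, ifp->if_linkmib, ifp->if_linkmiblen)` succeeds falls straight through into `case IFDATA_DRIVERNAME:` and runs that case's code as well. Please say so in the commit message and add a short comment at the case boundary so the missing terminator does not get reintroduced.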
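Review bot: in the if_mib.diff hunk at @@ -152,6 +154,7 @@, the added `break;` comes after an unconditional `return (error);`, so it is unreachable, and the `return 0;` after the switch is never reached from this case either. If the goal is a single exit path, replace the `return (error);` with the `break;` and check whether the function can end in `return (error);` for the other cases too; otherwise leave this case as it was.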
From: Julian Elischer
To: Giorgos Keramidas
References: <48C19568.807@elischer.org> <48C1B774.2020405@elischer.org> <48C1B83C.9000404@elischer.org> <48C1BD31.6090804@elischer.org> <87y721go6i.fsf@kobe.laptop>
In-Reply-To: <87y721go6i.fsf@kobe.laptop>
Cc: freebsd-net@freebsd.org
Subject: Re: rewrite of rt_check() (now rt_check_fib())

Giorgos Keramidas wrote:
> Hi Julian.
>
> Has anyone else tested this patch? I'm going to have a bit of time to
> try reproducing this again in the following days. Is this patch version
> the last one you have written? Should I patch with this one and give it
> a try?

I think this was the last one.

>
> FWIW, reading through this version of rt_check_fib() is nicer, and I
> really liked the comment that explains how it works :-)
>
> On Fri, 05 Sep 2008 16:13:53 -0700, Julian Elischer wrote:
>> this time with less (I hope) bugs...
>>
>> new macros...
>>
>> #define RT_TEMP_UNLOCK(_rt) do { \
>> 	RT_ADDREF(_rt); \
>> 	RT_UNLOCK(_rt); \
>> } while (0)
>>
>> #define RT_RELOCK(_rt) do { \
>> 	RT_LOCK(_rt) \
>> 	if ((_rt)->rt_refcnt <= 1) \
>> 		rtfree(_rt); \
>> 		_rt = 0; /* signal that it went away */ \
>> 	else { \
>> 		RT_REMREF(_rt); \
>> 		/* note that _rt is still valid */ \
>> 	} \
>> } while (0)
>>
>>
>> with (better) code attached:
>>
>> /*
>>  * rt_check() is invoked on each layer 2 output path, prior to
>>  * encapsulating outbound packets.
>>  *
>>  * The function is mostly used to find a routing entry for the gateway,
>>  * which in some protocol families could also point to the link-level
>>  * address for the gateway itself (the side effect of revalidating the
>>  * route to the destination is rather pointless at this stage, we did it
>>  * already a moment before in the pr_output() routine to locate the ifp
>>  * and gateway to use).
>>  *
>>  * When we remove the layer-3 to layer-2 mapping tables from the
>>  * routing table, this function can be removed.
>>  *
>>  * === On input ===
>>  * *dst is the address of the NEXT HOP (which coincides with the
>>  * final destination if directly reachable);
>>  * *lrt0 points to the cached route to the final destination;
>>  * *lrt is not meaningful;
>>  * fibnum is the index to the correct network fib for this packet
>>  * (*lrt0 has not ref held on it so REMREF is not needed )
>>  *
>>  * === Operation ===
>>  * If the route is marked down try to find a new route. If the route
>>  * to the gateway is gone, try to setup a new route. Otherwise,
>>  * if the route is marked for packets to be rejected, enforce that.
>>  * Note that rtalloc returns an rtentry with an extra REF that we need to lose.
>>  *
>>  * === On return ===
>>  * *dst is unchanged;
>>  * *lrt0 points to the (possibly new) route to the final destination
>>  * *lrt points to the route to the next hop [LOCKED]
>>  *
>>  * Their values are meaningful ONLY if no error is returned.
>>  *
>>  * To follow this you have to remember that:
>>  * RT_REMREF reduces the reference count by 1 but doesn't check it for 0 (!)
>>  * RTFREE_LOCKED includes an RT_REMREF (or an rtfree if refs == 1)
>>  * and an RT_UNLOCK
>>  * RTFREE does an RT_LOCK and an RTFREE_LOCKED
>>  * The gwroute pointer counts as a reference on the rtentry to which it points.
>>  * so when we add it we use the ref that rtalloc gives us and when we lose it
>>  * we need to remove the reference.
>>  */
>> int
>> rt_check(struct rtentry **lrt, struct rtentry **lrt0, struct sockaddr *dst)
>> {
>> 	return (rt_check_fib(lrt, lrt0, dst, 0));
>> }
>>
>> int
>> rt_check_fib(struct rtentry **lrt, struct rtentry **lrt0, struct sockaddr *dst,
>>     u_int fibnum)
>> {
>> 	struct rtentry *rt;
>> 	struct rtentry *rt0;
>> 	int error;
>>
>> 	KASSERT(*lrt0 != NULL, ("rt_check"));
>> 	rt0 = *lrt0;
>> 	rt = NULL;
>>
>> 	/* NB: the locking here is tortuous... */
>> 	RT_LOCK(rt0);
>> retry:
>> 	if (rt0 && (rt0->rt_flags & RTF_UP) == 0) {
>> 		/* Current rt0 is useless, try get a replacement. */
>> 		RT_UNLOCK(rt0);
>> 		rt0 = NULL;
>> 	}
>> 	if (rt0 == NULL) {
>> 		rt0 = rtalloc1_fib(dst, 1, 0UL, fibnum);
>> 		if (rt0 == NULL) {
>> 			return (EHOSTUNREACH);
>> 		}
>> 		RT_REMREF(rt0); /* don't need the reference. */
>> 	}
>>
>> 	if (rt0->rt_flags & RTF_GATEWAY) {
>> 		if ((rt = rt0->rt_gwroute) != NULL) {
>> 			RT_LOCK(rt); /* NB: gwroute */
>> 			if ((rt->rt_flags & RTF_UP) == 0) {
>> 				/* gw route is dud. ignore/lose it */
>> 				RTFREE_LOCKED(rt); /* unref (&unlock) gwroute */
>> 				rt = rt0->rt_gwroute = NULL;
>> 			}
>> 		}
>>
>> 		if (rt == NULL) { /* NOT AN ELSE CLAUSE */
>> 			RT_TEMP_UNLOCK(rt0); /* MUST return to undo this */
>> 			rt = rtalloc1_fib(rt0->rt_gateway, 1, 0UL, fibnum);
>> 			if ((rt == rt0) || (rt == NULL)) {
>> 				/* the best we can do is not good enough */
>> 				if (rt) {
>> 					RT_REMREF(rt); /* assumes ref > 0 */
>> 					RT_UNLOCK(rt);
>> 				}
>> 				RT_FREE(rt0); /* lock, unref, (unlock) */
>> 				return (ENETUNREACH);
>> 			}
>> 			/*
>> 			 * Relock it and lose the added reference.
>> 			 * All sorts of things could have happened while we
>> 			 * had no lock on it, so check for them.
>> 			 */
>> 			RT_RELOCK(rt0);
>> 			if (rt0 == NULL || ((rt0->rt_flags & RTF_UP) == 0))
>> 				/* Ru-roh.. what we had is no longer any good */
>> 				goto retry;
>> 			/*
>> 			 * While we were away, someone replaced the gateway.
>> 			 * Since a reference count is involved we can't just
>> 			 * overwrite it.
>> 			 */
>> 			if (rt0->rt_gwroute) {
>> 				if (rt0->rt_gwroute != rt) {
>> 					RT_FREE_LOCKED(rt);
>> 					goto retry;
>> 				}
>> 			} else {
>> 				rt0->rt_gwroute = rt;
>> 			}
>> 		}
>> 		RT_LOCK_ASSERT(rt);
>> 		RT_UNLOCK(rt0);
>> 	} else {
>> 		/* think of rt as having the lock from now on.. */
>> 		rt = rt0;
>> 	}
>> 	/* XXX why are we inspecting rmx_expire? */
>> 	if ((rt->rt_flags & RTF_REJECT) &&
>> 	    (rt->rt_rmx.rmx_expire == 0 ||
>> 	    time_uptime < rt->rt_rmx.rmx_expire)) {
>> 		RT_UNLOCK(rt);
>> 		return (rt == rt0 ? EHOSTDOWN : EHOSTUNREACH);
>> 	}
>>
>> 	*lrt = rt;
>> 	*lrt0 = rt0;
>> 	return (0);
>> }

From owner-freebsd-net@FreeBSD.ORG Wed Sep 10 00:27:57 2008
Message-ID: <48C7149A.7040304@elischer.org>
Date: Tue, 09 Sep 2008 17:28:10 -0700
From: Julian Elischer User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707) MIME-Version: 1.0 To: Giorgos Keramidas References: <48C19568.807@elischer.org> <48C1B774.2020405@elischer.org> <48C1B83C.9000404@elischer.org> <48C1BD31.6090804@elischer.org> <87y721go6i.fsf@kobe.laptop> In-Reply-To: <87y721go6i.fsf@kobe.laptop> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-net@freebsd.org Subject: Re: rewrite of rt_check() (now rt_check_fib()) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Sep 2008 00:27:58 -0000

Giorgos Keramidas wrote:
> Hi Julian.
>
> Has anyone else tested this patch? I'm going to have a bit of time to
> try reproducing this again in the following days. Is this patch version
> the last one you have written? Should I patch with this one and give it
> a try?

no one else has.. which seems strange given that several people got hit by the problem. I think that while removing the quick crash, the underlying problem is somewhere else.

>
> FWIW, reading through this version of rt_check_fib() is nicer, and I
> really liked the comment that explains how it works :-)
>
> On Fri, 05 Sep 2008 16:13:53 -0700, Julian Elischer wrote:
>> this time with less (I hope) bugs...
>>
>> new macros...
>>
>> #define RT_TEMP_UNLOCK(_rt) do { \
>> 	RT_ADDREF(_rt); \
>> 	RT_UNLOCK(_rt); \
>> } while (0)
>>
>> #define RT_RELOCK(_rt) do { \
>> 	RT_LOCK(_rt); \
>> 	if ((_rt)->rt_refcnt <= 1) { \
>> 		rtfree(_rt); \
>> 		_rt = 0; /* signal that it went away */ \
>> 	} else { \
>> 		RT_REMREF(_rt); \
>> 		/* note that _rt is still valid */ \
>> 	} \
>> } while (0)
>>
>>
>> with (better) code attached:
>>
>> /*
>>  * rt_check() is invoked on each layer 2 output path, prior to
>>  * encapsulating outbound packets.
>>  *
>>  * The function is mostly used to find a routing entry for the gateway,
>>  * which in some protocol families could also point to the link-level
>>  * address for the gateway itself (the side effect of revalidating the
>>  * route to the destination is rather pointless at this stage, we did it
>>  * already a moment before in the pr_output() routine to locate the ifp
>>  * and gateway to use).
>>  *
>>  * When we remove the layer-3 to layer-2 mapping tables from the
>>  * routing table, this function can be removed.
>>  *
>>  * === On input ===
>>  *    *dst is the address of the NEXT HOP (which coincides with the
>>  *      final destination if directly reachable);
>>  *    *lrt0 points to the cached route to the final destination;
>>  *    *lrt is not meaningful;
>>  *    fibnum is the index to the correct network fib for this packet
>>  *      (*lrt0 has no ref held on it so REMREF is not needed )
>>  *
>>  * === Operation ===
>>  * If the route is marked down try to find a new route. If the route
>>  * to the gateway is gone, try to setup a new route. Otherwise,
>>  * if the route is marked for packets to be rejected, enforce that.
>>  * Note that rtalloc returns an rtentry with an extra REF that we need to lose.
>>  *
>>  * === On return ===
>>  *    *dst is unchanged;
>>  *    *lrt0 points to the (possibly new) route to the final destination
>>  *    *lrt points to the route to the next hop [LOCKED]
>>  *
>>  * Their values are meaningful ONLY if no error is returned.
>>  *
>>  * To follow this you have to remember that:
>>  * RT_REMREF reduces the reference count by 1 but doesn't check it for 0 (!)
>>  * RTFREE_LOCKED includes an RT_REMREF (or an rtfree if refs == 1)
>>  *    and an RT_UNLOCK
>>  * RTFREE does an RT_LOCK and an RTFREE_LOCKED
>>  * The gwroute pointer counts as a reference on the rtentry to which it points.
>>  * so when we add it we use the ref that rtalloc gives us and when we lose it
>>  * we need to remove the reference.
>>  */
>> int
>> rt_check(struct rtentry **lrt, struct rtentry **lrt0, struct sockaddr *dst)
>> {
>> 	return (rt_check_fib(lrt, lrt0, dst, 0));
>> }
>>
>> int
>> rt_check_fib(struct rtentry **lrt, struct rtentry **lrt0, struct sockaddr *dst,
>>     u_int fibnum)
>> {
>> 	struct rtentry *rt;
>> 	struct rtentry *rt0;
>> 	int error;
>>
>> 	KASSERT(*lrt0 != NULL, ("rt_check"));
>> 	rt0 = *lrt0;
>> 	rt = NULL;
>>
>> 	/* NB: the locking here is tortuous... */
>> 	RT_LOCK(rt0);
>> retry:
>> 	if (rt0 && (rt0->rt_flags & RTF_UP) == 0) {
>> 		/* Current rt0 is useless, try get a replacement. */
>> 		RT_UNLOCK(rt0);
>> 		rt0 = NULL;
>> 	}
>> 	if (rt0 == NULL) {
>> 		rt0 = rtalloc1_fib(dst, 1, 0UL, fibnum);
>> 		if (rt0 == NULL) {
>> 			return (EHOSTUNREACH);
>> 		}
>> 		RT_REMREF(rt0); /* don't need the reference. */
>> 	}
>>
>> 	if (rt0->rt_flags & RTF_GATEWAY) {
>> 		if ((rt = rt0->rt_gwroute) != NULL) {
>> 			RT_LOCK(rt); /* NB: gwroute */
>> 			if ((rt->rt_flags & RTF_UP) == 0) {
>> 				/* gw route is dud. ignore/lose it */
>> 				RTFREE_LOCKED(rt); /* unref (&unlock) gwroute */
>> 				rt = rt0->rt_gwroute = NULL;
>> 			}
>> 		}
>>
>> 		if (rt == NULL) { /* NOT AN ELSE CLAUSE */
>> 			RT_TEMP_UNLOCK(rt0); /* MUST return to undo this */
>> 			rt = rtalloc1_fib(rt0->rt_gateway, 1, 0UL, fibnum);
>> 			if ((rt == rt0) || (rt == NULL)) {
>> 				/* the best we can do is not good enough */
>> 				if (rt) {
>> 					RT_REMREF(rt); /* assumes ref > 0 */
>> 					RT_UNLOCK(rt);
>> 				}
>> 				RTFREE(rt0); /* lock, unref, (unlock) */
>> 				return (ENETUNREACH);
>> 			}
>> 			/*
>> 			 * Relock it and lose the added reference.
>> 			 * All sorts of things could have happened while we
>> 			 * had no lock on it, so check for them.
>> 			 */
>> 			RT_RELOCK(rt0);
>> 			if (rt0 == NULL || ((rt0->rt_flags & RTF_UP) == 0))
>> 				/* Ru-roh.. what we had is no longer any good */
>> 				goto retry;
>> 			/*
>> 			 * While we were away, someone replaced the gateway.
>> 			 * Since a reference count is involved we can't just
>> 			 * overwrite it.
>> 			 */
>> 			if (rt0->rt_gwroute) {
>> 				if (rt0->rt_gwroute != rt) {
>> 					RTFREE_LOCKED(rt);
>> 					goto retry;
>> 				}
>> 			} else {
>> 				rt0->rt_gwroute = rt;
>> 			}
>> 		}
>> 		RT_LOCK_ASSERT(rt);
>> 		RT_UNLOCK(rt0);
>> 	} else {
>> 		/* think of rt as having the lock from now on.. */
>> 		rt = rt0;
>> 	}
>> 	/* XXX why are we inspecting rmx_expire? */
>> 	if ((rt->rt_flags & RTF_REJECT) &&
>> 	    (rt->rt_rmx.rmx_expire == 0 ||
>> 	    time_uptime < rt->rt_rmx.rmx_expire)) {
>> 		RT_UNLOCK(rt);
>> 		return (rt == rt0 ? EHOSTDOWN : EHOSTUNREACH);
>> 	}
>>
>> 	*lrt = rt;
>> 	*lrt0 = rt0;
>> 	return (0);
>> }

From owner-freebsd-net@FreeBSD.ORG Wed Sep 10 00:35:47 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C16361065671; Wed, 10 Sep 2008 00:35:47 +0000 (UTC) (envelope-from brooks@lor.one-eyed-alien.net) Received: from lor.one-eyed-alien.net (cl-162.ewr-01.us.sixxs.net [IPv6:2001:4830:1200:a1::2]) by mx1.freebsd.org (Postfix) with ESMTP id 4A4FC8FC13; Wed, 10 Sep 2008 00:35:47 +0000 (UTC) (envelope-from brooks@lor.one-eyed-alien.net) Received: from lor.one-eyed-alien.net (localhost [127.0.0.1]) by lor.one-eyed-alien.net (8.14.3/8.14.2) with ESMTP id m8A0abwV035037; Tue, 9 Sep 2008 19:36:37 -0500 (CDT) (envelope-from brooks@lor.one-eyed-alien.net) Received: (from brooks@localhost) by lor.one-eyed-alien.net (8.14.3/8.14.3/Submit) id m8A0abot035036; Tue, 9 Sep 2008 19:36:37 -0500 (CDT) (envelope-from brooks) Date: Tue, 9 Sep 2008 19:36:37 -0500
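
The pin-then-unlock discipline behind RT_TEMP_UNLOCK and RT_RELOCK in the message above, as a single-threaded user-space model added here; it is not Julian's code and not FreeBSD kernel code. The names `struct entry`, `attach_gateway`, `scenario` and the `race_*` helpers are assumptions, the lock is a plain flag, and the model releases the looked-up gateway before asking for a retry, which is this example's own choice.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define F_UP 0x1	/* plays the role of RTF_UP */

/* User-space model of a refcounted, individually locked route entry. */
struct entry {
	int refcnt;		/* table reference + gw pointers + temporary pins */
	bool locked;		/* stand-in for the per-entry mutex */
	bool freed;		/* set instead of calling free(), so it can be inspected */
	int flags;
	struct entry *gw;	/* counted pointer, like rt_gwroute */
};
enum outcome { INSTALLED, RETRY_GONE, RETRY_DOWN, RETRY_REPLACED, USE_AFTER_FREE };
struct result { enum outcome out; int rt0_refs; int cand_refs; bool rt0_freed; };

static struct entry other_gw;	/* constructed: a gateway another thread installs */

/* Drop one reference on a locked entry, then unlock; the last one frees it. */
static void unref_locked(struct entry *e)
{
	if (--e->refcnt <= 0)
		e->freed = true;
	e->locked = false;
}

/* Pin the entry with an extra reference, then give up its lock. */
static void temp_unlock(struct entry *e) { e->refcnt++; e->locked = false; }

/* Retake the lock and drop the pin; NULL means the pin was the last reference. */
static struct entry *relock(struct entry *e)
{
	e->locked = true;
	if (e->refcnt <= 1) {
		unref_locked(e);	/* freed here, by us, under the lock */
		return (NULL);
	}
	e->refcnt--;
	return (e);
}

/* Constructed races, run while rt0 is unlocked: the route is deleted (table
 * reference dropped), marked down, or given a gateway by another thread. */
static void race_delete(struct entry *e) { e->locked = true; e->flags &= ~F_UP; unref_locked(e); }
static void race_down(struct entry *e) { e->flags &= ~F_UP; }
static void race_replace(struct entry *e) { other_gw.refcnt++; e->gw = &other_gw; }

/* Caller holds rt0 locked and owns no reference to it; cand is the new gateway. */
static enum outcome attach_gateway(struct entry *rt0, struct entry *cand,
    void (*race)(struct entry *), bool pin)
{
	if (pin)
		temp_unlock(rt0);
	else
		rt0->locked = false;	/* unsafe variant: nothing keeps rt0 alive */
	if (race != NULL)
		race(rt0);
	cand->locked = true;		/* the lookup returns cand locked ... */
	cand->refcnt++;			/* ... and with one new reference */
	if (!pin && rt0->freed) {	/* a kernel would be locking freed memory */
		unref_locked(cand);
		return (USE_AFTER_FREE);
	}
	if (!pin)
		rt0->locked = true;
	else if ((rt0 = relock(rt0)) == NULL) {
		unref_locked(cand);
		return (RETRY_GONE);
	}
	if ((rt0->flags & F_UP) == 0 || rt0->gw != NULL) {
		enum outcome out = (rt0->flags & F_UP) ? RETRY_REPLACED : RETRY_DOWN;
		unref_locked(cand);	/* never overwrite a counted pointer */
		rt0->locked = false;
		return (out);
	}
	rt0->gw = cand;			/* the lookup's reference now belongs to gw */
	rt0->locked = false;
	return (INSTALLED);		/* cand stays locked for the caller */
}

/* Run one scenario on fresh entries; report the outcome and final counts. */
struct result scenario(void (*race)(struct entry *), bool pin)
{
	struct entry rt0 = { .refcnt = 1, .locked = true, .flags = F_UP };
	struct entry cand = { .refcnt = 1, .flags = F_UP };

	other_gw = (struct entry){ .refcnt = 1, .flags = F_UP };
	enum outcome out = attach_gateway(&rt0, &cand, race, pin);
	return ((struct result){ out, rt0.refcnt, cand.refcnt, rt0.freed });
}

int main(void)
{
	printf("delete race: pinned=%d unpinned=%d\n",
	    scenario(race_delete, true).out, scenario(race_delete, false).out);
	return (0);
}
```

With the pin, a concurrent delete only drops the count to one, so the entry is still valid memory when it is relocked and is released there; without the pin the same delete frees it inside the unlocked window.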
From: Brooks Davis To: "Bruce M. Simpson" Message-ID: <20080910003637.GB34060@lor.one-eyed-alien.net> References: <48C70743.1020003@incunabulum.net> <48C7112D.3070309@FreeBSD.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="f2QGlHpHGjS2mn6Y" Content-Disposition: inline In-Reply-To: <48C7112D.3070309@FreeBSD.org> User-Agent: Mutt/1.5.17 (2007-11-01) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (lor.one-eyed-alien.net [127.0.0.1]); Tue, 09 Sep 2008 19:36:37 -0500 (CDT) Cc: FreeBSD-Net mailing list Subject: Re: Problem with IFDATA_DRIVERNAME sysctl X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Sep 2008 00:35:47 -0000 --f2QGlHpHGjS2mn6Y Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Sep 10, 2008 at 01:13:33AM +0100, Bruce M. Simpson wrote: > Bruce M Simpson wrote: >>=20 >> It looks like the switch..case in that path could be fubar'd by the=20 >> compiler as there are not break statements for each distinct case label,= =20 >> could this be due to gcc friendly fire? >=20 > Possibly false alarm or PEBKAC, I wasn't checking return values right in= =20 > some of my code, although we should probably have "break" there anyway. >=20 > Patch against RELENG_7_0. > --- if_mib.c.orig 2008-09-10 00:31:25.000000000 +0100 > +++ if_mib.c 2008-09-10 00:32:15.000000000 +0100 > @@ -90,6 +90,7 @@ > switch(name[1]) { > default: > return ENOENT; > + break; That's clearly a no-op since it's unreachable. > case IFDATA_GENERAL: > bzero(&ifmd, sizeof(ifmd)); 
> @@ -136,6 +137,7 @@ > error =3D SYSCTL_IN(req, ifp->if_linkmib, ifp->if_linkmiblen); > if (error) > return error; > + break; This looks OK, but I haven't checked the context. > =20 > case IFDATA_DRIVERNAME: > /* 20 is enough for 64bit ints */ > @@ -152,6 +154,7 @@ > error =3D EPERM; > free(dbuf, M_TEMP); > return (error); > + break; This is also a no-op. --Brooks > } > return 0; > } > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" --f2QGlHpHGjS2mn6Y Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (FreeBSD) iD8DBQFIxxaUXY6L6fI4GtQRAusjAJ9E3pmJoXXQjpeAXAkONcfiQb9f5ACeM9lZ /s7Sqz/XJ4P+06XmZG7Qrng= =Rt1N -----END PGP SIGNATURE----- --f2QGlHpHGjS2mn6Y-- From owner-freebsd-net@FreeBSD.ORG Wed Sep 10 08:40:58 2008 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C4985106564A; Wed, 10 Sep 2008 08:40:58 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 91EED8FC23; Wed, 10 Sep 2008 08:40:58 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m8A8ewZv007185; Wed, 10 Sep 2008 08:40:58 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m8A8eweX007181; Wed, 10 Sep 2008 08:40:58 GMT (envelope-from linimon) Date: Wed, 10 Sep 2008 08:40:58 GMT Message-Id: <200809100840.m8A8eweX007181@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-net@FreeBSD.org 
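Review bot: In the @@ -90,6 +90,7 @@ hunk the added "break;" sits directly after "return ENOENT;" under "default:", so it can never execute and should be dropped from the patch. It does not protect against fall-through either, since the only way out of that case body is the return; the same holds wherever a break is placed straight after an unconditional return.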
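Review bot: The @@ -136,6 +137,7 @@ hunk is the only one that changes behaviour and is better committed on its own, with a message that names the case: without the added "break;", a request whose SYSCTL_IN succeeds (error == 0) does not leave the switch but continues into "case IFDATA_DRIVERNAME:". Keep this break, and consider ending every case in this switch with an explicit break or return so that a missing one stands out in review.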
From: linimon@FreeBSD.org Cc: Subject: Re: kern/127266: [gif] gif tunnel error ifconfig: SIOCSIFPHYADDR: Can't assign requested address X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Sep 2008 08:40:58 -0000

Old Synopsis: gif tunnel error ifconfig: SIOCSIFPHYADDR: Can't assign requested address
New Synopsis: [gif] gif tunnel error ifconfig: SIOCSIFPHYADDR: Can't assign requested address

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Sep 10 08:40:35 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=127266

From owner-freebsd-net@FreeBSD.ORG Wed Sep 10 12:23:43 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0183B1065670 for ; Wed, 10 Sep 2008 12:23:43 +0000 (UTC) (envelope-from bms@FreeBSD.org) Received: from out3.smtp.messagingengine.com (out3.smtp.messagingengine.com [66.111.4.27]) by mx1.freebsd.org (Postfix) with ESMTP id C7F508FC08 for ; Wed, 10 Sep 2008 12:23:42 +0000 (UTC) (envelope-from bms@FreeBSD.org) Received: from compute1.internal (compute1.internal [10.202.2.41]) by out1.messagingengine.com (Postfix) with ESMTP id 65A94160A9E; Wed, 10 Sep 2008 08:23:42 -0400 (EDT) Received: from heartbeat2.messagingengine.com ([10.202.2.161]) by compute1.internal (MEProxy); Wed, 10 Sep 2008 08:23:42 -0400 X-Sasl-enc: mkn7AAyE5V6y4zCWNpAqLdzv0jxuEQJki+Sklkc40Wm4 1221049422 Received: from empiric.lon.incunabulum.net (82-35-112-254.cable.ubr07.dals.blueyonder.co.uk [82.35.112.254]) by mail.messagingengine.com (Postfix) with ESMTPSA id EAB8931D5F; Wed, 10 Sep 2008 08:23:41 -0400 (EDT) Message-ID: <48C7BC4C.4090106@FreeBSD.org> Date: Wed, 10 Sep 2008 13:23:40
+0100 From: "Bruce M. Simpson" User-Agent: Thunderbird 2.0.0.14 (X11/20080514) MIME-Version: 1.0 To: Brooks Davis References: <48C70743.1020003@incunabulum.net> <48C7112D.3070309@FreeBSD.org> <20080910003637.GB34060@lor.one-eyed-alien.net> In-Reply-To: <20080910003637.GB34060@lor.one-eyed-alien.net> X-Enigmail-Version: 0.95.6 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: FreeBSD-Net mailing list Subject: Re: Problem with IFDATA_DRIVERNAME sysctl X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Sep 2008 12:23:43 -0000 Brooks Davis wrote: > >> --- if_mib.c.orig 2008-09-10 00:31:25.000000000 +0100 >> +++ if_mib.c 2008-09-10 00:32:15.000000000 +0100 >> @@ -90,6 +90,7 @@ >> switch(name[1]) { >> default: >> return ENOENT; >> + break; >> > > That's clearly a no-op since it's unreachable. > > >> case IFDATA_GENERAL: >> bzero(&ifmd, sizeof(ifmd)); 
>> @@ -136,6 +137,7 @@ >> error = SYSCTL_IN(req, ifp->if_linkmib, ifp->if_linkmiblen); >> if (error) >> return error; >> + break; >> > > This looks OK, but I haven't checked the context. > It looks like an unintentional fall-through to case IFDATA_DRIVERNAME, so I'll commit that part. From owner-freebsd-net@FreeBSD.ORG Wed Sep 10 17:19:45 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9167E1065674; Wed, 10 Sep 2008 17:19:43 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: from psmtp.com (s200aob14.obsmtp.com [207.126.144.118]) by mx1.freebsd.org (Postfix) with SMTP id 764AC8FC26; Wed, 10 Sep 2008 17:19:42 +0000 (UTC) (envelope-from tom@tomjudge.com) Received: from source ([63.174.175.251]) by eu1sys200aob014.postini.com ([207.126.147.11]) with SMTP; Wed, 10 Sep 2008 17:19:41 UTC Received: from [0.0.0.0] (proxy.usdmm.com [172.17.10.21]) by bbbx3.usdmm.com (Postfix) with ESMTP id 48C88FD01B; Wed, 10 Sep 2008 17:02:32 +0000 (UTC) Message-ID: <48C7FCED.2030108@tomjudge.com> Date: Wed, 10 Sep 2008 11:59:25 -0500 
From: Tom Judge User-Agent: Thunderbird 2.0.0.16 (X11/20080724) MIME-Version: 1.0 To: "Bruce M. Simpson" References: <200809021542.m82Fg9GK087484@aurora.sol.net> <48BD71DD.10707@FreeBSD.org> <48BE84B0.3080603@FreeBSD.org> In-Reply-To: <48BE84B0.3080603@FreeBSD.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: jlin2918@yahoo.com, freebsd-net@freebsd.org, eugen@kuzbass.ru, Joe Greco Subject: Re: Quagga OSPF binds to wrong interface on FreeBSD 7 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Sep 2008 17:19:45 -0000

Bruce M. Simpson wrote:
> Bruce M. Simpson wrote:
>>
>> I understand that this situation has dragged on for some 18 months
>> since changes went into 7.x. I'm sorry to hear about the problems
>> you're having. I can't speak for Quagga as I haven't worked on it in
>> many years, nor can I speak for the Quagga patch.
>>
>
> I looked at the sockopt.c.diff patch briefly last night on my free
> time. It is a quick and dirty bandaid by the looks of it which just
> munges the socket options. It may "work for you", I haven't tested it
> as I don't run Quagga.
>
> BTW: The RFC 1724 hack was never actually documented, so code which
> relies on it is buggy and needs to be fixed. I published a patch for
> routed here nearly 18 months ago, which is probably where Quagga
> picked up the hack from.

The patch works for us in production, we currently have 6 routers running the patch with ~30 interfaces each.
Tom J From owner-freebsd-net@FreeBSD.ORG Wed Sep 10 19:30:05 2008 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D1218106566B for ; Wed, 10 Sep 2008 19:30:05 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id BB7448FC14 for ; Wed, 10 Sep 2008 19:30:05 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m8AJU5Ba063751 for ; Wed, 10 Sep 2008 19:30:05 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m8AJU5v2063748; Wed, 10 Sep 2008 19:30:05 GMT (envelope-from gnats) Date: Wed, 10 Sep 2008 19:30:05 GMT Message-Id: <200809101930.m8AJU5v2063748@freefall.freebsd.org> To: freebsd-net@FreeBSD.org From: Jeff Wheelhouse Cc: Subject: Re: kern/127050: [carp] ipv6 does not work on carp interfaces [regression] X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Jeff Wheelhouse List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Sep 2008 19:30:05 -0000 The following reply was made to PR kern/127050; it has been noted by GNATS. 
From: Jeff Wheelhouse
To: bug-followup@FreeBSD.org
Cc:
Subject: Re: kern/127050: [carp] ipv6 does not work on carp interfaces [regression]
Date: Wed, 10 Sep 2008 15:02:00 -0400

I am experiencing the identical behavior on the following releases:

6.3-RELEASE-p4
6.4-PRERELEASE (as of Sep 6)

I have reproduced the problem on both amd64 and i386, on both physical interfaces and VLAN interfaces.

The problem is the same:

- two machines, both configured correctly
- both machines can ping6 each other
- carp configures correctly, and announcements are observed on the relevant LAN via tcpdump
- one machine goes to MASTER and one goes to BACKUP
- an additional machine on the same LAN can ping6 both machines
- none of the three machines can ping (or route through) the CARP IPv6 address

However, I'm *assuming* these are the CARP announcements (since they are from the right IPv6 addresses and MASTER/BACKUP status seems to work):

11:54:51.818511 IP6 A:B:C:D::1 > ff02::12: ip-proto-112 36
11:54:52.855924 IP6 A:B:C:D::1 > ff02::12: ip-proto-112 36
11:54:53.893300 IP6 A:B:C:D::1 > ff02::12: ip-proto-112 36
11:54:54.930386 IP6 A:B:C:D::1 > ff02::12: ip-proto-112 36
11:54:55.967965 IP6 A:B:C:D::1 > ff02::12: ip-proto-112 36
11:54:57.004987 IP6 A:B:C:D::1 > ff02::12: ip-proto-112 36
11:54:58.042481 IP6 A:B:C:D::1 > ff02::12: ip-proto-112 36

I would be happy to help troubleshoot this problem in any way possible.

Thanks, Jeff From owner-freebsd-net@FreeBSD.ORG Thu Sep 11 20:08:19 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 25EC81065686 for ; Thu, 11 Sep 2008 20:08:19 +0000 (UTC) (envelope-from julian@elischer.org) Received: from outC.internet-mail-service.net (outc.internet-mail-service.net [216.240.47.226]) by mx1.freebsd.org (Postfix) with ESMTP id 147F58FC25 for ; Thu, 11 Sep 2008 20:08:18 +0000 (UTC) (envelope-from julian@elischer.org) Received: from idiom.com (mx0.idiom.com [216.240.32.160]) by out.internet-mail-service.net (Postfix) with ESMTP id D0C8A2353; Thu, 11 Sep 2008 13:08:18 -0700 (PDT) Received: from julian-mac.elischer.org (localhost [127.0.0.1]) by idiom.com (Postfix) with ESMTP id 6C6A12D6014; Thu, 11 Sep 2008 13:08:18 -0700 (PDT) Message-ID: <48C97AB3.6040907@elischer.org> Date: Thu, 11 Sep 2008 13:08:19 -0700 
From: Julian Elischer User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707) MIME-Version: 1.0 To: FreeBSD Net , ipfw@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: anyone have a netgraph node to do ipfw filtering? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Sep 2008 20:08:19 -0000

I think someone sent me a link to an ng_ipfw_filter node once
but I've lost it...

(I think it was called ng_ipfw but that name is now taken by the
netgraph/ipfw 'ipfw netgraph' packet divert option).

Something that lets you do ipfw filtering on packets as they
travel across a graph.

As I said, I've seen one but lost it...

Julian

From owner-freebsd-net@FreeBSD.ORG Thu Sep 11 21:12:41 2008 Return-Path: Delivered-To: freebsd-net@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4036C106564A; Thu, 11 Sep 2008 21:12:41 +0000 (UTC) (envelope-from vova@sw.ru) Received: from relay.sw.ru (mailhub.sw.ru [195.214.232.25]) by mx1.freebsd.org (Postfix) with ESMTP id B1BD18FC0C; Thu, 11 Sep 2008 21:12:39 +0000 (UTC) (envelope-from vova@sw.ru) Received: from vbook.fbsd.ru ([77.232.23.6]) (authenticated bits=0) by relay.sw.ru (8.13.4/8.13.4) with ESMTP id m8BLCdBg023322 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 12 Sep 2008 01:12:40 +0400 (MSD) Received: from vova by vbook.fbsd.ru with local (Exim 4.69 (FreeBSD)) (envelope-from ) id 1KdtSt-0001b3-QN; Fri, 12 Sep 2008 01:12:35 +0400
From: Vladimir Grebenschikov To: Rui Paulo In-Reply-To: <20080909162433.GB35538@alpha.local> References: <200808280023.m7S0NN0B078088@repoman.freebsd.org> <1220382480.2493.5.camel@localhost> <20080903165230.GA31289@alpha.local> <1220883546.4169.13.camel@localhost> <20080909162433.GB35538@alpha.local> Content-Type: text/plain Content-Transfer-Encoding: 7bit Organization: SWsoft Date: Fri, 12 Sep 2008 01:12:34 +0400 Message-Id: <1221167555.2276.17.camel@localhost> Mime-Version: 1.0 X-Mailer: Evolution 2.22.3.1 FreeBSD GNOME Team Port Sender: Vladimir Grebenschikov Cc: freebsd-net@FreeBSD.org Subject: Re: cvs commit: src/sys/contrib/dev/ath COPYRIGHT README ah.h ah_desc.h ah_devid.h ah_soc.h version.h src/sys/contrib/dev/ath/public alpha-elf.hal.o.uu alpha-elf.inc alpha-elf.opt_ah.h ap30.hal.o.uu ap30.inc ap43.hal.o.uu ap43.inc ... X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: vova@fbsd.ru List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Sep 2008 21:12:41 -0000

On Tue, 2008-09-09 at 17:24 +0100, Rui Paulo wrote:
> On Mon, Sep 08, 2008 at 06:19:06PM +0400, Vladimir Grebenschikov wrote:
> > On Wed, 2008-09-03 at 17:52 +0100, Rui Paulo wrote:
> > > On Tue, Sep 02, 2008 at 11:08:00PM +0400, Vladimir Grebenschikov wrote:
> > > > On Thu, 28/08/2008 at 00:22 +0000, Rui Paulo wrote:
> > > > > rpaulo 2008-08-28 00:22:59 UTC
> > > >
> > > >
> > > > After that commit my wireless stop work:
> > >
> > > Can you tell us your ath mac+phy rev?
> >
> > ath_hal: 0.9.20.3 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413,
> > RF5413)
> > ath0: mem 0xedf00000-0xedf0ffff irq 17 at device 0.0 on
> > pci3
> > ath0: [ITHREAD]
> > ath0: WARNING: using obsoleted if_watchdog interface
> > ath0: mac 10.3 phy 6.1 radio 10.2
>
> I have a 5212 too and the problem is now fixed in HEAD. Please update.

Yes, it works now, thank you.

> Thanks,

--
Vladimir B.
Grebenschikov vova@fbsd.ru From owner-freebsd-net@FreeBSD.ORG Fri Sep 12 05:50:08 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 75A831065672 for ; Fri, 12 Sep 2008 05:50:08 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.cksoft.de (mail.cksoft.de [62.111.66.27]) by mx1.freebsd.org (Postfix) with ESMTP id 20D7D8FC13 for ; Fri, 12 Sep 2008 05:50:07 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from localhost (amavis.str.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 19FBA41C7AE; Fri, 12 Sep 2008 07:50:06 +0200 (CEST) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([62.111.66.27]) by localhost (amavis.str.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id iriU1HISZSsQ; Fri, 12 Sep 2008 07:50:05 +0200 (CEST) Received: by mail.cksoft.de (Postfix, from userid 66) id 8982B41C7BA; Fri, 12 Sep 2008 07:50:05 +0200 (CEST) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id 012DA44487F; Fri, 12 Sep 2008 05:48:57 +0000 (UTC) Date: Fri, 12 Sep 2008 05:48:57 +0000 (UTC) 
From: "Bjoern A. Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: Julian Elischer In-Reply-To: <48C97AB3.6040907@elischer.org> Message-ID: <20080912054832.Q65801@maildrop.int.zabbadoz.net> References: <48C97AB3.6040907@elischer.org> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: FreeBSD Net , ipfw@freebsd.org Subject: Re: anyone have a netgraph node to do ipfw filtering? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2008 05:50:08 -0000

On Thu, 11 Sep 2008, Julian Elischer wrote:

Hi,

> I think someone sent me a link to an ng_ipfw_filter node once
> but I've lost it...
>
> (I think it was called ng_ipfw but that name is now taken by the
> netgraph/ipfw 'ipfw netgraph' packet divert option).
>
> Something that lets you do ipfw filtering on packets as they
> travel across a graph.
>
> As I said, I've seen one but lost it...

I could be wrong but did you mean?
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netgraph/ng_ipfw.c

--
Bjoern A. Zeeb Stop bit received. Insert coin for new game.
From owner-freebsd-net@FreeBSD.ORG Fri Sep 12 06:12:31 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3471D1065697 for ; Fri, 12 Sep 2008 06:12:31 +0000 (UTC) (envelope-from julian@elischer.org) Received: from outQ.internet-mail-service.net (outq.internet-mail-service.net [216.240.47.240]) by mx1.freebsd.org (Postfix) with ESMTP id 168A98FC26 for ; Fri, 12 Sep 2008 06:12:31 +0000 (UTC) (envelope-from julian@elischer.org) Received: from idiom.com (mx0.idiom.com [216.240.32.160]) by out.internet-mail-service.net (Postfix) with ESMTP id 9024B2496; Thu, 11 Sep 2008 23:12:30 -0700 (PDT) Received: from julian-mac.elischer.org (localhost [127.0.0.1]) by idiom.com (Postfix) with ESMTP id 0E3992D600D; Thu, 11 Sep 2008 23:12:30 -0700 (PDT) Message-ID: <48CA084D.1050406@elischer.org> Date: Thu, 11 Sep 2008 23:12:29 -0700 
From: Julian Elischer User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707) MIME-Version: 1.0 To: "Bjoern A. Zeeb" References: <48C97AB3.6040907@elischer.org> <20080912054832.Q65801@maildrop.int.zabbadoz.net> In-Reply-To: <20080912054832.Q65801@maildrop.int.zabbadoz.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: FreeBSD Net , ipfw@freebsd.org Subject: Re: anyone have a netgraph node to do ipfw filtering? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2008 06:12:31 -0000

Bjoern A. Zeeb wrote:
> On Thu, 11 Sep 2008, Julian Elischer wrote:
>
> Hi,
>
>> I think someone sent me a link to an ng_ipfw_filter node once
>> but I've lost it...
>>
>> (I think it was called ng_ipfw but that name is now taken by the
>> netgraph/ipfw 'ipfw netgraph' packet divert option).
>>
>> Something that lets you do ipfw filtering on packets as they
>> travel across a graph.
>>
>> As I said, I've seen one but lost it...
>
> I could be wrong but did you mean?
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netgraph/ng_ipfw.c
>

no, that's the one I refer to in the mail, which is the inverse of what I want; that one allows ipfw to send things to netgraph. I want one to allow a netgraph graph to filter things with ipfw...
From owner-freebsd-net@FreeBSD.ORG Fri Sep 12 06:15:06 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4E1AA1065684; Fri, 12 Sep 2008 06:15:06 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.cksoft.de (mail.cksoft.de [62.111.66.27]) by mx1.freebsd.org (Postfix) with ESMTP id F2EB18FC12; Fri, 12 Sep 2008 06:15:05 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from localhost (amavis.str.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 3C57241C7DC; Fri, 12 Sep 2008 08:15:05 +0200 (CEST) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([62.111.66.27]) by localhost (amavis.str.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id DKpAHUMRb1uM; Fri, 12 Sep 2008 08:15:04 +0200 (CEST) Received: by mail.cksoft.de (Postfix, from userid 66) id E34E641C7D2; Fri, 12 Sep 2008 08:15:04 +0200 (CEST) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id 4477544487F; Fri, 12 Sep 2008 06:13:49 +0000 (UTC) Date: Fri, 12 Sep 2008 06:13:49 +0000 (UTC) 
From: "Bjoern A. Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: Julian Elischer In-Reply-To: <20080912054832.Q65801@maildrop.int.zabbadoz.net> Message-ID: <20080912061314.H65801@maildrop.int.zabbadoz.net> References: <48C97AB3.6040907@elischer.org> <20080912054832.Q65801@maildrop.int.zabbadoz.net> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: FreeBSD Net , ipfw@freebsd.org Subject: Re: anyone have a netgraph node to do ipfw filtering? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2008 06:15:06 -0000 On Fri, 12 Sep 2008, Bjoern A. Zeeb wrote: > On Thu, 11 Sep 2008, Julian Elischer wrote: > > Hi, > >> I think someone sent me a link to an ng_ipfw_filter node once >> but I've lost it... >> >> (I think it was called ng_ipfw but that name is now taken by the >> netgraph/ipfw 'ipfw netgraph' packet divert option). >> >> Something that lets you do ipfw filtering on packets as they >> travel across a graph. >> >> As I said,I've seen one but lost it... > > I could be wrong but did you mean? baeh, ignore this... -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. 
From owner-freebsd-net@FreeBSD.ORG Fri Sep 12 06:16:37 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5F221106566C for ; Fri, 12 Sep 2008 06:16:37 +0000 (UTC) (envelope-from eugen@kuzbass.ru) Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.freebsd.org (Postfix) with ESMTP id 8C0DF8FC12 for ; Fri, 12 Sep 2008 06:16:36 +0000 (UTC) (envelope-from eugen@kuzbass.ru) Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1]) by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id m8C6GS4t046579; Fri, 12 Sep 2008 14:16:28 +0800 (KRAST) (envelope-from eugen@www.svzserv.kemerovo.su) Received: (from eugen@localhost) by www.svzserv.kemerovo.su (8.13.8/8.13.8/Submit) id m8C6GSRP046578; Fri, 12 Sep 2008 14:16:28 +0800 (KRAST) (envelope-from eugen) Date: Fri, 12 Sep 2008 14:16:28 +0800 
From: Eugene Grosbein To: Julian Elischer Message-ID: <20080912061628.GA46340@svzserv.kemerovo.su> References: <48C97AB3.6040907@elischer.org> <20080912054832.Q65801@maildrop.int.zabbadoz.net> <48CA084D.1050406@elischer.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <48CA084D.1050406@elischer.org> User-Agent: Mutt/1.4.2.3i Cc: "Bjoern A. Zeeb" , ipfw@freebsd.org, FreeBSD Net Subject: Re: anyone have a netgraph node to do ipfw filtering? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2008 06:16:37 -0000 On Thu, Sep 11, 2008 at 11:12:29PM -0700, Julian Elischer wrote: > that one allows ipfw to send things to netgraph. I want one > to allow a netgraph graph to filter things with ipfw... ng_bpf? not exactly ipfw filtering, but filtering :-) Eugene Grosbein From owner-freebsd-net@FreeBSD.ORG Fri Sep 12 06:17:32 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6B9DC106566B for ; Fri, 12 Sep 2008 06:17:32 +0000 (UTC) (envelope-from andrew@modulus.org) Received: from email.octopus.com.au (host-122-100-2-232.octopus.com.au [122.100.2.232]) by mx1.freebsd.org (Postfix) with ESMTP id 24ACA8FC33 for ; Fri, 12 Sep 2008 06:17:31 +0000 (UTC) (envelope-from andrew@modulus.org) Received: by email.octopus.com.au (Postfix, from userid 1002) id F170A17E3D; Fri, 12 Sep 2008 16:17:46 +1000 (EST) X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on email.octopus.com.au X-Spam-Level: X-Spam-Status: No, score=-1.4 required=10.0 tests=ALL_TRUSTED autolearn=failed version=3.2.3 Received: from [10.1.50.60] (ppp121-44-8-108.lns10.syd7.internode.on.net [121.44.8.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) 
(No client certificate requested) (Authenticated sender: admin@email.octopus.com.au) by email.octopus.com.au (Postfix) with ESMTP id C03C9178A7; Fri, 12 Sep 2008 16:17:37 +1000 (EST) Message-ID: <48CA0952.50804@modulus.org> Date: Fri, 12 Sep 2008 16:16:50 +1000 
From: Andrew Snow User-Agent: Thunderbird 2.0.0.14 (X11/20080523) MIME-Version: 1.0 To: Julian Elischer References: <48C97AB3.6040907@elischer.org> <20080912054832.Q65801@maildrop.int.zabbadoz.net> In-Reply-To: <20080912054832.Q65801@maildrop.int.zabbadoz.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: FreeBSD Net , ipfw@freebsd.org Subject: Re: anyone have a netgraph node to do ipfw filtering? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2008 06:17:32 -0000 I think what you ask can be done by: 1. sending the packet through ng_mbuf to tag it 2. sending it to ng_ipfw to be sent through IPFW 3. use IPFW rules to operate on packets with the particular tag you attached in #1 4. as the final IPFW rule, pass the packet back in to netgraph via a 'netgraph' IPFW rule. I have not tried this, no idea if it would work Best of luck! 
:-) - Andrew From owner-freebsd-net@FreeBSD.ORG Fri Sep 12 06:48:50 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EDDFD106564A for ; Fri, 12 Sep 2008 06:48:50 +0000 (UTC) (envelope-from julian@elischer.org) Received: from outN.internet-mail-service.net (outn.internet-mail-service.net [216.240.47.237]) by mx1.freebsd.org (Postfix) with ESMTP id CC7908FC12 for ; Fri, 12 Sep 2008 06:48:50 +0000 (UTC) (envelope-from julian@elischer.org) Received: from idiom.com (mx0.idiom.com [216.240.32.160]) by out.internet-mail-service.net (Postfix) with ESMTP id AD19E2376; Thu, 11 Sep 2008 23:48:50 -0700 (PDT) Received: from julian-mac.elischer.org (localhost [127.0.0.1]) by idiom.com (Postfix) with ESMTP id 5B0DE2D600E; Thu, 11 Sep 2008 23:48:50 -0700 (PDT) Message-ID: <48CA10D2.4040807@elischer.org> Date: Thu, 11 Sep 2008 23:48:50 -0700 
From: Julian Elischer User-Agent: Thunderbird 2.0.0.16 (Macintosh/20080707) MIME-Version: 1.0 To: Eugene Grosbein References: <48C97AB3.6040907@elischer.org> <20080912054832.Q65801@maildrop.int.zabbadoz.net> <48CA084D.1050406@elischer.org> <20080912061628.GA46340@svzserv.kemerovo.su> In-Reply-To: <20080912061628.GA46340@svzserv.kemerovo.su> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: "Bjoern A. Zeeb" , ipfw@freebsd.org, FreeBSD Net Subject: Re: anyone have a netgraph node to do ipfw filtering? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2008 06:48:51 -0000 Eugene Grosbein wrote: > On Thu, Sep 11, 2008 at 11:12:29PM -0700, Julian Elischer wrote: > >> that one allows ipfw to send things to netgraph. I want one >> to allow a netgraph graph to filter things with ipfw... > > ng_bpf? not exactly ipfw filtering, but filtering :-) > No, it needs to be ipfw for the job I'm doing... there is already a lot of code that manipulates ipfw rules that I want to reuse (heavy use of tables etc.). 
From owner-freebsd-net@FreeBSD.ORG Fri Sep 12 06:56:03 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D5A0D106567A; Fri, 12 Sep 2008 06:56:03 +0000 (UTC) (envelope-from eugen@kuzbass.ru) Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.freebsd.org (Postfix) with ESMTP id 0D0C18FC1D; Fri, 12 Sep 2008 06:56:02 +0000 (UTC) (envelope-from eugen@kuzbass.ru) Received: from kuzbass.ru (kost [213.184.65.82]) by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id m8C6tw1f052330; Fri, 12 Sep 2008 14:55:58 +0800 (KRAST) (envelope-from eugen@kuzbass.ru) Message-ID: <48CA127E.9BDA9C22@kuzbass.ru> Date: Fri, 12 Sep 2008 14:55:58 +0800 
From: Eugene Grosbein Organization: SVZServ X-Mailer: Mozilla 4.8 [en] (Windows NT 5.0; U) X-Accept-Language: ru,en MIME-Version: 1.0 To: Julian Elischer References: <48C97AB3.6040907@elischer.org> <20080912054832.Q65801@maildrop.int.zabbadoz.net> <48CA084D.1050406@elischer.org> <20080912061628.GA46340@svzserv.kemerovo.su> <48CA10D2.4040807@elischer.org> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Cc: "Bjoern A. Zeeb" , ipfw@freebsd.org, FreeBSD Net Subject: Re: anyone have a netgraph node to do ipfw filtering? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2008 06:56:03 -0000 Julian Elischer wrote: > >> that one allows ipfw to send things to netgraph. I want one > >> to allow a netgraph graph to filter things with ipfw... > > > > ng_bpf? not exactly ipfw filtering, but filtering :-) > > No it needs to be ipfw for the job I'm doing..there is already a lot > of code that manipulates ipfw rules that I want to reuse. > (heavy use of tables etc.). I think there is no such node at present; I did some searching recently. 
From owner-freebsd-net@FreeBSD.ORG Fri Sep 12 10:20:06 2008 Return-Path: Delivered-To: freebsd-net@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A8DAA106564A for ; Fri, 12 Sep 2008 10:20:06 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 942338FC0A for ; Fri, 12 Sep 2008 10:20:06 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m8CAK6Kp051255 for ; Fri, 12 Sep 2008 10:20:06 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m8CAK6UP051253; Fri, 12 Sep 2008 10:20:06 GMT (envelope-from gnats) Date: Fri, 12 Sep 2008 10:20:06 GMT Message-Id: <200809121020.m8CAK6UP051253@freefall.freebsd.org> To: freebsd-net@FreeBSD.org From: Edwin Groothuis Cc: Subject: Re: misc/127266: gif tunnel error ifconfig: SIOCSIFPHYADDR: Can't assign requested address X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Edwin Groothuis List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2008 10:20:06 -0000 The following reply was made to PR kern/127266; it has been noted by GNATS. 
From: Edwin Groothuis To: Serg Livitin Cc: freebsd-gnats-submit@FreeBSD.org Subject: Re: misc/127266: gif tunnel error ifconfig: SIOCSIFPHYADDR: Can't assign requested address Date: Fri, 12 Sep 2008 20:10:50 +1000 On Wed, Sep 10, 2008 at 08:39:35AM +0000, Serg Livitin wrote: > my ifconfig: > sis0: flags=8843 mtu 1500 > options=8 > inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255 > ether 00:16:ec:44:e3:a8 > media: Ethernet autoselect (100baseTX ) > status: active > xl0: flags=8843 mtu 1500 > options=9 > inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255 > ether 00:04:76:a1:97:ef > media: Ethernet autoselect (100baseTX ) > status: active > fxp0: flags=8843 mtu 1500 > options=8 > inet 79.165.217.154 netmask 0xfffff000 broadcast 255.255.255.255 > ether 00:50:8b:5f:f2:4a > media: Ethernet autoselect (100baseTX ) > status: active > lo0: flags=8049 mtu 16384 > inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 > inet6 ::1 prefixlen 128 > inet 127.0.0.1 netmask 0xff000000 > gif0: flags=8051 mtu 1280 > tunnel inet 79.165.217.154 --> 212.248.60.138 > inet 192.168.0.254 --> 192.168.8.254 netmask 0xffffff00 > gif3: flags=8051 mtu 1280 > tunnel inet 79.165.217.154 --> 81.195.226.74 > inet 192.168.0.254 --> 192.168.2.254 netmask 0xffffff00 > > [Home]gw# ifconfig gif14 create > [Home]gw# ifconfig gif14 tunnel 79.165.217.154 212.248.60.138 > ifconfig: SIOCSIFPHYADDR: Can't assign requested address You already used that address on gif0. 
Edwin -- Edwin Groothuis | Personal website: http://www.mavetju.org edwin@mavetju.org | Weblog: http://www.mavetju.org/weblog/ From owner-freebsd-net@FreeBSD.ORG Fri Sep 12 10:45:46 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 34A05106564A for ; Fri, 12 Sep 2008 10:45:46 +0000 (UTC) (envelope-from chris@cretaforce.gr) Received: from server4.cretaforce.gr (server4.cretaforce.gr [85.17.232.205]) by mx1.freebsd.org (Postfix) with ESMTP id F19A88FC1B for ; Fri, 12 Sep 2008 10:45:45 +0000 (UTC) (envelope-from chris@cretaforce.gr) Received: from [192.168.0.10] (athedsl-113309.home.otenet.gr [85.75.18.60]) by server4.cretaforce.gr (Postfix) with ESMTPA id 7ABD539884 for ; Fri, 12 Sep 2008 13:30:40 +0300 (EEST) 
From: Chris To: freebsd-net@freebsd.org Content-Type: text/plain Date: Fri, 12 Sep 2008 13:30:36 +0300 Message-Id: <1221215436.13772.15.camel@desktop.lan> Mime-Version: 1.0 X-Mailer: Evolution 2.22.3.1 Content-Transfer-Encoding: 7bit Subject: FreeBSD 7.0 and vr0 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2008 10:45:46 -0000 Hello, I have a FreeBSD 7.0 server with patch level 3 and no ipv6 services running. SSH / web-server / ftp server / etc stop responding but server responds to ping. A reboot fixes this. The logs show nothing. Any idea what may be wrong? Regards, Chris Chatzaras From owner-freebsd-net@FreeBSD.ORG Sat Sep 13 14:17:09 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2A9AF1065676 for ; Sat, 13 Sep 2008 14:17:09 +0000 (UTC) (envelope-from gaijin.k@gmail.com) Received: from mail-gx0-f17.google.com (mail-gx0-f17.google.com [209.85.217.17]) by mx1.freebsd.org (Postfix) with ESMTP id BBA5D8FC29 for ; Sat, 13 Sep 2008 14:17:08 +0000 (UTC) (envelope-from gaijin.k@gmail.com) Received: by gxk10 with SMTP id 10so20755547gxk.19 for ; Sat, 13 Sep 2008 07:17:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=enz8cqJWxJKzw14zOsUjDZ+OxK5RDEZUlbT1RCAIOSI=; b=Gxeq1P0NLYWJDii+LBGQJDIs2YRgiu7Gfft6vXWv5pePJcAYHBjWpsomxlG9KLpHqm AmD6m2GkA2dh+uTTQ2hL2amIJMw0f2WxC08SOqo9JQuvCnhCJJqd85ARv3EgPTkjRP5D AHLReeGlKUBnVUt7dhNUn+ZzgBzzyZooQ2/b8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date 
:message-id:mime-version:x-mailer:content-transfer-encoding; b=fmWQihx2PBZTRNo+u2QdL1vpIWoLeq6hAUIznz2QdRyxMxPAhOr5jYKjBJ5P8JfKto Gs1SjfP3tfoZSRFCqbvNIUYyRT+HgKidXQP2UXc0I60KVqgGhXxzlcLwpdABDcGxW3dj DJSNtB7MNLFDfsK+jCWoODMrincSey08ngLPo= Received: by 10.90.66.14 with SMTP id o14mr6728483aga.72.1221313824749; Sat, 13 Sep 2008 06:50:24 -0700 (PDT) Received: from ?10.0.3.231? ( [70.111.10.128]) by mx.google.com with ESMTPS id 34sm18903182agc.6.2008.09.13.06.50.23 (version=SSLv3 cipher=RC4-MD5); Sat, 13 Sep 2008 06:50:24 -0700 (PDT) 
From: "Alexandre \"Sunny\" Kovalenko" To: Rui Paulo In-Reply-To: <20080828002919.GA54169@alpha.local> References: <20080828002919.GA54169@alpha.local> Content-Type: text/plain; charset=utf-8 Date: Sat, 13 Sep 2008 09:50:11 -0400 Message-Id: <1221313811.1305.15.camel@RabbitsDen> Mime-Version: 1.0 X-Mailer: Evolution 2.22.3.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: 8bit Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, freebsd-mobile@freebsd.org Subject: Re: HEADS UP: ath_hal updated to 0.10.5.10 -- PLEASE TEST X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Sep 2008 14:17:09 -0000 On Thu, 2008-08-28 at 01:29 +0100, Rui Paulo wrote: > Hi, > We've updated ath_hal in HEAD to 0.10.5.10. This supports a couple of > new chips, namely those on the Asus Eee PC, MacBooks and other laptops. > > If you have an Atheros or Atheros based card, I really wanted you to > test it. We were unable to test this in several Atheros chipsets, so > if you find a regression, please contact me or Sam Leffler > (sam@freebsd.org) ASAP. > So, please give it a try :-) I don't know if it is necessarily useful thing to report, but I have pulled it into RELENG_7 (as of August 29th) and so far I have not seen lookups, which were my regular fare with 0.9.20.3 and powerd. I see a lot of "bogus rix..." and "bogus ndx0..." 
messages flying by, but since nobody promised that this should work on RELENG_7, I don't think they are worth reporting ;) My hardware is ThinkPad X60: Sep 13 09:30:26 RabbitsDen kernel: ath_hal: 0.10.5.10 (AR5210, AR5211, AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, RF2133, RF2425, RF2417) Sep 13 09:30:27 RabbitsDen kernel: ath0: mem 0xedf00000-0xedf0ffff irq 17 at device 0.0 on pci3 Sep 13 09:30:27 RabbitsDen kernel: ath0: [ITHREAD] Sep 13 09:30:27 RabbitsDen kernel: ath0: WARNING: using obsoleted if_watchdog interface Sep 13 09:30:27 RabbitsDen kernel: ath0: Ethernet address: xx:xx:xx:xx:xx:xx Sep 13 09:30:27 RabbitsDen kernel: ath0: mac 10.3 phy 6.1 radio 10.2 > > Unfortunately, this will only make 7.1 if the release date slips. So, > don't expect this to be MFCed any time soon. Those having troubles with 0.9.x.x should be able to pull it in without much difficulty, at least to give it a try. Thank you very much for doing this work! -- Alexandre "Sunny" Kovalenko (Олександр Коваленко) From owner-freebsd-net@FreeBSD.ORG Sat Sep 13 14:54:27 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6D265106564A for ; Sat, 13 Sep 2008 14:54:27 +0000 (UTC) (envelope-from rpaulo@gmail.com) Received: from ik-out-1112.google.com (ik-out-1112.google.com [66.249.90.179]) by mx1.freebsd.org (Postfix) with ESMTP id E767B8FC12 for ; Sat, 13 Sep 2008 14:54:26 +0000 (UTC) (envelope-from rpaulo@gmail.com) Received: by ik-out-1112.google.com with SMTP id c29so1158569ika.3 for ; Sat, 13 Sep 2008 07:54:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:received:date:from:to:cc :subject:message-id:references:mime-version:content-type :content-disposition:in-reply-to:user-agent:sender; bh=bGmHP/mz/4nHdnfDse1aVPF6vF8AEG3SYQgU8vavJUY=; 
b=Zpc8FxvztCJb6+GXk2MAbmNwtlHFGyZq5uzOMmgygSYckhx5+ldk4oit9Wb4OIJHfE 4JnMnjhgjQhaCFVmUyBa79+qH0ll3sk2eoD0TBIoiWTlfXaq5DWGds9KlE1CGPne9vA1 aOuPneFB+AJzdYXEuNSn4q7ARyH8vN5W1ZaBA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent:sender; b=J5rqZN8/MyI6tdAJ/OXnFBIF/nH2KlqeIPYE9tqEZAzimf6wE4XKr260TR5YMhv4fb 0PQn6V0VPvvTDagEs9scyvgfs4XLyKyljd8Owo0vzFjfUFQ1e7SyZVMEnf6UyulvxWey Dp7/LrvmaT0j6uD0V5atdHWtw0LEEtZwOgmoE= Received: by 10.210.19.4 with SMTP id 4mr2095504ebs.48.1221317664953; Sat, 13 Sep 2008 07:54:24 -0700 (PDT) Received: from alpha.local ( [83.144.140.92]) by mx.google.com with ESMTPS id t2sm949929gve.9.2008.09.13.07.54.23 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sat, 13 Sep 2008 07:54:23 -0700 (PDT) Received: by alpha.local (Postfix, from userid 1001) id 7BFE811500; Sat, 13 Sep 2008 15:51:45 +0100 (WEST) Date: Sat, 13 Sep 2008 15:51:45 +0100 
From: Rui Paulo To: Alexandre Sunny Kovalenko Message-ID: <20080913145145.GA13435@alpha.local> References: <20080828002919.GA54169@alpha.local> <1221313811.1305.15.camel@RabbitsDen> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1221313811.1305.15.camel@RabbitsDen> User-Agent: Mutt/1.5.18 (2008-05-17) Sender: Rui Paulo Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Rui Paulo , freebsd-mobile@freebsd.org Subject: Re: HEADS UP: ath_hal updated to 0.10.5.10 -- PLEASE TEST X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Sep 2008 14:54:27 -0000 On Sat, Sep 13, 2008 at 09:50:11AM -0400, Alexandre Sunny Kovalenko wrote: > On Thu, 2008-08-28 at 01:29 +0100, Rui Paulo wrote: > > Hi, > > We've updated ath_hal in HEAD to 0.10.5.10. This supports a couple of > > new chips, namely those on the Asus Eee PC, MacBooks and other laptops. > > > > If you have an Atheros or Atheros based card, I really wanted you to > > test it. We were unable to test this in several Atheros chipsets, so > > if you find a regression, please contact me or Sam Leffler > > (sam@freebsd.org) ASAP. > > So, please give it a try :-) > I don't know if it is necessarily useful thing to report, but I have > pulled it into RELENG_7 (as of August 29th) and so far I have not seen > lookups, which were my regular fare with 0.9.20.3 and powerd. Yes, I think I had them too sometimes. > I see a lot of "bogus rix..." and "bogus ndx0..." messages flying by, > but since nobody promised that this should work on RELENG_7, I don't > think they are worth reporting ;) They happen to me on HEAD too (but I think they are harmless). 
Regards, -- Rui Paulo From owner-freebsd-net@FreeBSD.ORG Sat Sep 13 17:26:00 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 64CD61065671 for ; Sat, 13 Sep 2008 17:26:00 +0000 (UTC) (envelope-from gaijin.k@gmail.com) Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.245]) by mx1.freebsd.org (Postfix) with ESMTP id 112118FC23 for ; Sat, 13 Sep 2008 17:25:59 +0000 (UTC) (envelope-from gaijin.k@gmail.com) Received: by an-out-0708.google.com with SMTP id b33so152114ana.13 for ; Sat, 13 Sep 2008 10:25:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :in-reply-to:references:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; bh=38TaopU5rsZUU+IFgT+GqSO5jf02Gz4e4yqm8t32x+k=; b=L+8i7d986VhmKnOzZ653w+33DydRQopa2+Rj/UKlYT1vSHy8KRldzOGeDuo6rIIPds FKCsgFM9dL76O3SoC/qDc1mNvJn/8MpbuNbVMR2FuawyjffolpQjqfQOz7Je7vEcRZ7q yQ4kYXql44po0EeLZTTH0+sG8M4eKzVp7b9Oo= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:x-mailer:content-transfer-encoding; b=AtxMhUruZOk1BGAz9Y/7qDXFpDHKKc8XdAAYNREw9x/nNx3HZxhVFD2kpNLuGp9OFd acm1NKItkj7EdXFDQW6JmoqY094RUaI+eBKyKp1ts2DgiaxZYAPrmgx6mO8KhB0b5Fnj HeNh/+Gw1zjC3lBgQDGcC+5z9ii2LZCIw83LM= Received: by 10.100.225.19 with SMTP id x19mr6561141ang.152.1221326759240; Sat, 13 Sep 2008 10:25:59 -0700 (PDT) Received: from ?10.0.3.231? ( [70.111.10.128]) by mx.google.com with ESMTPS id i15sm4664276wxd.1.2008.09.13.10.25.56 (version=SSLv3 cipher=RC4-MD5); Sat, 13 Sep 2008 10:25:58 -0700 (PDT) 
From: "Alexandre \"Sunny\" Kovalenko" To: Kostik Belousov In-Reply-To: <20080913150553.GV39652@deviant.kiev.zoral.com.ua> References: <20080828002919.GA54169@alpha.local> <1221313811.1305.15.camel@RabbitsDen> <20080913145145.GA13435@alpha.local> <20080913150553.GV39652@deviant.kiev.zoral.com.ua> Content-Type: text/plain; charset=utf-8 Date: Sat, 13 Sep 2008 13:25:44 -0400 Message-Id: <1221326744.1305.28.camel@RabbitsDen> Mime-Version: 1.0 X-Mailer: Evolution 2.22.3.1 FreeBSD GNOME Team Port Content-Transfer-Encoding: 8bit Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Rui Paulo Subject: Re: HEADS UP: ath_hal updated to 0.10.5.10 -- PLEASE TEST X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Sep 2008 17:26:00 -0000 On Sat, 2008-09-13 at 18:05 +0300, Kostik Belousov wrote: > On Sat, Sep 13, 2008 at 03:51:45PM +0100, Rui Paulo wrote: > > On Sat, Sep 13, 2008 at 09:50:11AM -0400, Alexandre Sunny Kovalenko wrote: > > > On Thu, 2008-08-28 at 01:29 +0100, Rui Paulo wrote: > > > > Hi, > > > > We've updated ath_hal in HEAD to 0.10.5.10. This supports a couple of > > > > new chips, namely those on the Asus Eee PC, MacBooks and other laptops. > > > > > > > > If you have an Atheros or Atheros based card, I really wanted you to > > > > test it. We were unable to test this in several Atheros chipsets, so > > > > if you find a regression, please contact me or Sam Leffler > > > > (sam@freebsd.org) ASAP. > > > > So, please give it a try :-) > > > I don't know if it is necessarily useful thing to report, but I have > > > pulled it into RELENG_7 (as of August 29th) and so far I have not seen > > > lookups, which were my regular fare with 0.9.20.3 and powerd. > > > > Yes, I think I had them too sometimes. > > > > > I see a lot of "bogus rix..." and "bogus ndx0..." 
messages flying by, > > > but since nobody promised that this should work on RELENG_7, I don't > > > think they are worth reporting ;) > > > > They happen to me on HEAD too (but I think they are harmless). > > Are there estimations for the MFC ? Obviously, after 7.1, but how long ? I think (sm) that if everyone interested in MFC and running RELENG_7 would replace his local copy of /usr/src/sys/contrib/dev/ath with the one from the HEAD, rebuild his kernel, or, as it was the case for me, ath_hal.ko and if_ath.ko, run with it for a while and report success back to this list, we can speed this up dramatically. In my experience, replacing 9.x.x.x HAL that came with RELENG_7 with this one solved at least one persistent and annoying problem, and so far has not shown any regressions. YMMV. But then again, I am not the one who would be doing MFC, so this is just an assumption on my part, not necessarily correct or useful. -- Alexandre "Sunny" Kovalenko (Олександр Коваленко) From owner-freebsd-net@FreeBSD.ORG Sat Sep 13 17:42:13 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3B85F106566C for ; Sat, 13 Sep 2008 17:42:13 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.cksoft.de (mail.cksoft.de [62.111.66.27]) by mx1.freebsd.org (Postfix) with ESMTP id DF8BD8FC14 for ; Sat, 13 Sep 2008 17:42:12 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from localhost (amavis.str.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 26A1141C6DB for ; Sat, 13 Sep 2008 19:42:11 +0200 (CEST) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([62.111.66.27]) by localhost (amavis.str.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id v-xZDX5RRkhy for ; Sat, 13 Sep 2008 19:42:08 +0200 (CEST) Received: by mail.cksoft.de (Postfix, from userid 66) id B7B6541C6A1; Sat, 13 
Sep 2008 19:42:08 +0200 (CEST) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id 5E61E44487F for ; Sat, 13 Sep 2008 17:41:51 +0000 (UTC) Date: Sat, 13 Sep 2008 17:41:51 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: freebsd-net@freebsd.org Message-ID: <20080913173441.F65801@maildrop.int.zabbadoz.net> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Subject: TCP-MD5 support for IPv6 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 Sep 2008 17:42:13 -0000 Hi, I just committed IPv6 TCP-MD5 support for HEAD. This gives one the ability to send the TCP signature but as with IPv4 there is no input path validation and we need to enhance the key management, etc. But that's another story. For now I have an additional hack that enables sending ... for IPv4 and IPv6: - ACK from timewait - initial RST after socket close (as long as possible) For both changes, one needs to hack up TCP in a very bad way as we lose the "signature flag" on the way down. Multiple TCP exit paths do not help with this either. Nick (thanks!) had tried it and given me tcpdumps and they looked sane. In case you can use it as well, the patch, temporary, is here: http://people.freebsd.org/~bz/20080913-02-tcp-md5-ack-rst.diff This is the "more changes" I mentioned in the commit message. Regards, Bjoern -- Bjoern A. Zeeb Stop bit received. Insert coin for new game. ---------- Forwarded message ---------- Date: Sat, 13 Sep 2008 17:26:46 +0000 (UTC) 
From: Bjoern A. Zeeb
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/netinet tcp_output.c tcp_subr.c tcp_syncache.c

bz          2008-09-13 17:26:46 UTC

  FreeBSD src repository

  Modified files:
    sys/netinet          tcp_output.c tcp_subr.c tcp_syncache.c
  Log:
  SVN rev 183001 on 2008-09-13 17:26:46Z by bz

  Implement IPv6 support for TCP MD5 Signature Option (RFC 2385)
  the same way it has been implemented for IPv4.

  Reviewed by:    bms (skimmed)
  Tested by:      Nick Hilliard (nick netability.ie) (with more changes)
  MFC after:      2 months

  Revision  Changes    Path
  1.155     +1 -8      src/sys/netinet/tcp_output.c
  1.316     +93 -24    src/sys/netinet/tcp_subr.c
  1.156     +1 -1      src/sys/netinet/tcp_syncache.c

From owner-freebsd-net@FreeBSD.ORG Sat Sep 13 18:27:01 2008
Date: Sat, 13 Sep 2008 19:24:12 +0100
From: Rui Paulo
To: Alexandre Sunny Kovalenko
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org
Message-ID: <20080913182412.GA6850@alpha.local>
References: <20080828002919.GA54169@alpha.local> <1221313811.1305.15.camel@RabbitsDen> <20080913145145.GA13435@alpha.local> <20080913150553.GV39652@deviant.kiev.zoral.com.ua> <1221326744.1305.28.camel@RabbitsDen>
In-Reply-To: <1221326744.1305.28.camel@RabbitsDen>
Subject: Re: HEADS UP: ath_hal updated to 0.10.5.10 -- PLEASE TEST

On Sat, Sep 13, 2008 at 01:25:44PM -0400, Alexandre Sunny Kovalenko wrote:
> Are there estimations for the MFC ? Obviously, after 7.1, but how long ?
> I think (sm) that if everyone interested in MFC and running RELENG_7
> would replace his local copy of /usr/src/sys/contrib/dev/ath with the
> one from the HEAD, rebuild his kernel, or, as it was the case for me,
> ath_hal.ko and if_ath.ko, run with it for a while and report success
> back to this list, we can speed this up dramatically. In my experience,
> replacing 9.x.x.x HAL that came with RELENG_7 with this one solved at
> least one persistent and annoying problem, and so far has not shown any
> regressions. YMMV.
>
> But then again, I am not the one who would be doing MFC, so this is just
> an assumption on my part, not necessarily correct or useful.

I may do an MFC in medium-to-long time, but there are some changes in the code that I need to clear up with Sam. So, expect this only in 7.2.
Regards,
--
Rui Paulo

From owner-freebsd-net@FreeBSD.ORG Sat Sep 13 19:22:02 2008
Date: Sat, 13 Sep 2008 18:05:53 +0300
From: Kostik Belousov
To: Rui Paulo
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Alexandre Sunny Kovalenko
Message-ID: <20080913150553.GV39652@deviant.kiev.zoral.com.ua>
References: <20080828002919.GA54169@alpha.local> <1221313811.1305.15.camel@RabbitsDen> <20080913145145.GA13435@alpha.local>
In-Reply-To: <20080913145145.GA13435@alpha.local>
Subject: Re: HEADS UP: ath_hal updated to 0.10.5.10 -- PLEASE TEST

On Sat, Sep 13, 2008 at 03:51:45PM +0100, Rui Paulo wrote:
> On Sat, Sep 13, 2008 at 09:50:11AM -0400, Alexandre Sunny Kovalenko wrote:
> > On Thu, 2008-08-28 at 01:29 +0100, Rui Paulo wrote:
> > > Hi,
> > > We've updated ath_hal in HEAD to 0.10.5.10. This supports a couple of
> > > new chips, namely those on the Asus Eee PC, MacBooks and other laptops.
> > >
> > > If you have an Atheros or Atheros based card, I really wanted you to
> > > test it. We were unable to test this in several Atheros chipsets, so
> > > if you find a regression, please contact me or Sam Leffler
> > > (sam@freebsd.org) ASAP.
> > > So, please give it a try :-)
> > I don't know if it is necessarily useful thing to report, but I have
> > pulled it into RELENG_7 (as of August 29th) and so far I have not seen
> > lookups, which were my regular fare with 0.9.20.3 and powerd.
>
> Yes, I think I had them too sometimes.
>
> > I see a lot of "bogus rix..." and "bogus ndx0..." messages flying by,
> > but since nobody promised that this should work on RELENG_7, I don't
> > think they are worth reporting ;)
>
> They happen to me on HEAD too (but I think they are harmless).

Are there estimations for the MFC ? Obviously, after 7.1, but how long ?

From owner-freebsd-net@FreeBSD.ORG Sat Sep 13 22:36:01 2008
Date: Sat, 13 Sep 2008 22:35:59 GMT
Message-Id: <200809132235.m8DMZxs0074581@freefall.freebsd.org>
To: admin@netadmin.ru, remko@FreeBSD.org, freebsd-net@FreeBSD.org
From: remko@FreeBSD.org
Subject: Re: kern/127266: [gif] gif tunnel error ifconfig: SIOCSIFPHYADDR: Can't assign requested address

Synopsis: [gif] gif tunnel error ifconfig: SIOCSIFPHYADDR: Can't assign requested address

State-Changed-From-To: open->closed
State-Changed-By: remko
State-Changed-When: Sat Sep 13 22:35:59 UTC 2008
State-Changed-Why:
Both Edwin (public reply) and I (private reply) mentioned the same problem. Most likely this is the issue. Please reply to one of our emails to get this further if needed.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127266