From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 30 11:06:55 2009
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 30 Mar 2009 11:06:54 GMT
Message-Id: <200903301106.n2UB6sai054776@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

57 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 31 08:08:15 2009
From: zgabe <zgabe84@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Tue, 31 Mar 2009 00:51:53 -0700 (PDT)
Message-ID: <22800054.post@talk.nabble.com>
Subject: FreeBSD 7.1 IPv6 multihoming problem

Hi All,

I am using a laptop, FreeBSD 7.1, connecting to two ISPs (wlan and ppp) and I
have IPv6 addresses. 'netstat -rn' says there is only one default gateway
(for example wlan's default gateway). My problem is the following:
If I ping the ppp tunnel from another computer, my laptop receives the
ICMP6 echo request over the ppp tunnel, but it answers over the wlan
interface. I read some similar posts (only ipv4) about forwarding with IPFW,
but I was unable to solve my problem until now.

I built a kernel with the following options:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD

and put these lines in my rc.conf
firewall_enable="YES"
firewall_type="open"

as the handbook says.

I use the following command as root:
ipfw add 101 fwd pppgateway ipv6 from pppaddress to any

(pppgateway and pppaddress are ipv6 addresses)

It throws a "getsockopt(IP_FW_ADD): Invalid argument" error!

I have tried to set the following variables but the problem is still the
same.
sysctl -w net.inet.ip.forwarding=1 and
sysctl -w net.inet6.ip6.forwarding=1

Thoughts?

--
View this message in context: http://www.nabble.com/FreeBSD-7.1-IPv6-multihoming-problem-tp22800054p22800054.html
Sent from the freebsd-ipfw mailing list archive at Nabble.com.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 31 08:08:16 2009
From: zgabe <zgabe84@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Tue, 31 Mar 2009 00:52:52 -0700 (PDT)
Message-ID: <22800054.post@talk.nabble.com>
Subject: FreeBSD 7.1 IPv6 multihoming problem

Hi All,

I am using a laptop, FreeBSD 7.1, connecting to two ISPs (wlan and ppp) and I
have IPv6 addresses. 'netstat -rn' says there is only one default gateway
(for example wlan's default gateway). My problem is the following:
If I ping the ppp tunnel from another computer, my laptop receives the
ICMP6 echo request over the ppp tunnel, but it answers over the wlan
interface. I read some similar posts (only ipv4) about forwarding with IPFW,
but I was unable to solve my problem until now.

I built a kernel with the following options:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD

and put these lines in my rc.conf
firewall_enable="YES"
firewall_type="open"

as the handbook says.

I use the following command as root:
ipfw add 101 fwd pppgateway ipv6 from pppaddress to any

(pppgateway and pppaddress are ipv6 addresses)

It throws a "getsockopt(IP_FW_ADD): Invalid argument" error!

I have tried to set the following variables but the problem is still the
same.
sysctl -w net.inet.ip.forwarding=1 and
sysctl -w net.inet6.ip6.forwarding=1

Can anybody help me?
From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 31 17:15:30 2009
From: Fabian Wenk <fabian@wenks.ch>
To: freebsd-ipfw@freebsd.org
Date: Tue, 31 Mar 2009 19:15:20 +0200
Message-ID: <49D24FA8.5040904@wenks.ch>
In-Reply-To: <22800054.post@talk.nabble.com>
Subject: Re: FreeBSD 7.1 IPv6 multihoming problem

Hello

On 31.03.09 09:51, zgabe wrote:
> I use the following command as root:
> ipfw add 101 fwd pppgateway ipv6 from pppaddress to any
>
> (pppgateway and pppaddress are ipv6 addresses)
>
> It throws a "getsockopt(IP_FW_ADD): Invalid argument" error!
> Thoughts?

I do have a similar setup, which works fine with IPv4, but with similar
problems on FreeBSD 6.x with IPv6; see "bin/117214: ipfw(8) fwd with IPv6
treats input as IPv4" [1] for the bug report I had submitted.

[1] http://www.freebsd.org/cgi/query-pr.cgi?pr=117214

Probably I should try my setup with 7.1 once; currently it is still running
with 6.x.

bye
Fabian

From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 31 20:38:28 2009
From: Julian Elischer <julian@elischer.org>
To: zgabe
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 31 Mar 2009 13:38:52 -0700
Message-ID: <49D27F5C.7030506@elischer.org>
In-Reply-To: <22800054.post@talk.nabble.com>
Subject: Re: FreeBSD 7.1 IPv6 multihoming problem

zgabe wrote:
> Hi All,
>
> I am using a laptop, FreeBSD 7.1, connecting to two ISPs (wlan and ppp) and I
> have IPv6 addresses. 'netstat -rn' says there is only one default gateway
> (for example wlan's default gateway). My problem is the following:
> If I ping the ppp tunnel from another computer, my laptop receives the
> ICMP6 echo request over the ppp tunnel, but it answers over the wlan
> interface. I read some similar posts (only ipv4) about forwarding with IPFW,
> but I was unable to solve my problem until now.
>
> I built a kernel with the following options:
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_FORWARD
>
> and put these lines in my rc.conf
> firewall_enable="YES"
> firewall_type="open"
>
> as the handbook says.
>
> I use the following command as root:
> ipfw add 101 fwd pppgateway ipv6 from pppaddress to any
>
> (pppgateway and pppaddress are ipv6 addresses)
>
> It throws a "getsockopt(IP_FW_ADD): Invalid argument" error!
>
> I have tried to set the following variables but the problem is still the
> same.
> sysctl -w net.inet.ip.forwarding=1 and
> sysctl -w net.inet6.ip6.forwarding=1
>
> Can anybody help me?
>

the theory with multihoming is that unless you are the holder of a
class-C (/24) you basically have to do it using NAT.
You have to make some subset of your traffic use one NAT while the
remainder uses another (or is untranslated).
Unfortunately we don't have NAT for IPV6. I don't know how that gets solved..
From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 1 20:47:22 2009
From: Giuliano Gavazzi <dev+lists@humph.com>
To: zgabe
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 1 Apr 2009 22:22:43 +0200
Message-Id: <54A338F9-D66C-4406-804C-7443798931C8@humph.com>
In-Reply-To: <49D27F5C.7030506@elischer.org>
Subject: Re: FreeBSD 7.1 IPv6 multihoming problem

Sorry Julian, I wrongly sent my reply to you!

On T 31 Mar, 2009, at 22:38 , Julian Elischer wrote:
> zgabe wrote:
>> Hi All, I am using a laptop, FreeBSD 7.1, connecting to two ISPs (wlan
>> and ppp) and I have IPv6 addresses. 'netstat -rn' says there is only one
>> default gateway (for example wlan's default gateway). My problem is the
>> following: If I ping the ppp tunnel from another computer, my laptop
>> receives the ICMP6 echo request over the ppp tunnel, but it answers over
>> the wlan interface. I read some similar posts (only ipv4) about
>> forwarding with IPFW, but I was unable to solve my problem until now.
> [...]
>
> the theory with multihoming is that unless you are the holder of a
> class-C (/24) you basically have to do it using NAT.
> You have to make some subset of your traffic use one NAT while the
> remainder uses another (or is untranslated).
> Unfortunately we don't have NAT for IPV6. I don't know how that
> gets solved..

I am not sure I understand how NAT would solve the routing problem. Doesn't
a packet have the next hop set according to the destination, that is,
anything not for a locally attached network will go to the default router?
Zgabe is correct in trying to use fwd; I use that to route packets
according to the source. I use this method, in ipv4, although perhaps too
intrusively, as I also fwd packets that should go to the default route
(which could instead just be accept'ed), but this is another topic.

For zgabe's problem, aren't packets coming from the pppaddress going through
the ppp interface? So why don't you try to select them by the interface (and
the direction they go through it, as in out xmit ppp) rather than by
protocol? Not sure how you will enter an ipv6 address as a forwarding one;
it does not work on my setup (macos).

g

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 2 09:24:11 2009
From: Zöld <zgabe84@gmail.com>
To: julian@elischer.org, Giuliano Gavazzi
Date: Thu, 2 Apr 2009 11:02:48 +0200
Message-ID: <75e73d840904020202q28db47e6u663a9e0bfb32a6e@mail.gmail.com>
In-Reply-To: <54A338F9-D66C-4406-804C-7443798931C8@humph.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: FreeBSD 7.1 IPv6 multihoming problem

Hi guys! I attached my testbed! It's a small testbed, I don't need to look
onto the internet. The wlan gets an address from 2001:738:2001:2082::/64.
The phone gets an address from 2001:738:2001:20a9::/64. The server is in
the 2001:738:2001:2081::/64 network.
I would like to make some SCTP failover measurements between the laptop and
the SCTP server. I need a solution where the packets go via the proper
interfaces. (ipfw fwd doesn't work)
Static routes don't operate, because the packets always go out on the
default gateway.
I work on my thesis and I haven't got too much time. Can you explain an
exact solution?

Regards
Gábor Zöld

2009/4/1 Giuliano Gavazzi
>
> Sorry Julian, I wrongly sent my reply to you!
>
> On T 31 Mar, 2009, at 22:38 , Julian Elischer wrote:
>
>> zgabe wrote:
>>
>>> Hi All, I am using a laptop, FreeBSD 7.1, connecting to two ISPs (wlan and
>>> ppp) and I have IPv6 addresses. 'netstat -rn' says there is only one
>>> default gateway (for example wlan's default gateway). My problem is the
>>> following: If I ping the ppp tunnel from another computer, my laptop
>>> receives the ICMP6 echo request over the ppp tunnel, but it answers over
>>> the wlan interface. I read some similar posts (only ipv4) about
>>> forwarding with IPFW, but I was unable to solve my problem until now.
>>>
>>
>> [...]
>>
>> the theory with multihoming is that unless you are the holder of a class-C
>> (/24) you basically have to do it using NAT.
>> You have to make some subset of your traffic use one NAT while the
>> remainder uses another (or is untranslated).
>> Unfortunately we don't have NAT for IPV6. I don't know how that
>> gets solved..
>>
>
> I am not sure I understand how NAT would solve the routing problem. Doesn't
> a packet have the next hop set according to the destination, that is,
> anything not for a locally attached network will go to the default router?
> Zgabe is correct in trying to use fwd; I use that to route packets
> according to the source. I use this method, in ipv4, although perhaps too
> intrusively, as I also fwd packets that should go to the default route
> (which could instead just be accept'ed), but this is another topic.
>
> For zgabe's problem, aren't packets coming from the pppaddress going through
> the ppp interface? So why don't you try to select them by the interface (and
> the direction they go through it, as in out xmit ppp) rather than by
> protocol? Not sure how you will enter an ipv6 address as a forwarding one;
> it does not work on my setup (macos).
>
> g
>

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 2 11:22:08 2009
From: Paolo Pisati <p.pisati@oltrelinux.com>
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.org, Dmitriy Demidov, Alex Dupre
Date: Thu, 02 Apr 2009 13:00:59 +0200
Message-ID: <49D49AEB.20701@oltrelinux.com>
In-Reply-To: <20090317223511.GB95451@onelab2.iet.unipi.it>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?

Luigi Rizzo wrote:
>
> Ok then we may have a plan:
>
> you could do is implement REASS as an action (not as a microinstruction),
> with the following behaviour:
>
> - if the packet is a complete one, the rule behaves as a "count"
>   (i.e. the firewall continues with the next rule);
>
> - if the packet is a fragment and can be reassembled, the rule
>   behaves as a "count" and the mbuf is replaced with the full packet;
>
> - if the packet is a fragment and cannot be reassembled, the
>   rule behaves as a "drop" (i.e. processing stops)
>   and the packet is swallowed by ipfw.
>
> This seems a useful behaviour, but it must be documented very
> clearly because it is not completely intuitive. Perhaps we should
> find a more descriptive name.
>

committed yesterday in HEAD as "reass" action, and here is the 7.x patch:
http://people.freebsd.org/~piso/ipfw-reass-7x.diff

--
bye,
P.
From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 2 11:27:23 2009
From: Luigi Rizzo <luigi@onelab2.iet.unipi.it>
To: Paolo Pisati
Cc: freebsd-ipfw@FreeBSD.org, Dmitriy Demidov, Alex Dupre
Date: Thu, 2 Apr 2009 13:32:31 +0200
Message-ID: <20090402113231.GB6577@onelab2.iet.unipi.it>
In-Reply-To: <49D49AEB.20701@oltrelinux.com>
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?

On Thu, Apr 02, 2009 at 01:00:59PM +0200, Paolo Pisati wrote:
> Luigi Rizzo wrote:
> >
> > Ok then we may have a plan:
> >
> > you could do is implement REASS as an action (not as a microinstruction),
> > with the following behaviour:
> >
> > - if the packet is a complete one, the rule behaves as a "count"
> >   (i.e. the firewall continues with the next rule);
> >
> > - if the packet is a fragment and can be reassembled, the rule
> >   behaves as a "count" and the mbuf is replaced with the full packet;
> >
> > - if the packet is a fragment and cannot be reassembled, the
> >   rule behaves as a "drop" (i.e. processing stops)
> >   and the packet is swallowed by ipfw.
> >
> > This seems a useful behaviour, but it must be documented very
> > clearly because it is not completely intuitive. Perhaps we should
> > find a more descriptive name.
> >
> committed yesterday in HEAD as "reass" action, and here is the 7.x
> patch: http://people.freebsd.org/~piso/ipfw-reass-7x.diff

Good job. Can you put a description in the manpage especially on the
assumptions and side effects of the reass option ? E.g. as i read it,

+ you need to make sure that the fragments are not dropped before the
  'reass' (so you cannot rely on port numbers to decide accept or deny).
  This is obvious but a very common mistake;

+ reass silently queues the fragment if it does not reass, so it opens
  up a bit of vulnerability. Again obvious, but people won't realise
  if they don't see the code.

cheers
luigi
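A model of the three-way "reass" semantics Luigi spells out above, with a fragment queue that is bounded in count, bytes and age to address his second caveat. This is an added example, not Paolo's kernel code; the addresses, identifiers and limits are constructed and offsets are plain byte offsets.

```python
"""Model of the ipfw 'reass' action semantics discussed in the thread.

Added example, not Paolo's kernel code. It follows Luigi's three cases:
a complete packet behaves like 'count'; a fragment that completes the
datagram behaves like 'count' with the packet replaced; a fragment that
cannot yet be reassembled is swallowed. Because a swallowed fragment is
state the sender made the firewall keep (Luigi's second caveat), the queue
is bounded in count, bytes and age. Offsets are byte offsets and every
address, identifier and limit below is a constructed value.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Verdict(Enum):
    CONTINUE = "count"             # complete datagram: fall through to the next rule
    REASSEMBLED = "count+replace"  # datagram now complete; caller uses the new payload
    SWALLOW = "drop"               # fragment kept (or refused); rule processing stops


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int      # IP identification shared by all pieces of one datagram
    offset: int     # byte offset of this piece within the datagram
    payload: bytes
    more: bool      # "more fragments" flag


@dataclass
class _Queue:
    first_seen: float
    pieces: Dict[int, Fragment] = field(default_factory=dict)  # offset -> piece
    total: Optional[int] = None    # datagram length, known once the last piece arrives


class Reassembler:
    def __init__(self, max_queues: int = 64, max_bytes: int = 65535, timeout: float = 30.0):
        self.max_queues, self.max_bytes, self.timeout = max_queues, max_bytes, timeout
        self.queues: Dict[Tuple[str, str, int], _Queue] = {}

    def _expire(self, now: float) -> None:
        # Queues nobody completed in time are dropped, so stale state cannot pile up.
        for key in [k for k, q in self.queues.items() if now - q.first_seen > self.timeout]:
            del self.queues[key]

    def reass(self, frag: Fragment, now: float = 0.0) -> Tuple[Verdict, Optional[bytes]]:
        """Return (verdict, payload); payload is set only when a whole datagram is available."""
        if frag.offset == 0 and not frag.more:
            return Verdict.CONTINUE, frag.payload       # case 1: not a fragment at all
        self._expire(now)
        key = (frag.src, frag.dst, frag.ident)
        q = self.queues.get(key)
        if q is None:
            if len(self.queues) >= self.max_queues:
                return Verdict.SWALLOW, None            # refuse to open yet another queue
            q = self.queues[key] = _Queue(first_seen=now)
        q.pieces[frag.offset] = frag
        if not frag.more:
            q.total = frag.offset + len(frag.payload)
        if sum(len(p.payload) for p in q.pieces.values()) > self.max_bytes:
            del self.queues[key]                         # oversized datagram: discard it all
            return Verdict.SWALLOW, None
        data = self._assemble(q)
        if data is None:
            return Verdict.SWALLOW, None                # case 3: incomplete, queued silently
        del self.queues[key]
        return Verdict.REASSEMBLED, data                # case 2: whole datagram replaces the mbuf

    @staticmethod
    def _assemble(q: _Queue) -> Optional[bytes]:
        if q.total is None:
            return None
        end, out = 0, bytearray()
        for off in sorted(q.pieces):
            if off != end:                               # gap or overlap: not contiguous yet
                return None
            out += q.pieces[off].payload
            end += len(q.pieces[off].payload)
        return bytes(out) if end == q.total else None


def demo():
    """Two pieces arriving tail-first, then a lone piece that ages out of the queue."""
    r = Reassembler(timeout=30.0)
    head = Fragment("10.0.0.1", "10.0.0.2", 7, 0, b"AAAA", more=True)
    tail = Fragment("10.0.0.1", "10.0.0.2", 7, 4, b"BB", more=False)
    first = r.reass(tail, now=0.0)[0]               # only the tail: swallowed
    second, data = r.reass(head, now=0.1)           # head completes it: reassembled
    r.reass(Fragment("10.0.0.1", "10.0.0.2", 8, 0, b"CC", more=True), now=1.0)
    r.reass(Fragment("10.0.0.9", "10.0.0.2", 1, 0, b"x", more=True), now=40.0)
    stray_still_queued = ("10.0.0.1", "10.0.0.2", 8) in r.queues
    return first, second, data, stray_still_queued, len(r.queues)
```

The first caveat is visible in the model as well: a non-first piece carries no transport header, so any rule that matched on port numbers before `reass` would never see the ports it is looking for.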
cheers luigi From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 2 11:51:56 2009 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0AAF5106566B for ; Thu, 2 Apr 2009 11:51:56 +0000 (UTC) (envelope-from dev+lists@humph.com) Received: from ns.ondecorte.net (outgoing.humph.com [78.4.156.158]) by mx1.freebsd.org (Postfix) with ESMTP id B0A738FC0C for ; Thu, 2 Apr 2009 11:51:55 +0000 (UTC) (envelope-from dev+lists@humph.com) Received: from 88-149-183-86.static.ngi.it ([88.149.183.86] helo=[192.168.69.4]) by ns.ondecorte.net with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from ) id KHH2AE-00019Z-B7; Thu, 02 Apr 2009 13:51:51 +0200 Message-Id: <9173F1D4-5497-4D1D-B478-009A64E41B50@humph.com> From: Giuliano Gavazzi To: =?ISO-8859-1?Q?Z=F6ld?= In-Reply-To: <75e73d840904020202q28db47e6u663a9e0bfb32a6e@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Apple Message framework v930.3) Date: Thu, 2 Apr 2009 13:51:48 +0200 References: <22800054.post@talk.nabble.com> <49D27F5C.7030506@elischer.org> <54A338F9-D66C-4406-804C-7443798931C8@humph.com> <75e73d840904020202q28db47e6u663a9e0bfb32a6e@mail.gmail.com> X-Mailer: Apple Mail (2.930.3) Cc: freebsd-ipfw@freebsd.org, julian@elischer.org Subject: Re: FreeBSD 7.1 IPv6 multihoming problem X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Apr 2009 11:51:56 -0000 On T 2 Apr, 2009, at 11:02 , Z=F6ld wrote: > Hi guys! I attached my testbed! It's a small testbed, I don't need =20 > to look > onto the internet. 
> The wlan gets an address from 2001:738:2001:2082::/64. The phone gets an
> address from 2001:738:2001:20a9::/64. The server is in the
> 2001:738:2001:2081:/64 network.
> I would like to make some SCTP failover measurement between the laptop and
> SCTP server. I need a solution where the packets go via the proper
> interfaces. (ipfw fwd doesn't work)
> Static routes don't operate, because the packets always go out on the
> default gateway.
> I work on my thesis and I haven't got too much time. Can you explain an
> exact solution?

What I called routing a packet according to source seems to be a well
known (so to speak) thing: policy based routing:
http://en.wikipedia.org/wiki/Policy-based_routing
that, apart from ipfw fwd (for ipv4), is supported (more finely) by
linux (with some bugs) and Cisco IOS (with more than some bugs I
suppose...)

So, since you have a cisco somewhere, go and read:
http://www.cisco.com/en/US/docs/ios/12_0/qos/configuration/guide/qcpolicy.html
towards the end there is even a specific example for "how to route
traffic from different sources to different places (next hops)"

Thank you for making me look for this info, as I had already to patch
macosx ipfw (the kernel really), to make fwd functional, but with this
I will be able to do it in the cisco router, and leave the kernel
alone...
Giuliano

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 2 12:09:09 2009
From: Paolo Pisati
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.org, Dmitriy Demidov, Alex Dupre
Date: Thu, 02 Apr 2009 14:09:00 +0200
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-ID: <49D4AADC.30900@oltrelinux.com>
In-Reply-To: <20090402113231.GB6577@onelab2.iet.unipi.it>
References: <200903132246.49159.dima_bsd@inbox.lv> <20090313214327.GA1675@onelab2.iet.unipi.it> <49BF61E7.7020305@FreeBSD.org> <49BFB9B2.9090909@oltrelinux.com> <20090317190123.GB89417@onelab2.iet.unipi.it> <49C01E08.9050709@oltrelinux.com> <20090317223511.GB95451@onelab2.iet.unipi.it> <49D49AEB.20701@oltrelinux.com> <20090402113231.GB6577@onelab2.iet.unipi.it>

Luigi Rizzo wrote:
> Can you put a description in the manpage especially on the
> assumptions and side effects of the reass option ?
>
> E.g. as i read it,
> + you need to make sure that the fragments are not dropped before
>   the 'reass' (so you cannot rely on port numbers to decide
>   accept or deny). This is obvious but a very common mistake;
> + reass silently queues the fragment if it does not reass, so it
>   opens up a bit of vulnerability. Again obvious, but people
>   won't realise if they don't see the code.
>

someone else already pointed out that i should mention
net.inet.ip.maxfrag*, i'll come up with an updated man page later today.

--
bye,
P.
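As an added illustration (not code from this thread, from FreeBSD, or from Paolo's patch), here is a small Python model of the "reass" semantics Luigi lists and of the two caveats he asks to have documented: a port-matching rule placed before "reass" lets the first fragment through and denies the rest, because non-first fragments carry no L4 header, while "reass" placed first swallows fragments until the datagram is whole and only then lets the port check run. The packet layout, the rule engine and the queue bound are assumptions of the toy; the bound stands in for the net.inet.ip.maxfrag* sysctls Paolo mentions, not for the kernel's actual reassembly structure.

```python
"""Toy model of ipfw's "reass" action (added example, not FreeBSD code).

Assumptions: fragment offsets are in bytes (real IP uses 8-byte units), a
rule is (action, proto, dport) with None meaning "any", and the queue bound
is an analogy for net.inet.ip.maxfragpackets, not the kernel's structure.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ip_id: int              # IP identification shared by all fragments
    proto: str              # "udp" or "tcp"
    dport: Optional[int]    # None on non-first fragments: no L4 header there
    frag_offset: int        # 0 for a first fragment or an unfragmented packet
    more_frags: bool        # the IP "MF" flag
    length: int             # payload bytes carried by this fragment

    @property
    def is_fragment(self) -> bool:
        return self.more_frags or self.frag_offset > 0


class FragmentQueue:
    """Partial datagrams awaiting reassembly, bounded by max_datagrams."""

    def __init__(self, max_datagrams: int = 2) -> None:
        self.max_datagrams = max_datagrams
        self.pending: Dict[int, List[Packet]] = {}
        self.refused = 0    # fragments dropped because the queue was full

    def feed(self, frag: Packet) -> Optional[Packet]:
        """Queue one fragment; return the whole datagram once it completes."""
        frags = self.pending.get(frag.ip_id)
        if frags is None:
            if len(self.pending) >= self.max_datagrams:
                self.refused += 1
                return None
            frags = self.pending[frag.ip_id] = []
        frags.append(frag)
        if not self._contiguous(frags):
            return None
        del self.pending[frag.ip_id]
        first = min(frags, key=lambda f: f.frag_offset)
        return Packet(frag.ip_id, frag.proto, first.dport, 0, False,
                      sum(f.length for f in frags))

    @staticmethod
    def _contiguous(frags: List[Packet]) -> bool:
        ordered = sorted(frags, key=lambda f: f.frag_offset)
        if ordered[0].frag_offset != 0 or ordered[-1].more_frags:
            return False
        end = 0
        for f in ordered:
            if f.frag_offset != end:
                return False
            end += f.length
        return True


Rule = Tuple[str, Optional[str], Optional[int]]


def run_ruleset(rules: List[Rule], packets: List[Packet],
                queue: Optional[FragmentQueue] = None) -> List[str]:
    """Return one verdict per packet: "allow", "deny" or "swallowed"."""
    queue = queue if queue is not None else FragmentQueue()
    verdicts = []
    for pkt in packets:
        verdict = "deny"                    # implicit default deny at the end
        for action, proto, dport in rules:
            if action == "reass":
                if not pkt.is_fragment:
                    continue                # complete packet: acts as "count"
                full = queue.feed(pkt)
                if full is None:
                    verdict = "swallowed"   # queued or refused; processing stops
                    break
                pkt = full                  # mbuf replaced by the full datagram
                continue
            if proto is not None and proto != pkt.proto:
                continue
            if dport is not None and dport != pkt.dport:
                continue                    # a non-first fragment never matches
            verdict = action
            break
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic: a 1200-byte UDP datagram to port 53 in two pieces.
DNS_FRAGS = [
    Packet(ip_id=1, proto="udp", dport=53, frag_offset=0, more_frags=True, length=800),
    Packet(ip_id=1, proto="udp", dport=None, frag_offset=800, more_frags=False, length=400),
]
PORT_CHECK_FIRST: List[Rule] = [("allow", "udp", 53), ("deny", None, None)]
REASS_FIRST: List[Rule] = [("reass", None, None), ("allow", "udp", 53), ("deny", None, None)]


def queue_bound_demo(n_datagrams: int = 5, max_datagrams: int = 2):
    """Feed first fragments that never complete; report what the bound holds."""
    q = FragmentQueue(max_datagrams)
    orphans = [Packet(100 + i, "udp", 53, 0, True, 800) for i in range(n_datagrams)]
    return run_ruleset(REASS_FIRST, orphans, q), len(q.pending), q.refused


if __name__ == "__main__":
    print("port check before reass:", run_ruleset(PORT_CHECK_FIRST, DNS_FRAGS))
    print("reass first:            ", run_ruleset(REASS_FIRST, DNS_FRAGS))
    print("bounded queue:          ", queue_bound_demo())
```

Running it shows the first ordering yielding `['allow', 'deny']` (the second fragment is lost and the receiver can never reassemble), the second yielding `['swallowed', 'allow']` (the first fragment is held, the completed datagram then passes the port check), and the bounded queue keeping only `max_datagrams` incomplete datagrams while refusing the rest, which is the resource limit a `reass` rule should be paired with.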
From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 3 18:17:04 2009
From: Dmitriy Demidov
To: Paolo Pisati
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 3 Apr 2009 21:16:52 +0300
Subject: Re: keep-state rules inadequately handles big UDP packets or fragmented IP packets?
Message-Id: <200904032116.52684.dima_bsd@inbox.lv>
In-Reply-To: <49D49AEB.20701@oltrelinux.com>
References: <200903132246.49159.dima_bsd@inbox.lv> <20090317223511.GB95451@onelab2.iet.unipi.it> <49D49AEB.20701@oltrelinux.com>

On Thursday 02 April 2009, Paolo Pisati wrote:
> Luigi Rizzo wrote:
> > Ok then we may have a plan:
> >
> > you could do is implement REASS as an action (not as a microinstruction),
> > with the following behaviour:
> >
> > - if the packet is a complete one, the rule behaves as a "count"
> >   (i.e. the firewall continues with the next rule);
> >
> > - if the packet is a fragment and can be reassembled, the rule
> >   behaves as a "count" and the mbuf is replaced with the full packet;
> >
> > - if the packet is a fragment and cannot be reassembled, the
> >   rule behaves as a "drop" (i.e. processing stops)
> >   and the packet is swallowed by ipfw.
> >
> > This seems a useful behaviour, but it must be documented very
> > clearly because it is not completely intuitive. Perhaps we should
> > find a more descriptive name.
>
> committed yesterday in HEAD as "reass" action, and here is the 7.x
> patch: http://people.freebsd.org/~piso/ipfw-reass-7x.diff

Hi Paolo.

Thank you for this work! I think it is a good feature that will make ipfw
more clear and extend its usability for future use.

Hey, you deserve a reward for this work! Do you remember the 500WMZ bounty?
Please, if you want to get it, contact me outside of this list. Or I will
transfer this money as a donation to the FreeBSD Foundation :)

Good luck!