From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 4 10:45:30 2010
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 10F69106567B; Sun, 4 Apr 2010 10:45:30 +0000 (UTC) (envelope-from asstec@matik.com.br)
Received: from msrv.matik.com.br (msrv.matik.com.br [200.153.48.3]) by mx1.freebsd.org (Postfix) with ESMTP id 6170A8FC1E; Sun, 4 Apr 2010 10:45:28 +0000 (UTC)
Received: from msrv.matik.com.br (localhost.matik.com.br [127.0.0.1]) by msrv.matik.com.br (8.14.4/8.14.2) with ESMTP id o34AjTHv078274; Sun, 4 Apr 2010 07:45:29 -0300 (BRT) (envelope-from asstec@matik.com.br)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.95.3 at msrv.matik.com.br
Received: (from www@localhost) by msrv.matik.com.br (8.14.4/8.14.4/Submit) id o34AjOA2078269; Sun, 4 Apr 2010 07:45:24 -0300 (BRT) (envelope-from asstec@matik.com.br)
X-Authentication-Warning: msrv.matik.com.br: www set sender to asstec@matik.com.br using -f
Received: from 187.42.222.1 (SquirrelMail authenticated user asstec) by wm.matik.com.br with HTTP; Sun, 4 Apr 2010 07:45:24 -0300
In-Reply-To: <20100401125929.GA66321@onelab2.iet.unipi.it>
References: <4BB24C86.3030709@hardonline.com.br> <20100331020943.GA47928@onelab2.iet.unipi.it> <20100331164302.GA55699@korolev-net.ru> <20100331170221.GB55010@onelab2.iet.unipi.it> <20100401002014.GA57424@onelab2.iet.unipi.it> <20100401125929.GA66321@onelab2.iet.unipi.it>
Date: Sun, 4 Apr 2010 07:45:24 -0300
From: "Ass.Tec. Matik"
To: freebsd-ipfw@freebsd.org
User-Agent: SquirrelMail/1.4.20
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Subject: workaround for ipfw problem freebsd 8-S after mar-21
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sun, 04 Apr 2010 10:45:30 -0000

since this actually also is invalid

    ipfw add 65535 deny proto ip
    ipfw: getsockopt(IP_FW_ADD): Invalid argument

you need to

    ipfw add 65534 deny proto ip
    65534 deny ip from any to any

this is a temp workaround if you have problems with ipfw which actually inserts these two bad rules at the end, independent of what your rules do:

    00100 12 728 allow ip from any to any via lo0
    00000 0 0 ip from any to any

edit your firewall script and add directly after the flush command, depending on your default, if your default setup is to deny:

    ipfw add 65534 deny proto ip

else

    ipfw add 65534 pass proto ip

but before _any_ of your rules

if you do not need this rule you can add at the end of your rules:

    ipfw delete 65534

depending on your ruleset you might get rid of the "ouch" whining (irrelevant) but important is that your firewall comes up and will work fine as before

João Martins
Eng.Resp.Helpdesk e Suporte
Matik
https://suporte.matik.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 5 10:03:36 2010
From: Pawel Tyll
Date: Mon, 5 Apr 2010 11:41:12 +0200
To: freebsd-ipfw@freebsd.org
Message-ID: <1298035093.20100405114112@nitronet.pl>
Subject: rule 00000.

Unfortunately FreeBSD 8.0-STABLE #0: Mon Apr 5 08:43:58 CEST 2010 still has problems.

ipfw show:
(...)
65534 44262253 27617819701 allow ip from any to any
00001 5335 405460 allow ip from me to any dst-port 123
00000 0 0 ip from any to any

Anything I can do to help?
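The two posts above, the rule-65534 workaround and the listing that ends in an action-less rule 00000, as an added shell example that is not code from any post in this thread. The function names, the rule-file format and the `ipfw show` field layout it assumes (rule number, packets, bytes, action, body) are this example's own assumptions, and the embedded listing is the one quoted in the "rule 00000." post.

```shell
#!/bin/sh
# Added example; not code from any post in this thread. It (1) emits the
# firewall-script fragment that applies the rule-65534 workaround from the
# "workaround for ipfw problem freebsd 8-S after mar-21" post and (2) checks an
# `ipfw show` listing for the symptom from the "rule 00000." post: an
# action-less rule 00000 where the default rule should be. The function names,
# the rule-file format and the assumed `ipfw show` field layout
# (RULENUM PKTS BYTES ACTION BODY...) are this example's own assumptions.

# emit_ruleset POLICY RULEFILE keep|drop
#   POLICY    intended default policy: "deny" or "pass"
#   RULEFILE  the site's own rules, one per line, without the leading "ipfw"
#   keep|drop whether rule 65534 stays in place or is deleted again at the end
# Prints the commands in the order the post prescribes: flush, then rule 65534
# before any real rule, then the real rules, then the optional delete.
emit_ruleset() {
    policy=$1 rulefile=$2 mode=$3
    case $policy in
        deny|pass) ;;
        *) echo "emit_ruleset: policy must be deny or pass, got '$policy'" >&2
           return 1 ;;
    esac
    echo "ipfw -q flush"
    echo "ipfw add 65534 $policy proto ip"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;    # skip blank lines and comments
        esac
        echo "ipfw $line"
    done < "$rulefile"
    if [ "$mode" = drop ]; then
        echo "ipfw delete 65534"
    fi
}

# find_bogus_rule < ipfw-show-output
#   A healthy rule carries an action keyword in field 4 (allow, deny, pipe...).
#   The broken builds printed "00000 0 0 ip from any to any": rule number 0
#   and the protocol sitting where the action should be. Print every such
#   line; return 1 if any was found, 0 if the listing is clean.
find_bogus_rule() {
    awk '$1 == "00000" || $4 == "ip" { print; bad = 1 }
         END { exit bad ? 1 : 0 }'
}

# check_default WANT < ipfw-show-output
#   Confirms that the highest-numbered rule in the listing carries the
#   intended default action (the workaround's 65534 or the kernel's 65535),
#   which is what a remote admin wants to know before trusting a "deny all"
#   ruleset. Prints what was found; returns 0 on match, 1 otherwise.
check_default() {
    awk -v want="$1" '
        $1 + 0 > max { max = $1 + 0; last = $4 }
        END {
            if (last == "") last = "(none)"
            print "last rule " max ": " last
            exit (last == want) ? 0 : 1
        }'
}

# Demo on the listing quoted in the "rule 00000." post (embedded here so the
# script runs offline); on a real box use:  ipfw show | find_bogus_rule
DEMO_LISTING='65534 44262253 27617819701 allow ip from any to any
00001 5335 405460 allow ip from me to any dst-port 123
00000 0 0 ip from any to any'
printf '%s\n' "$DEMO_LISTING" | find_bogus_rule || echo "bogus rule present, apply the workaround"
```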
From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 5 11:07:03 2010
From: FreeBSD bugmaster
Date: Mon, 5 Apr 2010 11:07:03 GMT
To: freebsd-ipfw@FreeBSD.org
Message-Id: <201004051107.o35B73k6027841@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/145305  ipfw       [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw       [ipfw] ipfw nat does not follow its documentation
o kern/144869  ipfw       [ipfw] [panic] Instant kernel panic when adding NAT ru
o kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/144187  ipfw       [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw       [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw       [ipfw] ipfw table contains the same address
o kern/139581  ipfw       [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw       [ipfw] install_state: entry already present, done
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

69 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 7 04:44:56 2010
From: Pawel Tyll
Date: Wed, 7 Apr 2010 06:44:52 +0200
To: "Erich Jenkins, Fuujin Group Ltd"
Cc: freebsd-ipfw@freebsd.org
Message-ID: <183273017.20100407064452@nitronet.pl>
In-Reply-To: <4BBC19B0.8060304@fuujingroup.com>
Subject: Re: rule 00000.

Hi,

> the last thing I want is to lock myself out and have to dispatch a
> technician...

There's always a risk ;)

> Is this problem localized to any particular architecture? (we have
> sparc64, amd64 and i386 servers deployed). Is this just the stable
> branch that's affected, or was this bug also in the ISO release?
> (I deploy via NFS/FTP/bootp from internal servers hosting the ISO images).

It was recently introduced, so you're safe with release. To my knowledge, it only affects stable. I'm only using AMD64.

Cheers.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 7 04:54:34 2010
From: "Erich Jenkins, Fuujin Group Ltd"
Date: Tue, 06 Apr 2010 23:35:44 -0600
To: Pawel Tyll
Cc: freebsd-ipfw@freebsd.org
Message-ID: <4BBC19B0.8060304@fuujingroup.com>
In-Reply-To: <1298035093.20100405114112@nitronet.pl>
Subject: Re: rule 00000.

Pawel Tyll wrote:
> Unfortunately FreeBSD 8.0-STABLE #0: Mon Apr 5 08:43:58 CEST 2010
> still has problems.
>
> ipfw show:
> (...)
> 65534 44262253 27617819701 allow ip from any to any
> 00001 5335 405460 allow ip from me to any dst-port 123
> 00000 0 0 ip from any to any
>
> Anything I can do to help?
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

Pawel:

My skin crawled the moment I read this post. Could you provide a bit more information about this issue? I manage a very large deployment of FreeBSD boxes which are geographically dispersed, and we've started upgrading them to the 8.0 release. My default policy is to deny everything but the services running, so I generally end with a "deny all" statement, and the last thing I want is to lock myself out and have to dispatch a technician...

Is this problem localized to any particular architecture? (we have sparc64, amd64 and i386 servers deployed). Is this just the stable branch that's affected, or was this bug also in the ISO release? (I deploy via NFS/FTP/bootp from internal servers hosting the ISO images).

Erich M. Jenkins
Fuujin Group Limited

"You should never, never doubt what no one is sure about."
  -- Gene Wilder

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 7 15:10:35 2010
From: Freddie Cash
Date: Wed, 7 Apr 2010 08:10:34 -0700
To: freebsd-ipfw@freebsd.org
In-Reply-To: <4BBC19B0.8060304@fuujingroup.com>
Subject: Re: rule 00000.
2010/4/6 Erich Jenkins, Fuujin Group Ltd

> Pawel Tyll wrote:
>
>> Unfortunately FreeBSD 8.0-STABLE #0: Mon Apr 5 08:43:58 CEST 2010
>> still has problems.
>>
>> ipfw show:
>> (...)
>> 65534 44262253 27617819701 allow ip from any to any
>> 00001 5335 405460 allow ip from me to any dst-port 123
>> 00000 0 0 ip from any to any
>>
>> Anything I can do to help?
>>
>
> Pawel:
>
> My skin crawled the moment I read this post. Could you provide a bit more
> information about this issue? I manage a very large deployment of FreeBSD
> boxes which are geographically dispersed, and we've started upgrading them
> to the 8.0 release. My default policy is to deny everything but the services
> running, so I generally end with a "deny all" statement, and the last thing
> I want is to lock myself out and have to dispatch a technician...
>
> Is this problem localized to any particular architecture? (we have sparc64,
> amd64 and i386 servers deployed). Is this just the stable branch that's
> affected, or was this bug also in the ISO release? (I deploy via
> NFS/FTP/bootp from internal servers hosting the ISO images).
>

If you read the archives of this list, you'll find that this issue only applies to 8-STABLE after the 8.0 release. Thus, if you upgrade to 8.0-RELEASE, you will not run into this problem.

Luigi is doing a bunch of cleanups, refactoring, and updates to the ipfw code in 8-STABLE/9-CURRENT. Things are a bit unstable right now, but getting better with each passing day.

IOW, nothing to worry about unless you have plans to upgrade to 8-STABLE.
:)

--
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 7 18:00:39 2010
From: Julian Elischer
Date: Wed, 07 Apr 2010 10:37:02 -0700
Message-ID: <4BBCC2BE.6030601@elischer.org>
To: Freddie Cash
Cc: freebsd-ipfw@freebsd.org
Subject: Re: rule 00000.

On 4/7/10 8:10 AM, Freddie Cash wrote:
> 2010/4/6 Erich Jenkins, Fuujin Group Ltd
>>
> If you read the archives of this list, you'll find that this issue only
> applies to 8-STABLE after the 8.0 release. Thus, if you upgrade to
> 8.0-RELEASE, you will not run into this problem.
>
> Luigi is doing a bunch of cleanups, refactoring, and updates to the ipfw
> code in 8-STABLE/9-CURRENT. Things are a bit unstable right now, but
> getting better with each passing day.
>
> IOW, nothing to worry about unless you have plans to upgrade to 8-STABLE.

and that should be ok too as it was fixed there.
> :)
>

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 7 20:16:44 2010
From: Anders Hagman
Date: Wed, 07 Apr 2010 21:58:38 +0200
Message-ID: <4BBCE3EE.506@halleforshunden.org>
To: freebsd-ipfw@freebsd.org
Subject: dummynet and vnet kernel panic

Hi

When using dummynet inside a vnet node with a simple pipe the kernel panics on the first packet.

I use 8.0-STABLE cvsuped at 7 Apr 15:28
The ipfw code with dummynet is largely changed and the patch in the URL below will not work.
http://www.freebsd.org/cgi/query-pr.cgi?pr=143621

Is there a fix in the near future?

BR
/Anders H

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 7 20:27:47 2010
From: Luigi Rizzo
Date: Wed, 7 Apr 2010 22:38:02 +0200
To: Anders Hagman
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20100407203802.GA91356@onelab2.iet.unipi.it>
In-Reply-To: <4BBCE3EE.506@halleforshunden.org>
Subject: Re: dummynet and vnet kernel panic
On Wed, Apr 07, 2010 at 09:58:38PM +0200, Anders Hagman wrote:
> Hi
>
> When using dummynet inside a vnet node with a simple pipe the kernel
> panics on the first packet.
>
> I use 8.0-STABLE cvsuped at 7 Apr 15:28
> The ipfw code with dummynet is largely changed and the patch in the URL
> below will not work.
> http://www.freebsd.org/cgi/query-pr.cgi?pr=143621
>
> Is there a fix in the near future?

haven't tried it myself, but adapting the patch seems reasonably trivial. I'll see what i can do.

Are there any vnet experts who can comment ?

cheers
luigi

> BR
> /Anders H

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 7 20:56:39 2010
From: Julian Elischer
Date: Wed, 07 Apr 2010 13:56:31 -0700
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org, Anders Hagman
Message-ID: <4BBCF17F.4000408@elischer.org>
In-Reply-To: <20100407203802.GA91356@onelab2.iet.unipi.it>
Subject: Re: dummynet and vnet kernel panic

On 4/7/10 1:38 PM, Luigi Rizzo wrote:
> On Wed, Apr 07, 2010 at 09:58:38PM +0200, Anders Hagman wrote:
>> Hi
>>
>> When using dummynet inside a vnet node with a simple pipe the kernel
>> panics on the first packet.
>>
>> I use 8.0-STABLE cvsuped at 7 Apr 15:28
>> The ipfw code with dummynet is largely changed and the patch in the URL
>> below will not work.
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=143621
>>
>> Is there a fix in the near future?
>
> haven't tried it myself, but adapting the patch seems
> reasonably trivial. I'll see what i can do.
>
> Are there any vnet experts who can comment ?

the change itself looks as if it makes sense
but I have not really tested it or gone to great length.

-----------

the following URL gives you the change that was made to make the OLD
version of dummynet Vimage compatible.

http://p4db.freebsd.org/fileLogView.cgi?FSPC=//depot/projects/vimage/src/sys/netinet/ipfw/ip_dummynet.c

does this still apply to 8.x? or did you redo the dummynet in 8?
if you didn't it may be worth looking to see if these changes apply to
8.x real soon before it's frozen.

> cheers
> luigi
>
>> BR
>> /Anders H
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 8 16:35:37 2010
From: Robert Huff
Date: Thu, 8 Apr 2010 12:35:34 -0400
To: ipfw@freebsd.org
Subject: Re: Kernel Config for NAT
Message-ID: <19390.1494.857240.45869@jerusalem.litteratus.org>
References: <201004080252.o382qFH7019790@leka.aloha.com> <19389.23404.649946.265403@jerusalem.litteratus.org> <19389.51130.108457.400747@jerusalem.litteratus.org>

I am planning to a) update a -CURRENT system to recent code, and b)
install ipfw+NAT. The documentation in the Handbook is confusing and/or
incomplete. So far I have:

1) in /boot/loader.conf:

ipfw_load="YES"
ipdivert_load="YES"

2) in the kernel config:

#options IPFIREWALL                  #firewall
#options IPFIREWALL_VERBOSE          #enable logging to syslogd(8)
#options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
#options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
#options IPDIVERT
#options IPFIREWALL_NAT              #ipfw kernel nat support
options LIBALIAS                     # required for NAT

3) in /etc/sysctl.conf:

net.inet.ip.fw.default_to_accept="1"
net.inet.ip.fw.verbose="1"
net.inet.ip.fw.verbose_limit="100"

Is there anything else I need? (Assume I have a working set of firewall
rules.) Is there anything I need to take out?
Respectfully,

Robert Huff

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 9 07:57:26 2010
From: n j
Date: Fri, 9 Apr 2010 09:26:01 +0200
To: ipfw@freebsd.org
Subject: Re: Kernel Config for NAT
References: <201004080252.o382qFH7019790@leka.aloha.com> <19389.23404.649946.265403@jerusalem.litteratus.org> <19389.51130.108457.400747@jerusalem.litteratus.org>
> That's actually a good question considering the lack of documentation.  If
> that works then great, but one wonders what the ipfw_nat modules is for?
> looks like it's tied into libalias apparently a replacement for natd.

Here's my kernel configuration:

[--snip--]
options IPFIREWALL         # enable ipfw firewall
options IPDIVERT           # for divert functionality - not really required
options IPFIREWALL_FORWARD # for ipfw forward functionality
options IPFIREWALL_NAT     # for in-kernel nat
options LIBALIAS           # req'd by ipfirewall_nat
[--snip--]

If I'm to trust the comment I wrote quite a while ago, IPDIVERT is not
necessary. Also, IPFIREWALL_FORWARD is not really needed for NAT, this is
specific to my setup. So, basically that leaves IPFIREWALL, IPFIREWALL_NAT
and LIBALIAS as the necessary tweaks in kernel conf for NAT to work.

Note, this configuration enables the in-kernel NAT which is a (relatively)
recent addition to FreeBSD. You turn it on like this:

ipfw nat 123 config ip 192.168.0.123 log
ipfw add nat 123 all from any to any

In my experience, it works pretty well and I consider it a big improvement
over running natd and diverting packets to it.
Regards,
-- 
Nino

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 9 08:45:24 2010
From: Anders Hagman
Date: Fri, 09 Apr 2010 10:45:08 +0200
Message-ID: <4BBEE914.8030508@halleforshunden.org>
To: freebsd-ipfw@freebsd.org
Subject: Re: dummynet and vnet kernel panic
In-Reply-To: <20100407203802.GA91356@onelab2.iet.unipi.it>
References: <4BBCE3EE.506@halleforshunden.org> <20100407203802.GA91356@onelab2.iet.unipi.it>

On 2010-04-07 22:38, Luigi Rizzo wrote:
> On Wed, Apr 07, 2010 at 09:58:38PM +0200, Anders Hagman wrote:
>
>> Hi
>>
>> When using dummynet inside a vnet node with a simple pipe the kernel
>> panic on the first packet.
>>
>> I use 8.0-STABLE cvsuped at 7 Apr 15:28
>> The ipfw code with dummynet is largely changed and the patch in the url
>> below will not work.
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=143621
>>
>> Is there a fix in the near future?
>>
> haven't tried it myself, but adapting the patch seems
> reasonably trivial. I'll see what i can do.
>
> Are there any vnet experts who can comment ?
>
Here is a small shell script to create a virtual network to test the dummynet.
#!/bin/sh
# Virtual network
#
# [H1-eth0]---[eth0-R1-eth1]---[eth0-H2]
#

# Create virtual nodes
vimage -c H1
vimage -c H2
vimage -c R1

# Change hostname
vimage H1 hostname H1
vimage H2 hostname H2
vimage R1 hostname R1

# Create interfaces
ifconfig epair1 create
ifconfig epair2 create

# Move interfaces to v-nodes
vimage -i H1 epair1b
vimage -i H2 epair2b
vimage -i R1 epair1a
vimage -i R1 epair2a

# Rename the epair ends to the names used in the diagram below
# (assumed step: the posted script configured eth0/eth1 without it)
vimage H1 ifconfig epair1b name eth0
vimage H2 ifconfig epair2b name eth0
vimage R1 ifconfig epair1a name eth0
vimage R1 ifconfig epair2a name eth1

# Configure interfaces
vimage H1 ifconfig eth0 10.0.1.2/24
vimage H1 route add default 10.0.1.1
vimage H2 ifconfig eth0 10.0.2.2/24
vimage H2 route add default 10.0.2.1
vimage R1 ifconfig eth0 10.0.1.1/24
vimage R1 ifconfig eth1 10.0.2.1/24

# Turn on ip forwarding
vimage R1 sysctl net.inet.ip.forwarding=1

# Configure firewall (the panic part)
#kldload ipfw
#kldload dummynet
#vimage R1 ipfw pipe 1 config bw 2Mbit/s
#vimage R1 ipfw add 100 pipe 1 ip from any to any
#vimage H1 ipfw add permit ip from any to any
#vimage H2 ipfw add permit ip from any to any

/Anders

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 9 14:07:05 2010
From: Luigi Rizzo
Date: Fri, 9 Apr 2010 16:17:22 +0200
To: Julian Elischer
Message-ID: <20100409141722.GA53191@onelab2.iet.unipi.it>
In-Reply-To: <4BBCF17F.4000408@elischer.org>
References: <4BBCE3EE.506@halleforshunden.org> <20100407203802.GA91356@onelab2.iet.unipi.it> <4BBCF17F.4000408@elischer.org>
Cc: freebsd-ipfw@freebsd.org, Anders Hagman
Subject: Re: dummynet and vnet kernel panic

On Wed, Apr 07, 2010 at 01:56:31PM -0700, Julian Elischer wrote:
> On 4/7/10 1:38 PM, Luigi Rizzo wrote:
> >On Wed, Apr 07, 2010 at 09:58:38PM +0200, Anders Hagman wrote:
> >>Hi
> >>
> >>When using dummynet inside a vnet node with a simple pipe the kernel
> >>panic on the first packet.
> >>
> >>I use 8.0-STABLE cvsuped at 7 Apr 15:28
> >>The ipfw code with dummynet is largely changed and the patch in the url
> >>below will not work.
> >>http://www.freebsd.org/cgi/query-pr.cgi?pr=143621
> >>
> >>Is there a fix in the near future?
> >
> >haven't tried it myself, but adapting the patch seems
> >reasonably trivial. I'll see what i can do.
> >
> >Are there any vnet experts who can comment ?
>
> the change itself looks as if it makes sense
> but I have not really tested it or gone to great length.
>
> -----------
>
> the following URL gives you the change that was made to make the OLD
> version of dummynet Vimage compatible.
>
> http://p4db.freebsd.org/fileLogView.cgi?FSPC=//depot/projects/vimage/src/sys/netinet/ipfw/ip_dummynet.c

Question: the change in PR 143621 just makes sure that curvnet points
to something sensible while a packet is reinjected by dummynet_send();
the code in P4 does something completely different, as it remaps the
global variables to the per-vimage ones, and does not seem to touch
dummynet_send() at all. So how does the code in P4 make sure that
curvnet is set properly ?

> does this still apply to 8.x? or did you redo the dummynet in 8?
> if you didn't it may be worth looking to see if these changes apply to
> 8.x real soon before it's frozen.

former global variables are now mostly in a single struct, dn_cfg.
There are however 150 lines where the global variable is used, so I am a
bit scared at renaming all of these occurrences from dn_cfg to V_dn_cfg.
I'd rather follow a different approach, i.e.

VNET_DEFINE(struct dn_cfg, _base_dn_cfg);
#define dn_cfg VNET(_base_dn_cfg)

would this make sense to you ?

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 9 18:04:09 2010
From: Luigi Rizzo
Date: Fri, 9 Apr 2010 20:14:28 +0200
To: Anders Hagman
Cc: freebsd-ipfw@freebsd.org
Subject: Re: dummynet and vnet kernel panic
Message-ID: <20100409181428.GA55834@onelab2.iet.unipi.it>
In-Reply-To: <4BBCE3EE.506@halleforshunden.org>
References: <4BBCE3EE.506@halleforshunden.org>

On Wed, Apr 07, 2010 at 09:58:38PM +0200, Anders Hagman wrote:
> Hi
>
> When using dummynet inside a vnet node with a simple pipe the kernel
> panic on the first packet.
>
> I use 8.0-STABLE cvsuped at 7 Apr 15:28
> The ipfw code with dummynet is largely changed and the patch in the url
> below will not work.
> http://www.freebsd.org/cgi/query-pr.cgi?pr=143621
>
> Is there a fix in the near future?
URL: http://svn.freebsd.org/changeset/base/206428

Log:
This commit enables partial operation of dummynet with kernels compiled
with "options VIMAGE". As it is now, there is still a single instance of
the pipes, and it is only usable from vnet0 (the main instance).
Trying to use a pipe from a different vimage does not crash the system
as it did before, but the traffic coming out from the pipe goes to the
wrong place, and i still need to figure out where.

Support for per-vimage pipes is almost there (just a matter of
uncommenting the VNET_* definitions for dn_cfg, plus putting into the
structure the remaining static variables), however i need first to
figure out how init/uninit work, and also to understand where packets
are ending up on exit from a pipe.

In summary: vimage support for dummynet is not complete yet, but we are
getting there.

Modified:
head/sys/netinet/ipfw/ip_dn_io.c
head/sys/netinet/ipfw/ip_dn_private.h
head/sys/netinet/ipfw/ip_dummynet.c

> BR
> /Anders H

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 9 18:10:23 2010
From: Luigi Rizzo
Date: Fri, 9 Apr 2010 20:20:42 +0200
To: freebsd-ipfw@freebsd.org
Message-ID: <20100409182042.GB55834@onelab2.iet.unipi.it>
Subject: ipfw-related video on GoogleTechTalks

Just in case you are interested, Murray Stokely was very kind in
organizing a talk at Google on recent ipfw and dummynet work.
A recording is available on the GoogleTechTalks channel:

http://www.youtube.com/watch?v=r8vBmybeKlE

BTW there is plenty of interesting talks on that channel so I'd really
suggest to spend some time browsing through the list.

http://www.youtube.com/user/googletechtalks

cheers
luigi
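The dummynet/vnet thread above separates two mechanisms: remapping the former global dn_cfg to a per-vnet copy through VNET_DEFINE()/VNET(), as Luigi proposes, and making sure curvnet is set when dummynet_send() reinjects a packet from the timer callout, which is what PR 143621 addresses and what the panic Anders reported comes down to. The user-space C model below is an added example, not code from the thread or from the FreeBSD kernel: the struct dn_parms and struct vnet layouts, the struct packet type with its rcv_vnet field, the run_from_callout() helper and the demo_*() functions are assumptions made for the model, and the real kernel macros (linker sets, per-thread curvnet, VNET_ASSERT checks) differ in detail.

```c
/*
 * User-space model of FreeBSD's VNET_DEFINE()/VNET() pattern and of the
 * curvnet requirement in dummynet_send().  Added example; the kernel's real
 * implementation keeps per-vnet copies of virtualised globals in a linker set
 * and resolves VNET(name) through curvnet, the vnet of the running thread.
 */
#include <stdio.h>
#include <stdlib.h>

/* The former global dummynet configuration.  The type is deliberately NOT
 * called "struct dn_cfg": once dn_cfg is a macro, "struct dn_cfg" would be
 * rewritten too, so type and macro need different names. */
struct dn_parms {
	int	pipes;		/* pipes configured in this vnet */
	int	packets_out;	/* packets reinjected by dummynet_send() */
};

/* One network stack instance (model; field names are assumptions). */
struct vnet {
	const char	*name;
	struct dn_parms	_base_dn_cfg;	/* per-vnet copy of the old global */
};

/* curvnet is NULL in contexts that belong to no stack, such as a callout. */
static struct vnet *curvnet = NULL;

/* Model of the kernel macros: VNET(n) resolves n through curvnet. */
#define VNET(n)		(curvnet->n)
#define dn_cfg		VNET(_base_dn_cfg)	/* Luigi's proposal: keep the old name */
#define CURVNET_SET(v)	struct vnet *saved_vnet = curvnet; curvnet = (v)
#define CURVNET_RESTORE()	curvnet = saved_vnet

/* A packet remembers the vnet of the interface it arrived on
 * (the kernel's m->m_pkthdr.rcvif->if_vnet). */
struct packet {
	struct vnet *rcv_vnet;
};

static struct vnet *vnet_create(const char *name)
{
	struct vnet *v = calloc(1, sizeof(*v));
	if (v == NULL)
		abort();
	v->name = name;
	return v;
}

/* Every access to the virtualised global goes through here so the model can
 * report, instead of crashing, what in the kernel is a NULL curvnet
 * dereference, i.e. a panic.  Returns 0 on success, -1 on "panic". */
static int dn_account_out(void)
{
	if (curvnet == NULL)
		return -1;
	dn_cfg.packets_out++;
	return 0;
}

/* Shape before PR 143621: touches dn_cfg from the callout, curvnet unset. */
static int dummynet_send_unfixed(struct packet *p)
{
	(void)p;
	return dn_account_out();
}

/* Shape after the fix: bracket the reinjection with the packet's own vnet. */
static int dummynet_send_fixed(struct packet *p)
{
	int rc;
	CURVNET_SET(p->rcv_vnet);
	rc = dn_account_out();
	CURVNET_RESTORE();
	return rc;
}

/* The dummynet tick runs from a callout: no thread vnet is set there. */
static int run_from_callout(int (*send)(struct packet *), struct packet *p)
{
	struct vnet *saved = curvnet;
	int rc;
	curvnet = NULL;
	rc = send(p);
	curvnet = saved;
	return rc;
}

/* Configure a pipe in vnet v: with curvnet set, dn_cfg names v's copy. */
static int dn_configure_pipe(struct vnet *v)
{
	CURVNET_SET(v);
	dn_cfg.pipes++;
	CURVNET_RESTORE();
	return v->_base_dn_cfg.pipes;
}

/* Returns the result of the unfixed send from the callout: -1 == would panic. */
static int demo_unfixed(void)
{
	struct vnet *v1 = vnet_create("vnet1");
	struct packet p = { v1 };
	int rc = run_from_callout(dummynet_send_unfixed, &p);
	free(v1);
	return rc;
}

/* Returns vnet1's packets_out after the fixed send (expected 1), or -2 if
 * anything leaked into vnet0, i.e. the wrong instance was updated. */
static int demo_fixed(void)
{
	struct vnet *v0 = vnet_create("vnet0"), *v1 = vnet_create("vnet1");
	struct packet p = { v1 };
	int rc = -2;

	if (dn_configure_pipe(v1) == 1 && v0->_base_dn_cfg.pipes == 0 &&
	    run_from_callout(dummynet_send_fixed, &p) == 0 &&
	    v0->_base_dn_cfg.packets_out == 0)
		rc = v1->_base_dn_cfg.packets_out;
	free(v0);
	free(v1);
	return rc;
}

int main(void)
{
	printf("unfixed send from callout: %d (-1 = would panic)\n", demo_unfixed());
	printf("fixed send, vnet1 packets_out: %d\n", demo_fixed());
	return 0;
}
```

The model shows why the two changes are complementary rather than alternatives: the macro remapping only decides which vnet's dn_cfg an access names, and it does so through curvnet, so an access from a context where curvnet is not set still dereferences NULL. The callout is exactly such a context, which is why the reinjection path needs its own CURVNET_SET()/CURVNET_RESTORE() pair around it. One practical caveat for the `#define dn_cfg VNET(_base_dn_cfg)` approach: the preprocessor rewrites every later occurrence of the token, including `struct dn_cfg` in declarations, so the type and the macro must carry different names (the model uses struct dn_parms for that reason).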