From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 13 07:57:16 2010
Date: Sun, 13 Jun 2010 07:57:16 GMT
Message-Id: <201006130757.o5D7vG4T030547@freefall.freebsd.org>
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: remko@FreeBSD.org
Subject: Re: kern/147798: [ipfw]: skipto skips over the complex rule

Old Synopsis: ipfw skipto skips over the complex rule
New Synopsis: [ipfw]: skipto skips over the complex rule

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: remko
Responsible-Changed-When: Sun Jun 13 07:57:02 UTC 2010
Responsible-Changed-Why:
Reassign to ipfw team

http://www.freebsd.org/cgi/query-pr.cgi?pr=147798

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 14 00:01:36 2010
Date: Mon, 14 Jun 2010 00:01:36 GMT
Message-Id: <201006140001.o5E01atS066565@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd

Old Synopsis: ipfw dynamic rules and fwd
New Synopsis: [ipfw] ipfw dynamic rules and fwd

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Jun 14 00:01:10 UTC 2010
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=147720

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 14 11:06:53 2010
Date: Mon, 14 Jun 2010 11:06:52 GMT
Message-Id: <201006141106.o5EB6q23078543@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/147798  ipfw       [ipfw]: skipto skips over the complex rule
o kern/147720  ipfw       [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw       [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw       [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw       [ipfw] ipfw nat does not follow its documentation
o kern/144869  ipfw       [ipfw] [panic] Instant kernel panic when adding NAT ru
o kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/144187  ipfw       [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw       [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw       [ipfw] ipfw table contains the same address
f kern/142951  ipfw       [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw       [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw       [ipfw] install_state: entry already present, done
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

73 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 17 11:51:15 2010
From: Дмуха Николай
To: freebsd-ipfw@freebsd.org
Message-Id: <640531276774244@web141.yandex.ru>
Date: Thu, 17 Jun 2010 15:30:43 +0400
Subject: ipfw3 pipe more than 24000Kbit/s

Hello.

We have the computer - if_bridge1.

uname -a:
FreeBSD 8.0-STABLE FreeBSD 8.0-STABLE #4: Thu May 13 13:08:53 MSD 2010 /usr/src/sys/amd64/compile/MYKERNEL amd64

There is only ipfw+dummynet on this computer.
IPFW was updated to version 3 from Luigi Rizzo because of packet scheduling.

Kernel options for ipfw are:

    # IPFW
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=10
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options DUMMYNET
    options HZ=2000

When we try to shape speed less than 24000Kbit/s - it is OK.
But when we try to shape speed more than 24000Kbit/s - we have no result.

/etc/rc.firewall:

    $IPFW pipe 27 config bw 32000Kbit/s mask dst-ip 0xffffffff
    $IPFW pipe 28 config bw 34000Kbit/s mask src-ip 0xffffffff

    ########pipe 27
    $IPFW sched 27 config type QFQ mask dst-ip 0xffffff00
    $IPFW queue 271 config sched 27 weight 10
    $IPFW queue 272 config sched 27 weight 8
    $IPFW queue 273 config sched 27 weight 4
    $IPFW queue 274 config sched 27 weight 1
    $IPFW add queue 271 ip from any to table\(112\) via igb0 out proto udp src-port 5060
    $IPFW add queue 272 ip from any to table\(112\) via igb0 out proto tcp src-port 80,443,8080
    $IPFW add queue 273 ip from any to table\(112\) via igb0 out proto tcp src-port 5223, 2009, 2106, 3724, 6112, 6881-6999, 7777, 27000-27050, 42292
    $IPFW add queue 273 ip from any to table\(112\) via igb0 out proto udp src-port 53, 5223, 3478, 3479, 3658, 1200, 5000-5009, 6112-6119, 6881-6999, 7777, 7788
    $IPFW add queue 273 ip from any to table\(112\) via igb0 out proto icmp
    $IPFW add queue 274 ip from any to table\(112\) via igb0 out

    ########pipe 28
    $IPFW sched 28 config type QFQ mask src-ip 0xffffff00
    $IPFW queue 281 config sched 28 weight 10
    $IPFW queue 282 config sched 28 weight 8
    $IPFW queue 283 config sched 28 weight 4
    $IPFW queue 284 config sched 28 weight 1
    $IPFW add queue 281 ip from table\(113\) to any via igb1 out proto udp dst-port 5060
    $IPFW add queue 282 ip from table\(113\) to any via igb1 out proto tcp dst-port 80,443,8080
    $IPFW add queue 283 ip from table\(113\) to any via igb1 out proto tcp dst-port 5223, 2009, 2106, 3724, 6112, 6881-6999, 7777, 27000-27050, 42292
    $IPFW add queue 283 ip from table\(113\) to any via igb1 out proto udp dst-port 53, 5223, 3478, 3479, 3658, 1200, 5000-5009, 6112-6119, 6881-6999, 7777, 7788
    $IPFW add queue 283 ip from table\(113\) to any via igb1 out proto icmp
    $IPFW add queue 284 ip from table\(113\) to any via igb1 out

P.S. We have another computer, if_bridge2.

uname -a:
FreeBSD 7.2-STABLE-200906 FreeBSD 7.2-STABLE-200906 #1: Tue Oct 6 10:26:41 MSD 2009 /usr/src/sys/amd64/compile/MYKERNEL amd64

We have no problems with ipfw or shaping on this machine.
We use this config on it:

    $IPFW pipe 27 config bw 32000Kbit/s mask dst-ip 0xffffffff
    $IPFW pipe 28 config bw 34000Kbit/s mask src-ip 0xffffffff
    $IPFW add pipe 27 ip from any to table\(112\) via igb0 out
    $IPFW add pipe 28 ip from table\(113\) to any via igb1 out
    $IPFW add pipe 27 ip from any to table\(112\) via igb2 out
    $IPFW add pipe 28 ip from table\(113\) to any via igb3 out
    $IPFW add allow ip from any to table\(112\)
    $IPFW add allow ip from table\(113\) to any

We try to shape speed on if_bridge1 with config like on if_bridge2 - but the problem repeated.
Maybe you deal with this problem?

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 19 16:47:15 2010
To: freebsd-ipfw@freebsd.org
From: Marcin Wisnicki
Date: Sat, 19 Jun 2010 16:47:00 +0000 (UTC)
Subject: tcpdump on ipfw0 and ipv6

I'm trying to log ipv6 traffic with the following rule:

    ipfw add 10 set 6 count log ip6 from any to any

with `ipfw enable verbose` it is correctly logged to /var/log/security:

> Jun 19 18:40:16 ghost kernel: ipfw: 10 Count TCP [...]:56233 [...]:22 in via vr0

however when I do `ipfw disable verbose` and `tcpdump -ni ipfw0` all I can see is:

    # tcpdump -ni ipfw0
    tcpdump: WARNING: ipfw0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ipfw0, link-type EN10MB (Ethernet), capture size 96 bytes
    18:41:43.563579 IP6 , wrong link-layer encapsulationbad-hlen 0
    18:41:43.563598 IP6 , wrong link-layer encapsulationbad-hlen 0
    18:41:43.563747 IP6 , wrong link-layer encapsulationbad-hlen 0

Am I doing something wrong or is logging to ipfw0 broken for ip6?

uname: FreeBSD 8.1-PRERELEASE #3: Sun Jun 6 21:14:57 CEST 2010
from sources checked out that day