From: Lars Eggert
To: "freebsd-ipfw@FreeBSD.org"
Date: Mon, 20 Sep 2010 10:52:20 +0300
Subject: ipfw & IPv6

Hi,

anyone know why this command is failing on 8.1-STABLE?

ipfw add deny all from 2001:2060:40:1::123/64, 2001:0708:0040:fff1::2/64, 2001:0708:0040:f001::1/64 to any in via em5
ipfw: bad netmask ``2060:40:1::123/64''

Looks like there's a parsing issue with IPv6 prefixes; the "2001:" is being swallowed?

Thanks,
Lars

Date: Mon, 20 Sep 2010 06:16:52 -0400
From: Lee Dilkie
To: Lars Eggert
Cc: "freebsd-ipfw@FreeBSD.org"
Subject: Re: ipfw & IPv6

there's a parsing bug with ipv6 address lists in 7, I guess it isn't fixed yet. I had to make separate rules for each ipv6 address.

-lee

On 9/20/2010 3:52 AM, Lars Eggert wrote:
> Hi,
>
> anyone know why this command is failing on 8.1-STABLE?
>
> ipfw add deny all from 2001:2060:40:1::123/64, 2001:0708:0040:fff1::2/64, 2001:0708:0040:f001::1/64 to any in via em5
> ipfw: bad netmask ``2060:40:1::123/64''
>
> Looks like there's a parsing issue with IPv6 prefixes; the "2001:" is being swallowed?
>
> Thanks,
> Lars
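
The workaround from the reply above (a separate rule for each IPv6 address), as an added example that is not part of the thread: a POSIX sh helper that splits the comma-separated source list into one ipfw command per prefix and emits nothing if any entry is malformed. The function names split_v6_rule and valid_v6_prefix are hypothetical, and the commands are printed rather than executed.

```sh
#!/bin/sh
# Added example (not from the thread): emit one ipfw rule per IPv6 prefix.
# Function names and argument layout are assumptions for illustration.

# valid_v6_prefix ADDR/LEN: loose syntax check only (hex digits and colons,
# at least one colon, prefix length 0..128); not a full RFC 4291 parser.
valid_v6_prefix() {
    addr=${1%/*}
    len=${1##*/}
    [ "$addr" != "$1" ] || return 1        # no "/" in the entry
    case $addr in
        ''|*[!0-9A-Fa-f:]*) return 1 ;;     # empty, or a non-IPv6 character
        *:*) ;;                             # at least one colon
        *) return 1 ;;
    esac
    case $len in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 128 ]
}

# split_v6_rule LEAD LIST REST: print "ipfw LEAD <prefix> REST" for each
# comma-separated prefix in LIST. All entries are validated before anything
# is printed, so a malformed list produces no rules instead of a partial set.
split_v6_rule() {
    lead=$1 list=$2 rest=$3 out=''
    old_ifs=$IFS
    IFS=','
    set -f                                  # no globbing while splitting
    set -- $list
    set +f
    IFS=$old_ifs
    [ $# -gt 0 ] || return 1
    for entry in "$@"; do
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        if ! valid_v6_prefix "$entry"; then
            echo "split_v6_rule: bad IPv6 prefix '$entry'" >&2
            return 1
        fi
        out="${out}ipfw ${lead} ${entry} ${rest}
"
    done
    printf '%s' "$out"
}

# The rule from the thread, as three separate commands (printed, not run).
split_v6_rule 'add deny all from' \
    '2001:2060:40:1::123/64, 2001:0708:0040:fff1::2/64, 2001:0708:0040:f001::1/64' \
    'to any in via em5'
```

Validating the whole list before printing matters for deny rules: a firewall script that stops halfway would otherwise load only some of the intended blocks.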

From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 20 Sep 2010 11:06:57 GMT
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/150141  ipfw       [ipfw]: Not working kernel nat freeBSD 8.1
o kern/149572  ipfw       [ipfw] ipfw kernel nat not working properly
o kern/148928  ipfw       [ipfw] Problem with loading of ipfw NAT rules during s
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148157  ipfw       [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o conf/148144  ipfw       [patch] add ipfw_nat support for rc.firewall simple ty
o conf/148137  ipfw       [ipfw] call order of natd and ipfw startup scripts
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw       [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw       [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw       [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw       [ipfw] ipfw nat does not follow its documentation
o kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/144187  ipfw       [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw       [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw       [ipfw] ipfw table contains the same address
f kern/142951  ipfw       [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw       [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw       [ipfw] install_state: entry already present, done
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
o kern/122109  ipfw       [ipfw] ipfw nat traceroute problem
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet] 6.3-RELEASE-p1 page fault in dummynet (corr
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

80 problems total.

From: "Alexander V. Chernikov"
To: freebsd-ipfw@FreeBSD.org
Date: Tue, 21 Sep 2010 21:30:08 GMT
Subject: Re: kern/122109: [ipfw] ipfw nat traceroute problem

The following reply was made to PR kern/122109; it has been noted by GNATS.

From: "Alexander V. Chernikov"
To: bug-followup@FreeBSD.org, m.dyadchenko@211.ru
Subject: Re: kern/122109: [ipfw] ipfw nat traceroute problem
Date: Wed, 22 Sep 2010 01:24:40 +0400

Problem can be fixed with a small patch:

--- /usr/src/sys/netinet/libalias/alias.c.orig 2010-09-22 01:07:19.000000000 +0400 +++ /usr/src/sys/netinet/libalias/alias.c 2010-09-22 01:11:11.000000000 +0400
@@ -432,7 +432,7 @@ } return (PKT_ALIAS_OK); } - return (PKT_ALIAS_IGNORED); + return (PKT_ALIAS_OK); }

IcmpAliasIn2() doesn't create state for incoming packets (like IcmpAliasIn1() does)
IcmpAliasIn2() is called only in case of ICMP_UNREACH|ICMP_SOURCEQUENCH|ICMP_TIMXCEED|ICMP_PARAMPROB

If incoming icmp packet of given type is not found in internal state table we can just pass it to the host system (back to ipfw or netgraph hook, really) without even creating state
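
Review bot: The changed final "return (PKT_ALIAS_OK);" makes the no-match path return the same value as the matched path three lines above it, so a caller can no longer tell an ICMP error that matched a translation entry from one that matched nothing. Going by the explanation accompanying the patch, the intent is to hand unmatched ICMP errors of these types on to the host, which also means unsolicited ones are no longer reported as ignored. Please add a comment at this return stating that intent, and confirm that every caller which treated PKT_ALIAS_IGNORED as a reason to drop the packet is meant to accept it now.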

From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Thu, 23 Sep 2010 05:18:21 GMT
Subject: Re: kern/150798: [ipfw] ipfw2 fwd rule matches packets but does not do the job in fact.

Old Synopsis: ipfw2 fwd rule matches packets but does not do the job in fact.
New Synopsis: [ipfw] ipfw2 fwd rule matches packets but does not do the job in fact.

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Thu Sep 23 05:17:52 UTC 2010
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=150798