From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 27 04:47:38 2011
Date: Mon, 27 Jun 2011 04:47:37 GMT
Message-Id: <201106270447.p5R4lbbb088086@freefall.freebsd.org>
To: yar@mail.zp.ua, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/93300: [ipfw] ipfw pipe lost packets

Synopsis: [ipfw] ipfw pipe lost packets

State-Changed-From-To: feedback->closed
State-Changed-By: ae
State-Changed-When: Mon Jun 27 04:47:18 UTC 2011
State-Changed-Why:
Feedback timeout.

http://www.freebsd.org/cgi/query-pr.cgi?pr=93300

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 27 04:48:53 2011
Date: Mon, 27 Jun 2011 04:48:52 GMT
Message-Id: <201106270448.p5R4mqJF088310@freefall.freebsd.org>
To: kaeptn@schmalzbauer.de, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/98831: [ipfw] ipfw has UDP hickups

Synopsis: [ipfw] ipfw has UDP hickups

State-Changed-From-To: feedback->closed
State-Changed-By: ae
State-Changed-When: Mon Jun 27 04:48:31 UTC 2011
State-Changed-Why:
Feedback timeout.

http://www.freebsd.org/cgi/query-pr.cgi?pr=98831

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 27 04:52:29 2011
Date: Mon, 27 Jun 2011 04:52:29 GMT
Message-Id: <201106270452.p5R4qTZL096517@freefall.freebsd.org>
To: myz@csu.ru, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/112561: [ipfw] ipfw fwd does not work with some TCP packets

Synopsis: [ipfw] ipfw fwd does not work with some TCP packets

State-Changed-From-To: feedback->closed
State-Changed-By: ae
State-Changed-When: Mon Jun 27 04:50:44 UTC 2011
State-Changed-Why:
Feedback timeout.

http://www.freebsd.org/cgi/query-pr.cgi?pr=112561

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 27 07:51:49 2011
Date: Mon, 27 Jun 2011 07:51:48 GMT
Message-Id: <201106270751.p5R7pmp6091852@freefall.freebsd.org>
To: edwin@mavetju.org, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: docs/113803: [patch] ipfw(8) - don't get bitten by the fwd rule

Synopsis: [patch] ipfw(8) - don't get bitten by the fwd rule

State-Changed-From-To: open->closed
State-Changed-By: ae
State-Changed-When: Mon Jun 27 07:45:59 UTC 2011
State-Changed-Why:
The manual page already has a note about the need for a custom kernel
configuration. When ipfw is used as a module, it reports that forwarding is
disabled and returns an error for each fwd rule.

http://www.freebsd.org/cgi/query-pr.cgi?pr=113803

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 27 08:03:16 2011
Date: Mon, 27 Jun 2011 08:03:16 GMT
Message-Id: <201106270803.p5R83Giq001272@freefall.freebsd.org>
To: maneo@bsdpro.com, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/55984: [ipfw] [patch] time based firewalling support for ipfw2

Synopsis: [ipfw] [patch] time based firewalling support for ipfw2

State-Changed-From-To: open->suspended
State-Changed-By: ae
State-Changed-When: Mon Jun 27 07:56:31 UTC 2011
State-Changed-Why:
Personally I recommend using sets of rules and switching between them with
cron(8). But maybe someone will find this feature interesting, so I suspend
this PR.

http://www.freebsd.org/cgi/query-pr.cgi?pr=55984

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 27 11:07:05 2011
Date: Mon, 27 Jun 2011 11:07:04 GMT
Message-Id: <201106271107.p5RB74pJ071868@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
p kern/157957  ipfw       [libalias][patch] alias_ftp does not alias data sessio
p kern/157867  ipfw       [patch][ipfw] natd globalport support for ipfw nat
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
p kern/157379  ipfw       [ipfw] mtr does not work if I use ipfw nat
p kern/157239  ipfw       [ipfw] [dummynet] ipfw + dummynet corrupts ipv6 packet
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
o bin/156653   ipfw       ipfw(8) reports missing file as parameter problem
o kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
p kern/150798  ipfw       [ipfw] ipfw2 fwd rule matches packets but does not do
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw       [ipfw] ipfw dynamic rules and fwd
o kern/144269  ipfw       [ipfw] problem with ipfw tables
o kern/144187  ipfw       [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw       [ipfw] ipfw table contains the same address
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
p kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
p kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
f kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
p kern/122109  ipfw       [ipfw] ipfw nat traceroute problem
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

59 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 27 12:53:45 2011
Date: Mon, 27 Jun 2011 12:53:44 GMT
Message-Id: <201106271253.p5RCri3C078214@freefall.freebsd.org>
To: dan@obluda.cz, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets

Synopsis: [ipfw] [patch] ipfw_divert damages IPv6 packets

State-Changed-From-To: open->patched
State-Changed-By: ae
State-Changed-When: Mon Jun 27 12:53:05 UTC 2011
State-Changed-Why:
Patched in head/ with r223593.

http://www.freebsd.org/cgi/query-pr.cgi?pr=128260

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 28 00:18:48 2011
Message-ID: <4E0917E8.5020904@gmail.com>
Date: Tue, 28 Jun 2011 00:53:12 +0100
From: Michael
To: freebsd-ipfw@freebsd.org
Subject: ipfw news

I'm delighted to see that so much work is being done recently on ipfw,
i.e. patching. But it also makes me wonder if there is anything new cooking
for FreeBSD 9.0? Does anybody know?

Michael

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 28 05:26:16 2011
Date: Tue, 28 Jun 2011 05:26:15 GMT
Message-Id: <201106280526.p5S5QFPA091077@freefall.freebsd.org>
To: freebsd-rc@FreeBSD.org, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org, freebsd-rc@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: conf/123119: [patch] rc script for ipfw does not handle IPv6

Synopsis: [patch] rc script for ipfw does not handle IPv6

Responsible-Changed-From-To: freebsd-ipfw->freebsd-rc
Responsible-Changed-By: ae
Responsible-Changed-When: Tue Jun 28 05:21:43 UTC 2011
Responsible-Changed-Why:
Reassign to freebsd-rc@. This functionality is already present in head/
and stable/8. But stable/7 does not support some needed features in rc.subr
and in the kernel to merge this support.

http://www.freebsd.org/cgi/query-pr.cgi?pr=123119

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 28 05:32:47 2011
Date: Tue, 28 Jun 2011 05:32:47 GMT
Message-Id: <201106280532.p5S5WlU2001109@freefall.freebsd.org>
To: dima_bsd@inbox.lv, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/144187: [ipfw] deadlock using multiple ipfw nat and multiple limit statements

Synopsis: [ipfw] deadlock using multiple ipfw nat and multiple limit statements

State-Changed-From-To: open->feedback
State-Changed-By: ae
State-Changed-When: Tue Jun 28 05:29:45 UTC 2011
State-Changed-Why:
Can you still reproduce this on a supported release?
Or maybe you can test your rules on head/ branch?
There were some changes related to ipfw_nat.

http://www.freebsd.org/cgi/query-pr.cgi?pr=144187

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 28 05:41:52 2011
Date: Tue, 28 Jun 2011 05:41:51 GMT
Message-Id: <201106280541.p5S5fpmH010163@freefall.freebsd.org>
To: admin@xaker1.ru, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/155927: [ipfw] ipfw stops to check packets for compliance with the rules, letting everything Rules

Synopsis: [ipfw] ipfw stops to check packets for compliance with the rules, letting everything Rules

State-Changed-From-To: open->feedback
State-Changed-By: ae
State-Changed-When: Tue Jun 28 05:36:11 UTC 2011
State-Changed-Why:
Can you still reproduce this? It seems that you have misconfigured
something.

http://www.freebsd.org/cgi/query-pr.cgi?pr=155927

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 28 06:01:07 2011
Date: Tue, 28 Jun 2011 06:01:05 GMT
Message-Id: <201106280601.p5S615Bv020427@freefall.freebsd.org>
To: barry@unix.co.nz, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: kern/91847: [ipfw] ipfw with vlanX as the device

Synopsis: [ipfw] ipfw with vlanX as the device

State-Changed-From-To: open->feedback
State-Changed-By: ae
State-Changed-When: Tue Jun 28 06:00:28 UTC 2011
State-Changed-Why:
Can you still reproduce this on a supported release?

http://www.freebsd.org/cgi/query-pr.cgi?pr=91847

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 28 07:33:35 2011
Date: Tue, 28 Jun 2011 07:33:35 GMT
Message-Id: <201106280733.p5S7XZuq031826@freefall.freebsd.org>
To: jclear@speakeasy.net, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org
Subject: Re: bin/156653: ipfw(8) reports missing file as parameter problem

Synopsis: ipfw(8) reports missing file as parameter problem

State-Changed-From-To: open->feedback
State-Changed-By: ae
State-Changed-When: Tue Jun 28 07:32:47 UTC 2011
State-Changed-Why:
Can you provide exact commands to reproduce this?

http://www.freebsd.org/cgi/query-pr.cgi?pr=156653

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 28 22:24:31 2011
In-Reply-To: <201106280733.p5S7XZuq031826@freefall.freebsd.org>
Message-Id: <76B9FC50-5FC9-4394-880E-09A45F92B856@speakeasy.net>
From: Jed Clear
Date: Tue, 28 Jun 2011 17:58:43 -0400
To: "ae@FreeBSD.org"
Cc: "ae@FreeBSD.org", "jclear@speakeasy.net", "freebsd-ipfw@FreeBSD.org"
Subject: Re: bin/156653: ipfw(8) reports missing file as parameter problem

I guess it would have been clearer if I'd said /path/to/a/non/existent/file
in the ticket. Although I was missing the file in the current directory so
wasn't using a path. Probably worth testing how it behaves if you give it an
invalid directory as well as a missing file.

-Jed

On Jun 28, 2011, at 7:33 AM, ae@FreeBSD.org wrote:

> Synopsis: ipfw(8) reports missing file as parameter problem
>
> State-Changed-From-To: open->feedback
> State-Changed-By: ae
> State-Changed-When: Tue Jun 28 07:32:47 UTC 2011
> State-Changed-Why:
> Can you provide exact commands to reproduce this?
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=156653

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 29 02:30:13 2011
Date: Wed, 29 Jun 2011 02:30:12 GMT
Message-Id: <201106290230.p5T2UCKX089410@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Jed Clear
Subject: Re: bin/156653: ipfw(8) reports missing file as parameter problem
Reply-To: Jed Clear

The following reply was made to PR bin/156653; it has been noted by GNATS.
From: Jed Clear
To: bug-followup@FreeBSD.org
Subject: Re: bin/156653: ipfw(8) reports missing file as parameter problem
Date: Tue, 28 Jun 2011 21:58:29 -0400

"ipfw -n -p cpp /path/to/missing_file" still works in 8.1 to generate
the misleading error message. (Assuming one doesn't have the file
/path/to/missing_file on one's system.) The issue is not that a missing
file caused an error, but why that is reported as "illegal option -- p"
instead of something like "no such file or directory".

-Jed

clear@net5501:~> ipfw -n -p cpp /path/to/missing_file
ipfw: illegal option -- p
ipfw: usage: ipfw [options]
do "ipfw -h" or "man ipfw" for details
clear@net5501:~> uname -a
FreeBSD net5501 8.1-RELEASE-p4 FreeBSD 8.1-RELEASE-p4 #0: Sat May 28 15:02:21 EDT 2011 root@fbsdam3.my.domain:/usr/obj/nanobsd.custom/i386/usr/src/sys/JEDWALL i386
clear@net5501:~>

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 29 06:48:42 2011
Date: Wed, 29 Jun 2011 06:48:42 GMT
Message-Id: <201106290648.p5T6mg7j036783@freefall.freebsd.org>
To: jclear@speakeasy.net, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: ae@FreeBSD.org Cc: Subject: Re: bin/156653: ipfw(8) reports missing file as parameter problem X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jun 2011 06:48:42 -0000 Synopsis: ipfw(8) reports missing file as parameter problem State-Changed-From-To: feedback->patched State-Changed-By: ae State-Changed-When: Wed Jun 29 06:48:14 UTC 2011 State-Changed-Why: Patched in head/. Thanks! http://www.freebsd.org/cgi/query-pr.cgi?pr=156653 From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 29 06:50:09 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7CC44106566B for ; Wed, 29 Jun 2011 06:50:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 540438FC0C for ; Wed, 29 Jun 2011 06:50:09 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p5T6o9aa037021 for ; Wed, 29 Jun 2011 06:50:09 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p5T6o9rL037020; Wed, 29 Jun 2011 06:50:09 GMT (envelope-from gnats) Date: Wed, 29 Jun 2011 06:50:09 GMT Message-Id: <201106290650.p5T6o9rL037020@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org 
From: dfilter@FreeBSD.ORG (dfilter service) Cc: Subject: Re: bin/156653: commit references a PR X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dfilter service List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jun 2011 06:50:09 -0000 The following reply was made to PR bin/156653; it has been noted by GNATS. From: dfilter@FreeBSD.ORG (dfilter service) To: bug-followup@FreeBSD.org Cc: Subject: Re: bin/156653: commit references a PR Date: Wed, 29 Jun 2011 06:45:58 +0000 (UTC) Author: ae Date: Wed Jun 29 06:45:44 2011 New Revision: 223661 URL: http://svn.freebsd.org/changeset/base/223661 Log: Improve error reporting. Use corresponding error message when file to be preprocessed is missing. Also suggest to use absolute pathname if -p option is specified. PR: bin/156653 MFC after: 2 weeks Modified: head/sbin/ipfw/main.c Modified: head/sbin/ipfw/main.c ============================================================================== --- head/sbin/ipfw/main.c Wed Jun 29 05:41:14 2011 (r223660) +++ head/sbin/ipfw/main.c Wed Jun 29 06:45:44 2011 (r223661) @@ -262,7 +262,7 @@ ipfw_main(int oldac, char **oldav) save_av = av; optind = optreset = 1; /* restart getopt() */ - while ((ch = getopt(ac, av, "abcdefhinNqs:STtv")) != -1) + while ((ch = getopt(ac, av, "abcdefhinNp:qs:STtv")) != -1) switch (ch) { case 'a': do_acct = 1; @@ -306,6 +306,10 @@ ipfw_main(int oldac, char **oldav) co.do_resolv = 1; break; + case 'p': + errx(EX_USAGE, "An absolute pathname must be used " + "with -p option."); + case 'q': co.do_quiet = 1; break; 
@@ -603,9 +607,12 @@ main(int ac, char *av[]) * as a file to be preprocessed. */ - if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0) - ipfw_readfile(ac, av); - else { + if (ac > 1 && av[ac - 1][0] == '/') { + if (access(av[ac - 1], R_OK) == 0) + ipfw_readfile(ac, av); + else + err(EX_USAGE, "pathname: %s", av[ac - 1]); + } else { if (ipfw_main(ac, av)) { errx(EX_USAGE, "usage: ipfw [options]\n" _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 29 11:17:44 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1A0C9106566C for ; Wed, 29 Jun 2011 11:17:44 +0000 (UTC) (envelope-from freebsd@ouarz.net) Received: from sam.nabble.com (sam.nabble.com [216.139.236.26]) by mx1.freebsd.org (Postfix) with ESMTP id ED7688FC14 for ; Wed, 29 Jun 2011 11:17:43 +0000 (UTC) Received: from [192.168.236.26] (helo=sam.nabble.com) by sam.nabble.com with esmtp (Exim 4.72) (envelope-from ) id 1QbsTs-00027V-KG for freebsd-ipfw@freebsd.org; Wed, 29 Jun 2011 03:58:52 -0700 Date: Wed, 29 Jun 2011 03:58:52 -0700 (PDT) 
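Review bot: The new case 'p': in ipfw_main() (hunk @@ -306,6 +306,10 @@ of r223661) ends in errx() with no break and no /* NOTREACHED */ marker before case 'q':, so it reads like an accidental fall-through; add the marker. Since the first hunk declares the option as "p:", the preprocessor name is already in optarg when this message is printed, and the text could say that it is the last argument, the rules file, that must be an absolute pathname.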
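Review bot: err(EX_USAGE, "pathname: %s", av[ac - 1]) in main() (hunk @@ -603,9 +607,12 @@ of r223661) exits with the usage code for what is a missing or unreadable input file; EX_NOINPUT from sysexits.h fits better and lets callers tell it apart from a bad command line. This branch also changes behaviour for every invocation whose last argument starts with '/': such a command used to fall through to ipfw_main() when access() failed and now exits here, which deserves a line in the commit log or in ipfw(8), and only main.c is listed as modified.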
From: franck To: freebsd-ipfw@freebsd.org Message-ID: <1309345132620-4534755.post@n5.nabble.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: using tables = ipfw: ipfw_install_state: Too many dynamic rules X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jun 2011 11:17:44 -0000

Hi,

On a new FreeBSD 8.2 server, ipfw complains of too many dynamic rules as
traffic increases.
e.g. "ipfw: ipfw_install_state: Too many dynamic rules")

Is the following set of rules too complex? What would be the best/generic
approach to setup ipfw for a standard web server? Any recommendations?

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny tcp from any to any frag
00500 allow ip from table(1) to any keep-state
00600 check-state
00700 allow tcp from any to any established
00800 allow ip from any to any out keep-state
00900 allow icmp from any to any
01000 allow udp from me to any dst-port 53 keep-state
01100 allow udp from me to any dst-port 123 keep-state
01200 allow tcp from any to any dst-port 747 setup keep-state
01300 deny ip from table(2) to any
20000 allow tcp from any to any dst-port 80,443 setup keep-state
20100 deny log logamount 1000 ip from any to any
65535 deny ip from any to any

Note that:
- table 1: holds whitelist of IPs
- table 2: holds blacklist of IPs

Regards,
Franck

--
View this message in context: http://freebsd.1045724.n5.nabble.com/using-tables-ipfw-ipfw-install-state-Too-many-dynamic-rules-tp4534755p4534755.html
Sent from the freebsd-ipfw mailing list archive at Nabble.com.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 29 19:03:18 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4182A106564A for ; Wed, 29 Jun 2011 19:03:18 +0000 (UTC) (envelope-from kudzu@tenebras.com) Received: from mail-qw0-f54.google.com (mail-qw0-f54.google.com [209.85.216.54]) by mx1.freebsd.org (Postfix) with ESMTP id 02FE58FC14 for ; Wed, 29 Jun 2011 19:03:17 +0000 (UTC) Received: by qwc9 with SMTP id 9so1059168qwc.13 for ; Wed, 29 Jun 2011 12:03:17 -0700 (PDT) MIME-Version: 1.0 Received: by 10.229.190.83 with SMTP id dh19mr874779qcb.175.1309374197013; Wed, 29 Jun 2011 12:03:17 -0700 (PDT) Received: by 10.229.226.131 with HTTP; Wed, 29 Jun 2011 12:03:16 -0700 (PDT) In-Reply-To: References: <1309345132620-4534755.post@n5.nabble.com> Date: Wed, 29 Jun 2011 12:03:16 -0700 Message-ID: 
From: Michael Sierchio To: franck Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-ipfw@freebsd.org Subject: Re: using tables = ipfw: ipfw_install_state: Too many dynamic rules X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jun 2011 19:03:18 -0000

Sorry, revise my remarks about path mtu - pre-coffee. But you don't really want to drop those explicitly, at least not silently. Let TCP take care of it.

Also, if you want to permit ICMP, you should probably restrict it to reasonable icmptypes (echo, echo reply, error need-frag, etc.)

On Wed, Jun 29, 2011 at 11:34 AM, Michael Sierchio wrote:
> If table 2 contains a blacklist, why not deny traffic at the top?
>
> Why are you silently dropping fragmented TCP packets?  This will break
> Path MTU discovery.
>
> Why do you have a check-state rule after rule 500? That's backwards.
> You might consider putting check-state at the beginning.
>
> You don't want to explicitly permit tcp established - that's done by
> the dynamic rules.  This one rule may be the culprit, but the rest of
> your rules need improvement too. ;-)
>
> Are you running services on 80,443,747 on this host?  Or another
> internal host?
>
> Rule 500 is broken, because TCP works differently from ICMP and UDP,
> and you only want to use the keep-state directive on packets with the
> SYN bit set.
>
> Even if you have only one interface, 'out' is ambiguous - best to
> specify the interface.
>
> You don't need the 'me' rules, since 'any' includes me.
>
> Try something like the following (pretend your external interface is 'eth0'):
>
> allow ip from any to any via lo0
>
> deny ip from any to 127.0.0.0/8
> deny ip from 127.0.0.0/8 to any
> deny ip from table\(2\) to any
>
> check-state
>
> deny tcp from any to any established
>
> allow tcp from any to any dst-port 80,443,747 in recv eth0 setup keep-state
>
> allow tcp from table\(1\) to any in recv eth0 setup keep-state
> allow udp from table\(1\) to any in recv eth0 keep-state
> allow icmp from table\(1\) to any in recv eth0 keep-state
>
> allow tcp from any to any out xmit eth0 setup keep-state
> allow udp from any to any out xmit eth0 keep-state
> allow icmp from any to any out xmit eth0 keep-state
>
> deny log logamount 1000 ip from any to any
>
> On Wed, Jun 29, 2011 at 3:58 AM, franck wrote:
>> Hi,
>>
>> On a new FreeBSD 8.2 server, ipfw complains of too many dynamic rules as
>> traffic increases.
>> e.g. "ipfw: ipfw_install_state: Too many dynamic rules")
>>
>> Is the following set of rules too complex? What would be the best/generic
>> approach to setup ipfw for a standard web server? Any recommendations?
>>
>> 00100 allow ip from any to any via lo0
>> 00200 deny ip from any to 127.0.0.0/8
>> 00300 deny ip from 127.0.0.0/8 to any
>> 00400 deny tcp from any to any frag
>> 00500 allow ip from table(1) to any keep-state
>> 00600 check-state
>> 00700 allow tcp from any to any established
>> 00800 allow ip from any to any out keep-state
>> 00900 allow icmp from any to any
>> 01000 allow udp from me to any dst-port 53 keep-state
>> 01100 allow udp from me to any dst-port 123 keep-state
>> 01200 allow tcp from any to any dst-port 747 setup keep-state
>> 01300 deny ip from table(2) to any
>> 20000 allow tcp from any to any dst-port 80,443 setup keep-state
>> 20100 deny log logamount 1000 ip from any to any
>> 65535 deny ip from any to any
>>
>> Note that:
>> - table 1: holds whitelist of IPs
>> - table 2: holds blacklist of IPs
>>
>> Regards,
>> Franck
>>
>> --
>> View this message in context: http://freebsd.1045724.n5.nabble.com/using-tables-ipfw-ipfw-install-state-Too-many-dynamic-rules-tp4534755p4534755.html
>> Sent from the freebsd-ipfw mailing list archive at Nabble.com.
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>
>

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 29 19:04:57 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B5BA3106566C for ; Wed, 29 Jun 2011 19:04:57 +0000 (UTC) (envelope-from kudzu@tenebras.com) Received: from mail-qy0-f182.google.com (mail-qy0-f182.google.com [209.85.216.182]) by mx1.freebsd.org (Postfix) with ESMTP id 7C1B08FC0C for ; Wed, 29 Jun 2011 19:04:57 +0000 (UTC) Received: by qyk38 with SMTP id 38so1056075qyk.13 for ; Wed, 29 Jun 2011 12:04:56 -0700 (PDT) MIME-Version: 1.0 Received: by 10.229.44.74 with SMTP id z10mr811003qce.213.1309372488883; Wed, 29 Jun 2011 11:34:48 -0700 (PDT) Received: by 10.229.226.131 with HTTP; Wed, 29 Jun 2011 11:34:48 -0700 (PDT) In-Reply-To: <1309345132620-4534755.post@n5.nabble.com> References: <1309345132620-4534755.post@n5.nabble.com> Date: Wed, 29 Jun 2011 11:34:48 -0700 Message-ID:
From: Michael Sierchio To: franck Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-ipfw@freebsd.org Subject: Re: using tables = ipfw: ipfw_install_state: Too many dynamic rules X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jun 2011 19:04:57 -0000

If table 2 contains a blacklist, why not deny traffic at the top?

Why are you silently dropping fragmented TCP packets? This will break Path MTU discovery.

Why do you have a check-state rule after rule 500? That's backwards. You might consider putting check-state at the beginning.

You don't want to explicitly permit tcp established - that's done by the dynamic rules. This one rule may be the culprit, but the rest of your rules need improvement too. ;-)

Are you running services on 80,443,747 on this host? Or another internal host?

Rule 500 is broken, because TCP works differently from ICMP and UDP, and you only want to use the keep-state directive on packets with the SYN bit set.

Even if you have only one interface, 'out' is ambiguous - best to specify the interface.

You don't need the 'me' rules, since 'any' includes me.

Try something like the following (pretend your external interface is 'eth0'):

allow ip from any to any via lo0

deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
deny ip from table\(2\) to any

check-state

deny tcp from any to any established

allow tcp from any to any dst-port 80,443,747 in recv eth0 setup keep-state

allow tcp from table\(1\) to any in recv eth0 setup keep-state
allow udp from table\(1\) to any in recv eth0 keep-state
allow icmp from table\(1\) to any in recv eth0 keep-state

allow tcp from any to any out xmit eth0 setup keep-state
allow udp from any to any out xmit eth0 keep-state
allow icmp from any to any out xmit eth0 keep-state

deny log logamount 1000 ip from any to any

On Wed, Jun 29, 2011 at 3:58 AM, franck wrote:
> Hi,
>
> On a new FreeBSD 8.2 server, ipfw complains of too many dynamic rules as
> traffic increases.
> e.g. "ipfw: ipfw_install_state: Too many dynamic rules")
>
> Is the following set of rules too complex? What would be the best/generic
> approach to setup ipfw for a standard web server? Any recommendations?
>
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny tcp from any to any frag
> 00500 allow ip from table(1) to any keep-state
> 00600 check-state
> 00700 allow tcp from any to any established
> 00800 allow ip from any to any out keep-state
> 00900 allow icmp from any to any
> 01000 allow udp from me to any dst-port 53 keep-state
> 01100 allow udp from me to any dst-port 123 keep-state
> 01200 allow tcp from any to any dst-port 747 setup keep-state
> 01300 deny ip from table(2) to any
> 20000 allow tcp from any to any dst-port 80,443 setup keep-state
> 20100 deny log logamount 1000 ip from any to any
> 65535 deny ip from any to any
>
> Note that:
> - table 1: holds whitelist of IPs
> - table 2: holds blacklist of IPs
>
> Regards,
> Franck
>
> --
> View this message in context: http://freebsd.1045724.n5.nabble.com/using-tables-ipfw-ipfw-install-state-Too-many-dynamic-rules-tp4534755p4534755.html
> Sent from the freebsd-ipfw mailing list archive at Nabble.com.
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 30 01:12:55 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 36EB5106564A for ; Thu, 30 Jun 2011 01:12:55 +0000 (UTC) (envelope-from gregoire.leroy@retenodus.net) Received: from slow3-v.mail.gandi.net (slow3-v.mail.gandi.net [217.70.178.89]) by mx1.freebsd.org (Postfix) with ESMTP id 892FB8FC0A for ; Thu, 30 Jun 2011 01:12:54 +0000 (UTC) X-WhiteListed: mail was accepted with no delay X-WhiteListed: mail was accepted with no delay Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) by slow3-v.mail.gandi.net (Postfix) with ESMTP id A76F03839D for ; Thu, 30 Jun 2011 03:01:57 +0200 (CEST) X-Originating-IP: 217.70.178.134 Received: from mfilter4-d.gandi.net (mfilter4-d.gandi.net [217.70.178.134]) by relay4-d.mail.gandi.net (Postfix) with ESMTP id 82582172083 for ; Thu, 30 Jun 2011 03:01:45 +0200 (CEST) X-Virus-Scanned: Debian amavisd-new at mfilter4-d.gandi.net Received: from relay4-d.mail.gandi.net ([217.70.183.196]) by mfilter4-d.gandi.net (mfilter4-d.gandi.net [10.0.15.180]) (amavisd-new, port 10024) with ESMTP id aZ6Y+Ma6dPDE for ; Thu, 30 Jun 2011 03:01:43 +0200 (CEST) X-Originating-IP: 212.234.55.192 Received: from rena.localnet (unknown [212.234.55.192]) (Authenticated sender: lupuscramus@hyperthese.net) by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id 5DD6217207B for ; Thu, 30 Jun 2011 03:01:43 +0200 (CEST)
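The review points from Michael Sierchio's two replies above, written as a small ruleset linter and run over both rulesets from the thread. This is an added example, not code from the posters or from ipfw; the parser handles only the simplified rule form quoted in the thread, and the finding names are made up for the example.

```python
"""Lint an ipfw ruleset against the review points raised in the thread."""
from dataclasses import dataclass, field

# Constructed inputs: both rulesets are copied from the messages in the thread.
FRANCK_RULES = """
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny tcp from any to any frag
00500 allow ip from table(1) to any keep-state
00600 check-state
00700 allow tcp from any to any established
00800 allow ip from any to any out keep-state
00900 allow icmp from any to any
01000 allow udp from me to any dst-port 53 keep-state
01100 allow udp from me to any dst-port 123 keep-state
01200 allow tcp from any to any dst-port 747 setup keep-state
01300 deny ip from table(2) to any
20000 allow tcp from any to any dst-port 80,443 setup keep-state
20100 deny log logamount 1000 ip from any to any
65535 deny ip from any to any
"""
PROPOSED_RULES = r"""
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
deny ip from 127.0.0.0/8 to any
deny ip from table\(2\) to any
check-state
deny tcp from any to any established
allow tcp from any to any dst-port 80,443,747 in recv eth0 setup keep-state
allow tcp from table\(1\) to any in recv eth0 setup keep-state
allow udp from table\(1\) to any in recv eth0 keep-state
allow icmp from table\(1\) to any in recv eth0 keep-state
allow tcp from any to any out xmit eth0 setup keep-state
allow udp from any to any out xmit eth0 keep-state
allow icmp from any to any out xmit eth0 keep-state
deny log logamount 1000 ip from any to any
"""

@dataclass
class Rule:
    label: str          # rule number, or "#<position>" when the rule is unnumbered
    action: str
    logged: bool = False
    proto: str = ""
    src: str = ""
    opts: list = field(default_factory=list)

def parse_ruleset(text):
    """Parse '[num] action [log [logamount N]] proto from SRC to DST [opts]' lines."""
    rules = []
    for raw in text.splitlines():
        tokens = raw.replace("\\", "").split()   # drop shell escapes: table\(2\)
        if not tokens or tokens[0].startswith("#"):
            continue
        label = tokens.pop(0) if tokens[0].isdigit() else f"#{len(rules) + 1}"
        rule = Rule(label, tokens.pop(0))
        if tokens[:1] == ["log"]:
            rule.logged = True
            del tokens[:3 if tokens[1:2] == ["logamount"] else 1]
        if "from" in tokens and "to" in tokens:
            rule.proto = tokens[0]
            rule.src = tokens[tokens.index("from") + 1]
            rule.opts = tokens[tokens.index("to") + 2:]
        rules.append(rule)
    return rules

def lint(rules):
    """Return (rule label, finding) pairs in ruleset order."""
    found, seen_keep_state, seen_wide_allow = [], False, False
    for r in rules:
        o = r.opts
        if r.action == "check-state" and seen_keep_state:
            found.append((r.label, "CHECK_STATE_LATE"))
        if r.action == "deny":
            # A blacklist only helps if it is consulted before traffic is allowed.
            if r.src.startswith("table(") and seen_wide_allow:
                found.append((r.label, "BLACKLIST_AFTER_ALLOW"))
            if "frag" in o and not r.logged:
                found.append((r.label, "SILENT_FRAG_DROP"))
        if r.action == "allow":
            if r.proto == "tcp" and "established" in o:
                found.append((r.label, "ALLOW_ESTABLISHED"))
            # keep-state on tcp/ip/all without 'setup' also matches non-SYN TCP packets.
            if "keep-state" in o and r.proto in ("tcp", "ip", "all") and "setup" not in o:
                found.append((r.label, "KEEP_STATE_WITHOUT_SETUP"))
            if r.proto == "icmp" and "icmptypes" not in o:
                found.append((r.label, "ICMP_UNRESTRICTED"))
            if ("in" in o or "out" in o) and not {"recv", "xmit", "via"} & set(o):
                found.append((r.label, "DIRECTION_WITHOUT_INTERFACE"))
            loopback_only = any(a == "via" and b.startswith("lo") for a, b in zip(o, o[1:]))
            seen_wide_allow = seen_wide_allow or not loopback_only
        seen_keep_state = seen_keep_state or "keep-state" in o
    return found

if __name__ == "__main__":
    for name, text in (("franck", FRANCK_RULES), ("proposed", PROPOSED_RULES)):
        print(name, lint(parse_ruleset(text)))
```

On the proposed ruleset the only findings are the two ICMP rules, which is the point the follow-up reply makes about icmptypes.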
From: Grégoire Leroy To: freebsd-ipfw@freebsd.org Date: Thu, 30 Jun 2011 03:01:42 +0200 User-Agent: KMail/1.13.7 (Linux/2.6.39-2-amd64; KDE/4.6.4; x86_64; ; ) X-KMail-Markup: true MIME-Version: 1.0 Message-Id: <201106300301.42182.gregoire.leroy@retenodus.net> Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Load balancing ipfw + NAT X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 Jun 2011 01:12:55 -0000

Hi,

I try to use load-balancing with IPFW. I've 3 lines : 2 ADSL and 1 SDSL. I try to loadbalance http traffic on ADSL1(192.168.7.1) and ADSL2(192.168.6.1).

My gateway has 4 network devices. 1 for each line (em 1 ->192.168.5.10, em2 -> 192.168.6.10, em3 ->192.168.7.10), and one for local network (em0 -> 192.168.4.1)

On my gateway, there are 3 nat instances :

natd -p 8868 -dynamic -interface em3
natd -p 8869 -dynamic -interface em2
natd -p 8868 -dynamic -interface em1

Here is my config relative to the load balancing :

$cmd 300 divert 8868 ip from any to any via $adsl1_if
$cmd 301 divert 8869 ip from any to any via $adsl2_if
$cmd 302 divert 8870 ip from any to any via $sdsl_if
$cmd 00320 check-state
$cmd 0670 prob 0.5 skipto 17000 tcp from $clients to any $tcp_web setup $ks
$cmd 0671 skipto 19000 tcp from $clients to any $tcp_web setup $ks
$cmd 017000 divert 8868 ip from $clients to any in
$cmd 017500 divert 8868 ip from $clients to any out
$cmd 017700 allow all from any to any
$cmd 019000 divert 8869 ip from $clients to any out
$cmd 019500 divert 8869 ip from $clients to any in
$cmd 19700 allow all from any to any
$cmd 17550 fwd $isp1 ip from 192.168.7.10 to any
$cmd 19550 fwd $isp2 ip from 192.168.6.10 to any
$cmd 23500 fwd $isp3 ip from 192.168.5.10 to any
$cmd 65534 allow all from any to any

ipfw show :

00300 16789 17438940 divert 8868 ip from any to any via em3
00301 0 0 divert 8869 ip from any to any via em2
00302 0 0 divert 8870 ip from any to any via em1
00670 6409 7934908 prob 0.500000 skipto 17000 tcp from 192.168.4.2 to any dst-port 80,443,25,3128 setup keep-state
00671 21464 26576872 skipto 19000 tcp from 192.168.4.2 to any dst-port 80,443,25,3128 setup keep-state
17000 1145 59132 divert 8868 ip from 192.168.4.2 to any in
17500 0 0 divert 8868 ip from 192.168.4.2 to any out
17700 6409 7934908 allow ip from any to any
19000 0 0 divert 8869 ip from 192.168.4.2 to any out
19500 3848 198584 divert 8869 ip from 192.168.4.2 to any in

The skipto seems good, so I don't understand why I don't catch packet with a tcpdump on em2 : it seems that all web traffic pass by em3.

Can someone explain to me what is wrong ?

PS : my work is based on http://lists.freebsd.org/pipermail/freebsd-ipfw/2003-August/000399.html

Regards,

Grégoire leroy

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 1 06:59:42 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 44E2C1065672 for ; Fri, 1 Jul 2011 06:59:42 +0000 (UTC) (envelope-from freebsd-ipfw@herveybayaustralia.com.au) Received: from mail.unitedinsong.com.au (mail.unitedinsong.com.au [150.101.178.33]) by mx1.freebsd.org (Postfix) with ESMTP id 9683E8FC15 for ; Fri, 1 Jul 2011 06:59:41 +0000 (UTC) Received: from laptop1.herveybayaustralia.com.au (laptop1.herveybayaustralia.com.au [192.168.0.186]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mail.unitedinsong.com.au (Postfix) with ESMTPS id 88B145C24 for ; Fri, 1 Jul 2011 16:53:41 +1000 (EST) Message-ID: <4E0D6D22.3020604@herveybayaustralia.com.au> Date: Fri, 01 Jul 2011 16:45:54 +1000
From: Da Rock User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.1.16) Gecko/20110204 Thunderbird/3.0.11 ThunderBrowse/3.3.4 MIME-Version: 1.0 To: freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: IPSec forwarding X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jul 2011 06:59:42 -0000 I'm having issues with pf firewall with a binat L2TP/IPSec VPN. From what I understand, no one can get IPSec to work through this firewall- it is unknown what the actual problem is, but it looks like a rekeying problem: the connection is made but rekeying occurs immediately (alleged failure of phase 1/2?). So I come to the folks here at IPFW with a general question: does IPSec have any known issues with IPFW? Including NAT? I've googled but haven't discovered any info on this. I would try testing this myself except for a severe lack of resources to attempt it, I would like some definitive proof that this works so I can try to narrow the problem down with pf (or change systems... :) ). 
Cheers From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 1 09:00:21 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 771B1106566B for ; Fri, 1 Jul 2011 09:00:21 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 67ABD8FC18 for ; Fri, 1 Jul 2011 09:00:21 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p6190LwP027078 for ; Fri, 1 Jul 2011 09:00:21 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p6190LLD027077; Fri, 1 Jul 2011 09:00:21 GMT (envelope-from gnats) Date: Fri, 1 Jul 2011 09:00:21 GMT Message-Id: <201107010900.p6190LLD027077@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org From: "Andrey V. Elsukov" Cc: Subject: Re: kern/131817: [ipfw] blocks layer2 packets that should not be blocked X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "Andrey V. Elsukov" List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jul 2011 09:00:21 -0000 The following reply was made to PR kern/131817; it has been noted by GNATS. 
From: "Andrey V. Elsukov" To: bug-followup@FreeBSD.org, eugen@grosbein.pp.ru Cc: Subject: Re: kern/131817: [ipfw] blocks layer2 packets that should not be blocked Date: Fri, 01 Jul 2011 12:56:14 +0400 This is a multi-part message in MIME format. --------------000306040401040406030900 Content-Type: text/plain; charset=KOI8-R Content-Transfer-Encoding: 7bit Hi, Eugene can you test this patch? -- WBR, Andrey V. Elsukov --------------000306040401040406030900 Content-Type: text/plain; name="arpreply.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="arpreply.diff" Index: head/sys/netinet/if_ether.c =================================================================== --- head/sys/netinet/if_ether.c (revision 223705) +++ head/sys/netinet/if_ether.c (working copy) 
@@ -857,6 +857,7 @@ reply: ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */ m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln); m->m_pkthdr.len = m->m_len; + m->m_pkthdr.rcvif = NULL; sa.sa_family = AF_ARP; sa.sa_len = 2; (*ifp->if_output)(ifp, m, &sa, NULL); --------------000306040401040406030900-- From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 1 09:04:59 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 23AEE1065679; Fri, 1 Jul 2011 09:04:59 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id F16088FC12; Fri, 1 Jul 2011 09:04:58 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p6194wZc035656; Fri, 1 Jul 2011 09:04:58 GMT (envelope-from ae@freefall.freebsd.org) Received: (from ae@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p6194wKd035651; Fri, 1 Jul 2011 09:04:58 GMT (envelope-from ae) Date: Fri, 1 Jul 2011 09:04:58 GMT Message-Id: <201107010904.p6194wKd035651@freefall.freebsd.org> To: eugen@grosbein.pp.ru, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org 
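Review bot: The added m->m_pkthdr.rcvif = NULL; in the reply: path of if_ether.c (arpreply.diff) carries no comment saying why the receive interface is cleared just before (*ifp->if_output)(ifp, m, &sa, NULL). Add a one-line comment stating the reason, presumably that the outgoing ARP reply must not be seen by packet filters as received on ifp, which is the symptom reported in kern/131817, so the assignment is not removed later as redundant; it is also worth confirming that nothing on the output path still expects rcvif to be set for this mbuf.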
From: ae@FreeBSD.org Cc: Subject: Re: kern/131817: [ipfw] blocks layer2 packets that should not be blocked X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 Jul 2011 09:04:59 -0000 Synopsis: [ipfw] blocks layer2 packets that should not be blocked State-Changed-From-To: open->feedback State-Changed-By: ae State-Changed-When: Fri Jul 1 09:04:38 UTC 2011 State-Changed-Why: Feedback requested. http://www.freebsd.org/cgi/query-pr.cgi?pr=131817 From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 2 08:48:52 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E945E1065672; Sat, 2 Jul 2011 08:48:52 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id C126B8FC1C; Sat, 2 Jul 2011 08:48:52 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p628mqpu084159; Sat, 2 Jul 2011 08:48:52 GMT (envelope-from ae@freefall.freebsd.org) Received: (from ae@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p628mqVI084154; Sat, 2 Jul 2011 08:48:52 GMT (envelope-from ae) Date: Sat, 2 Jul 2011 08:48:52 GMT Message-Id: <201107020848.p628mqVI084154@freefall.freebsd.org> To: dima_bsd@inbox.lv, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org 
From: ae@FreeBSD.org Cc: Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Jul 2011 08:48:53 -0000 Synopsis: [ipfw] ipfw dynamic rules and fwd State-Changed-From-To: open->patched State-Changed-By: ae State-Changed-When: Sat Jul 2 08:48:17 UTC 2011 State-Changed-Why: Patched in head/. http://www.freebsd.org/cgi/query-pr.cgi?pr=147720
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 2 18:24:30 2011 Return-Path: Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 142271065778; Sat, 2 Jul 2011 18:24:30 +0000 (UTC) (envelope-from dima_bsd@inbox.lv) Received: from mgw1.apollo.lv (mgw1.apollo.lv [80.232.168.216]) by mx1.freebsd.org (Postfix) with ESMTP id C60248FC17; Sat, 2 Jul 2011 18:24:29 +0000 (UTC) Received: from [46.109.212.104] (unknown [46.109.212.104]) by mgw1.apollo.lv (Postfix) with ESMTP id 3D5893DF89F; Sat, 2 Jul 2011 21:07:20 +0300 (EEST)
From: Dmitriy Demidov To: ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org Date: Sat, 2 Jul 2011 18:07:18 +0000 User-Agent: KMail/1.9.10 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <201107021807.18663.dima_bsd@inbox.lv> X-Brightmail-Tracker: AAAAAA== Cc: Subject: Re: kern/144187: [ipfw] deadlock using multiple ipfw nat and multiple limit statements X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Jul 2011 18:24:30 -0000

> Synopsis: [ipfw] deadlock using multiple ipfw nat and multiple limit statements
> State-Changed-From-To: open->feedback
> State-Changed-By: ae
> State-Changed-When: Tue Jun 28 05:29:45 UTC 2011
> State-Changed-Why:
> Can you still reproduce this on a supported release?
> Or maybe you can test your rules on head/ branch?
> There were some changes related to ipfw_nat.
> http://www.freebsd.org/cgi/query-pr.cgi?pr=144187

Hello, I have retested this configuration on today's build of FreeBSD 9-CURRENT i386. It seems that this problem is solved now! I am unable to reproduce the deadlock anymore. All is working just fine. Thanks!

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 2 19:43:50 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 81E4A106566B; Sat, 2 Jul 2011 19:43:50 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 5A08D8FC12; Sat, 2 Jul 2011 19:43:50 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p62JhoEE098096; Sat, 2 Jul 2011 19:43:50 GMT (envelope-from ae@freefall.freebsd.org) Received: (from ae@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p62Jhn1O098092; Sat, 2 Jul 2011 19:43:49 GMT (envelope-from ae) Date: Sat, 2 Jul 2011 19:43:49 GMT Message-Id: <201107021943.p62Jhn1O098092@freefall.freebsd.org> To: dima_bsd@inbox.lv, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org 
From: ae@FreeBSD.org Cc: Subject: Re: kern/144187: [ipfw] deadlock using multiple ipfw nat and multiple limit statements X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Jul 2011 19:43:50 -0000 Synopsis: [ipfw] deadlock using multiple ipfw nat and multiple limit statements State-Changed-From-To: feedback->closed State-Changed-By: ae State-Changed-When: Sat Jul 2 19:42:05 UTC 2011 State-Changed-Why: The submitter has reported that the problem is already fixed. Thanks! http://www.freebsd.org/cgi/query-pr.cgi?pr=144187 From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 2 20:50:03 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2824B1065670; Sat, 2 Jul 2011 20:50:03 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id EE01B8FC08; Sat, 2 Jul 2011 20:50:02 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p62Ko2xC057143; Sat, 2 Jul 2011 20:50:02 GMT (envelope-from ae@freefall.freebsd.org) Received: (from ae@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p62Ko2KP057139; Sat, 2 Jul 2011 20:50:02 GMT (envelope-from ae) Date: Sat, 2 Jul 2011 20:50:02 GMT Message-Id: <201107022050.p62Ko2KP057139@freefall.freebsd.org> To: borjam@sarenet.es, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org 
From: ae@FreeBSD.org Cc: Subject: Re: kern/131558: [ipfw] Inconsistent "via" ipfw behavior X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 02 Jul 2011 20:50:03 -0000 Synopsis: [ipfw] Inconsistent "via" ipfw behavior State-Changed-From-To: open->closed State-Changed-By: ae State-Changed-When: Sat Jul 2 20:44:50 UTC 2011 State-Changed-Why: This is documented behaviour. ipfw(8) does not check interface names, because they may be created dynamically. "via" rule option does not support list of interfaces. You can use shell patterns like "via bge*" or or-block syntax "{ via bge0 or via bge1 }". http://www.freebsd.org/cgi/query-pr.cgi?pr=131558