From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 30 11:07:38 2012
Date: Mon, 30 Jan 2012 11:07:37 GMT
Message-Id: <201201301107.q0UB7bB8005436@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/163873  ipfw       [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
f kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

41 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jan 30 16:36:34 2012
Date: Mon, 30 Jan 2012 17:11:45 +0100
From: Ermal Luçi
To: freebsd-ipfw@freebsd.org
Subject: Fwd: [PATCH] multiple instances of ipfw(4)

Maybe this list is more appropriate!

---------- Forwarded message ----------
From: Ermal Luçi
Date: Mon, Jan 30, 2012 at 1:01 PM
Subject: [PATCH] multiple instances of ipfw(4)
To: freebsd-net, freebsd-hackers@freebsd.org

Hello,

from needs on pfSense a patch for allowing multiple instances of
ipfw(4) in kernel to co-exist was developed.
It can be found here
https://raw.github.com/bsdperimeter/pfsense-tools/master/patches/RELENG_9_0/CP_multi_instance_ipfw.diff

It is used in conjunction with this tool
https://raw.github.com/bsdperimeter/pfsense-tools/master/pfPorts/ipfw_context/files/ipfw_context.c
It allows creation of contexts/instances and assignment of specific
interfaces to specific contexts/instances.

Surely I know that this is not the best way to implement generically
but it gets the job done for us as it is, read below.

What I would like to know is if there is interest to see such
functionality in FreeBSD?

I am asking first to see if there is some consensus about this as a
feature, needed or not!
If interest is shown I will transform the patch to allow:
- ipfw(8) to manage the contexts create/destroy
- ipfw(8) to manage interface membership.
  Closing the race of two parallel clients modifying different contexts.

There is another design choice to be made about storing the membership
of interfaces into contexts/instances, but I do not see that as
blocking.

It is quite a handy feature, which can be exploited even to scale on SMP
machines by extending it to bind a specific instance (with its
interfaces) to a specific CPU/core?!

Comments/Feedback expected,
Ermal
From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 31 08:53:31 2012
Date: Tue, 31 Jan 2012 09:53:30 +0100
From: Ermal Luçi
To: vadim_nuclight@mail.ru
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: [PATCH] multiple instances of ipfw(4)

On Mon, Jan 30, 2012 at 10:08 PM, Vadim Goncharov wrote:
> Hi Ermal Luçi!
>
> On Mon, 30 Jan 2012 13:01:13 +0100; Ermal Luçi wrote about '[PATCH] multiple instances of ipfw(4)':
>
>> from needs on pfSense a patch for allowing multiple instances of
>> ipfw(4) in kernel to co-exist was developed.
>> It can be found here
>> https://raw.github.com/bsdperimeter/pfsense-tools/master/patches/RELENG_9_0/CP_multi_instance_ipfw.diff
>
> Hmm, looking at the lines
>
>         if (oif && !(oif->if_flags & IFF_IPFW_FILTER))
>                 return (IP_FW_PASS);
>
> it appears that a patch is made against somewhat private, I couldn't find that
> in stock FreeBSD.

Yeah, it's not so polished a patch, and the remaining parts are still
there in the same repo.
Though it's redundant to this patch.

>> It is used in conjunction with this tool
>> https://raw.github.com/bsdperimeter/pfsense-tools/master/pfPorts/ipfw_context/files/ipfw_context.c
>> It allows creation of contexts/instances and assignment of specific
>> interfaces to specific contexts/instances.
>
> It is not clear how to add a rule to a specific instance with this program.
>

Simple example:
- Create a context with members
  ipfw_context -a testctx
  ipfw_context -a testctx -n myiface0
  ipfw_context -a testctx -n myiface1
- Set the context
  ipfw_context -s testctx
- Continue business as usual with ipfw/dummynet
  ipfw add ....
  ipfw pipe create ....
  ipfw table add ....

>> Surely I know that this is not the best way to implement generically
>> but it gets the job done for us as it is, read below.
>
>> What I would like to know is if there is interest to see such
>> functionality in FreeBSD?
>
>> I am asking first to see if there is some consensus about this as a
>> feature, needed or not!
>> If interest is shown I will transform the patch to allow:
>> - ipfw(8) to manage the contexts create/destroy
>> - ipfw(8) to manage interface membership. Closing the race of two
>> parallel clients modifying different contexts.
>
>> There is another design choice to be made about storing the membership
>> of interfaces into contexts/instances, but I do not see that as
>> blocking.
>
>> It is quite a handy feature, which can be exploited even to scale on SMP
>> machines by extending it to bind a specific instance (with its
>> interfaces) to a specific CPU/core?!
>
> Not so simple/straightforward questions. On the one hand, there are at least
> /some/ people who need this. So the ipfw 'call'/'return' actions were already
> implemented, first appearing in 9.0-R / 8.3-R. And melifaro@ has patches to
> ipfw table allowing matching against ifname, setting tablearg, which in
> conjunction with 'call' or 'skipto' could be used to make essentially the same
> functionality as your proposed patch, already in stock FreeBSD.
>

Well, it tends to get messy if you do not have a smart consumer handling
the jumps.
It's almost like reprogramming in the ipfw language, and somehow an admin
needs to read this!
The intention was to be practical and allow easy troubleshooting.

> On the other hand, both ipfw contexts and ipfw 'call' are very half-measures.
> The only goal was to give people something right now, and see how much this
> will be demanded, what feedback they'll give, etc. It is obvious there is no
> wide testing of 9.0-R (and 8.3-R too) right now.
>

It depends on the needs, surely, and how colorful you want it to be.

> What I mean here about half-measures? The ipfw 'call' is just a sketch of my
> old ideas to completely reorganize ipfw to support multiple rulesets. To be
> generic and Right Thing(tm), this is a HUGE work, because:
>
> - each ipfw chain becomes independent netgraph(4) node
> - generic ng_pfil node usable not only for firewalls
> - chains may be called from each other (see iptables)
> - chains (actually netgraph nodes) may be bound to ifaces or any other place
> - main unnamed chain is called from pfil as before
> - rewrite ipfw & dummynet management from setsockopt() to netgraph messages
> - completely rewrite ipfw dynamic rules to not conflict with multiple
>   rulesets, as now they just jump to parent static rule (need to be more like
>   pf or iptables states). This item is hard but essential (you'll get a mess
>   jumping to another ruleset), and ipfw contexts don't handle it
> - while here, do other needed things, e.g. adding support for modules in both
>   kernel and userland, loadable opcodes, keywords, etc.
>

If you write an ip/tcp/udp/... stack on netgraph then I will write this :)
Though it's a matter of preference and how much work is needed to
accomplish this!
Surely ipfw has seen a lot of hacks in the past and will see in the
future, but I think usability is more of a target rather than fancy design.

But surely nothing should stop both ways.

> Even if not add something like bpf, that's ipfw_ng is probably a more major
> change than both ipfw2 and ipfw3 :)
>
> Due to various reasons in my private life, I was unable to do it in my spare
> time previous years.
> My new employer is a provider using FreeBSD on most
> machines, so I hope I could finally begin doing it at work (and for work),
> but only several months later after more actual tasks.
>
> But, all of this only makes sense to be generic for needs of broad masses of
> our users. And in pfSense ipfw users are actually only its authors (all
> others see web interface), so it's better and more practical to not rely on
> such complex solution, but rather on something more simple and specialized for
> their needs. Such as your proposed ipfw contexts.
>

Surely enough you can take shortcuts in a customization, but it's not the
point here.

> --
> WBR, Vadim Goncharov. ICQ#166852181       mailto:vadim_nuclight@mail.ru
> [Anti-Greenpeace][Sober FreeBSD zealot][http://nuclight.livejournal.com]
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

-- 
Ermal

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jan 31 09:58:33 2012
Message-ID: <4F27B293.5000605@freebsd.org>
Date: Tue, 31 Jan 2012 01:21:23 -0800
From: Julian Elischer
To: Ermal Luçi
Cc: vadim_nuclight@mail.ru, freebsd-net@freebsd.org, freebsd-hackers@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: [PATCH] multiple instances of ipfw(4)

On 1/31/12 12:53 AM, Ermal Luçi wrote:
> On Mon, Jan 30, 2012 at 10:08 PM, Vadim Goncharov wrote:
[...]
>> What I mean here about half-measures? The ipfw 'call' is just a sketch of my
>> old ideas to completely reorganize ipfw to support multiple rulesets. To be
>> generic and Right Thing(tm), this is a HUGE work, because:
>>
>> - each ipfw chain becomes independent netgraph(4) node

what about the existing netgraph ipfw node someone wrote a few years ago?
I saw it but don't know if it was sent out publicly.

>> - generic ng_pfil node usable not only for firewalls
>> - chains may be called from each other (see iptables)
[...]
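The stock-ipfw layout Vadim describes above, one block of rules per context entered with 'call' and left with 'return', as an added example that is neither the thread's code nor the pfSense patch; the function names (ctx_base, ctx_dispatch, ctx_rules, ctx_ruleset), the block size and spacing, the interface names em0/em1/em2 and the sample rules are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense patch: emulate
# per-interface "contexts" with what stock ipfw (8.3-R/9.0-R and later)
# already has, the 'call'/'return' actions. Every context owns a block of
# BLOCK rule numbers; the main chain enters the block with
# 'call <base> ... in recv <iface>' / 'out xmit <iface>' and the block ends
# with 'return'. The functions only print ipfw(8) commands so the layout can
# be reviewed; on a FreeBSD host with ipfw loaded, pipe the output to sh.
# Block size, spacing, interface names and sample rules are assumptions.

BLOCK=1000          # rule numbers reserved per context
DISPATCH_BASE=100   # main-chain rule number of the first dispatch rule
STEP=10             # spacing between rules inside a block

# ctx_base INDEX -> first rule number of context INDEX (1 -> 1000, 2 -> 2000)
ctx_base() {
    echo $(( $1 * BLOCK ))
}

# ctx_dispatch INDEX IFACE... -> main-chain rules entering the block.
# Matching 'in recv' and 'out xmit' separately (rather than 'via') means a
# forwarded packet enters exactly one context per pfil pass; 'via' would
# match both its receive and its transmit interface on the output pass.
# All dispatch rules of one context share a number; ipfw keeps them in
# insertion order.
ctx_dispatch() {
    idx=$1; shift
    base=$(ctx_base "$idx")
    for ifn in "$@"; do
        echo "ipfw add $(( DISPATCH_BASE + idx )) call $base ip from any to any in recv $ifn"
        echo "ipfw add $(( DISPATCH_BASE + idx )) call $base ip from any to any out xmit $ifn"
    done
}

# ctx_rules INDEX BODY... -> the context's block: its rules STEP apart, then
# a 'return' so unmatched traffic continues at the rule after the 'call'
# instead of falling through into the next context's block. Returns
# status 1 when the rules would not fit in the block.
ctx_rules() {
    idx=$1; shift
    base=$(ctx_base "$idx")
    n=$(( base + STEP ))
    for body in "$@"; do
        if [ "$n" -ge $(( base + BLOCK - 1 )) ]; then
            echo "context $idx: block overflow at rule $n" >&2
            return 1
        fi
        echo "ipfw add $n $body"
        n=$(( n + STEP ))
    done
    echo "ipfw add $(( base + BLOCK - 1 )) return ip from any to any"
}

# ctx_ruleset -> a complete ruleset for two constructed contexts, "wan" on
# em0 (context 1) and "lan" on em1 and em2 (context 2), around a shared
# main chain.
ctx_ruleset() {
    # check-state runs before any dispatch: a dynamic rule created by
    # keep-state inside a block is matched here and executes its parent
    # rule's action, bypassing the rest of that block. This is the
    # dynamic-rules problem with multiple rulesets raised in the thread.
    echo "ipfw add 10 check-state"
    ctx_dispatch 1 em0
    ctx_dispatch 2 em1 em2
    # Shared rules: 'return' lands on the first rule numbered above the
    # calling rule, so traffic a context did not decide ends up here.
    echo "ipfw add $(( DISPATCH_BASE + 50 )) allow ip from any to any via lo0"
    echo "ipfw add $(( DISPATCH_BASE + 60 )) deny log ip from any to any"
    ctx_rules 1 "allow tcp from any to me 22 setup keep-state" \
                "allow icmp from any to any icmptypes 8"
    ctx_rules 2 "allow ip from 192.0.2.0/24 to any keep-state"
}

ctx_ruleset
```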
From owner-freebsd-ipfw@FreeBSD.ORG Wed Feb 1 23:41:08 2012
Date: Wed, 1 Feb 2012 23:41:07 GMT
Message-Id: <201202012341.q11Nf7PN033523@freefall.freebsd.org>
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/164690: [ipfw] Request for ipv6 support in ipfw tables

Old Synopsis: Request for ipv6 support in ipfw tables
New Synopsis: [ipfw] Request for ipv6 support in ipfw tables

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Feb 1 23:40:49 UTC 2012
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=164690
Received: from 127.0.0.1 (74.86.115.74) by r234-m4.fanbridge.com (PowerMTA(TM) v3.5r15) id h5bmhm1cibcm; Thu, 2 Feb 2012 14:32:49 -0500
From: "775HipHop.com"
To: "freebsd-ipfw@freebsd.org"
Sender: FanBridge
Message-ID: <0134a0f9b509829446dec808daa4a807@fanbridge.com>
Date: Thu, 02 Feb 2012 14:32:49 -0500
Subject: Please confirm your email for 775HipHop.com's list

Congratulations! You have been added to the fan list! Click on the following
link to confirm/add your details:
http://fburls.com/updt/139058|ccPU75Xk3U1t2hXdBdhF2aecP4|freebsd-ipfw@freebsd.org

IMPORTANT: Be sure to add dhubbard775@gmail.com to your safe senders list to
ensure that you get these messages every time.

This list is powered by FanBridge, the world's leading provider of fan
relationship management. With FanBridge, your information is kept safe and
never sold to third parties. http://www.fanbridge.com

----------------------------------------
775HipHop.com sent this email to freebsd-ipfw@freebsd.org
Questions? Contact dhubbard775@gmail.com or 775HipHop.com, c/o FanBridge, Inc.
- 14525 SW Millikan Way, #16910, Beaverton, Oregon 97005, United States
Update Your Information - http://fburls.com/updt/139058|ccPU75Xk3U1t2hXdBdhF2aecP4|freebsd-ipfw@freebsd.org
Unsubscribe - http://fburls.com/usub/139058|ccPU75Xk3U1t2hXdBdhF2aecP4|189247938
Privacy Policy - http://www.fanbridge.com/learn/privacy.php
This email message is powered by FanBridge: http://www.fanbridge.com/b.php?id=139058
Powering Valuable Fan Relationships

From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 2 23:34:00 2012
Received: from mail-wi0-f182.google.com (mail-wi0-f182.google.com [209.85.212.182]) by mx1.freebsd.org (Postfix) with ESMTP id C679E8FC08; Thu, 2 Feb 2012 23:33:59 +0000 (UTC) (envelope-from korodev@gmail.com)
From: Korodev
To: freebsd-ipfw@freebsd.org
Date: Thu, 2 Feb 2012 17:04:14 -0600
Subject: IPFW Logging Details (tcpflags, packet length)

On some of my older FreeBSD boxes, my IPFW deny log rules would generate logs
that included the denied packet's len and flags when TCP, but I've noticed
that my newer 8.2 box does not, despite all the sysctl tunables looking the
same. Is there something I'm missing here? Is this still possible?

Thanks,
\\korodev
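To give the logging question above something concrete to work with, here is an added example in Python; it is not from the original thread and not FreeBSD's own code. It parses ipfw syslog lines in the ipfw2-style shape `ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <ifname>` (that shape is an assumption, and it has no field from which packet length or TCP flags could be recovered), then runs a crude port-scan check over the parsed deny records. The sample lines are constructed; the function names `parse_line`, `parse_log` and `scan_candidates` are my own.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, NOT taken from the original thread. The line
# shape is an ASSUMPTION about ipfw2-style logging:
#   ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <ifname>
# Nothing in this shape carries the packet length or the TCP flags.
SAMPLE_LOG = """\
Feb  2 15:04:14 fw kernel: ipfw: 100 Deny TCP 198.51.100.7:51234 192.0.2.10:22 in via em0
Feb  2 15:04:15 fw kernel: ipfw: 100 Deny TCP 198.51.100.7:51235 192.0.2.10:23 in via em0
Feb  2 15:04:16 fw kernel: ipfw: 200 Accept UDP 192.0.2.10:53 203.0.113.5:3412 out via em1
Feb  2 15:04:17 fw kernel: ipfw: 100 Deny ICMP:8.0 198.51.100.9 192.0.2.10 in via em0
Feb  2 15:04:18 fw kernel: ipfw: 100 Deny TCP 198.51.100.7:51236 192.0.2.10:25 in via em0
Feb  2 15:04:19 fw kernel: ipfw: 65535 Deny TCP [2001:db8::1]:4040 [2001:db8::2]:80 in via em0
Feb  2 15:04:20 fw kernel: some unrelated kernel message
"""

# Endpoints are either a bracketed IPv6 address or a dotted IPv4 address, each
# with an optional :port (absent for ICMP). The action is taken as one token.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\[[0-9A-Fa-f:.]+\]|[0-9.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>\[[0-9A-Fa-f:.]+\]|[0-9.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return a dict of fields for one ipfw log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def parse_log(text):
    """Parse a block of syslog text, silently skipping non-ipfw lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def scan_candidates(records, min_ports=3):
    """Sources whose denied TCP/UDP traffic touched at least min_ports distinct
    destination ports: a crude port-scan indicator built from deny logs alone."""
    seen = defaultdict(set)
    for r in records:
        if r["action"] == "Deny" and r["dport"] is not None:
            seen[r["src"]].add(r["dport"])
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["rule"], r["action"], r["proto"], r["src"], r["sport"],
              "->", r["dst"], r["dport"], r["dir"], r["iface"])
    print("scan candidates:", scan_candidates(recs))
```

Run it against `/var/log/security` (or wherever syslog puts `security.*` on the box in question) by feeding the file contents to `parse_log`; the threshold in `scan_candidates` is deliberately low for the constructed sample and should be raised for real traffic.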