From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 23 11:07:17 2012
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 23 Jul 2012 11:07:17 GMT
Message-Id: <201207231107.q6NB7Hak090051@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/169206  ipfw   [ipfw] ipfw does not flush entries in table
o conf/167822  ipfw   [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw   [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw   [ipw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw   [ipfw] [lo] [patch] loopback interface is not marking
f kern/163873  ipfw   [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw   [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw   [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o bin/65961    ipfw   [ipfw] ipfw2 memory corruption inside add()
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

46 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 25 18:21:07 2012
From: Luigi Rizzo
To: net@freebsd.org
Cc: ipfw@freebsd.org
Date: Wed, 25 Jul 2012 20:41:04 +0200
Message-ID: <20120725184104.GA35621@onelab2.iet.unipi.it>
Subject: PREVIEW - netmap-enabled ipfw

First and foremost: this is just a preview, only usable for testing now,
but very very close to working.

http://info.iet.unipi.it/~luigi/netmap/20120725-ipfw-user.tgz

At the above URL you can find a userspace version of ipfw that reads
packets from a netmap-compatible port (i.e. a netmap-supported interface,
or a port on a VALE bridge) and processes them through ipfw.
It builds and runs on both Linux and FreeBSD, and uses the ipfw sources
from today's HEAD. Right now the output is thrown away, but very shortly
the code will also send it to an output port.
The way it works is very simple (see also the picture below, drawn with
http://www.asciiflow.com/ ). The formerly-kernel-side part of the firewall
now runs in a userspace process (kipfw) and is controlled by a slightly
modified ipfw that routes the sockopt commands over TCP to localhost:5555
(hardwired). kipfw stores rules persistently, and also reads from a netmap
port.

The configuration below shows how to use pkt-gen to test the performance
of the system: you need to load the VALE-enabled netmap module, then in one
terminal run "kipfw vale-test", in another terminal use the ipfw that you
just built to add/delete/show stuff, and you can use netmap's pkt-gen to
generate traffic.

 +------------+
 |            |      +----------+               +----------------+
 |            |      |          |   tcp/5555    |                |
 |  pkt-gen   |      |   ipfw   +-------------->|     kipfw      |
 |            |      |          |               |                |
 |            |      +----------+               +----------------+
 +-----+------+                                         ^
       |                                                |
       |                                                |
       v                                                |
 +-----+------------------------------------------------+-----+
 |                                                            |
 |                       VALE bridge                          |
 |                                                            |
 +------------------------------------------------------------+

A quick test with a simple ruleset (4 rules, see below) shows a processing
speed of 9-10Mpps on one core. I think there is still room for a little bit
of improvement. Especially, we can now test the performance impact of
changes to the firewall code without the need for complex hardware setups.
> ipfw/ipfw show
connected to 127.0.0.1:5555
00100 30628621 1408916566 count ip from any to any dst-ip 10.1.0.1
00100        0          0 count ip from any to any dst-ip 10.1.0.2
00100        0          0 count ip from any to any dst-ip 10.1.0.3
65535 30628621 1408916566 allow ip from any to any

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 26 05:34:54 2012
From: Julian Elischer
To: Luigi Rizzo
Cc: ipfw@freebsd.org, net@freebsd.org
Date: Wed, 25 Jul 2012 22:34:39 -0700
Message-ID: <5010D6EF.9040805@freebsd.org>
In-Reply-To: <20120725184104.GA35621@onelab2.iet.unipi.it>
Subject: Re: PREVIEW - netmap-enabled ipfw

On 7/25/12 11:41 AM, Luigi Rizzo wrote:
> First and foremost: this is just a preview, only usable for testing now,
> but very very close to working.
>
> http://info.iet.unipi.it/~luigi/netmap/20120725-ipfw-user.tgz
>
> [...]
> connected to 127.0.0.1:5555
> 00100 30628621 1408916566 count ip from any to any dst-ip 10.1.0.1
> 00100 0 0 count ip from any to any dst-ip 10.1.0.2
> 00100 0 0 count ip from any to any dst-ip 10.1.0.3
> 65535 30628621 1408916566 allow ip from any to any

How do you handle rules that require being able to see routes and socket
owners?

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 26 05:54:59 2012
From: Luigi Rizzo
To: Julian Elischer
Cc: ipfw@freebsd.org, net@freebsd.org
Date: Thu, 26 Jul 2012 08:14:56 +0200
Message-ID: <20120726061456.GB42206@onelab2.iet.unipi.it>
In-Reply-To: <5010D6EF.9040805@freebsd.org>
Subject: Re: PREVIEW - netmap-enabled ipfw

On Wed, Jul 25, 2012 at 10:34:39PM -0700, Julian Elischer wrote:
> On 7/25/12 11:41 AM, Luigi Rizzo wrote:
> >First and foremost: this is just a preview, only usable for testing now,
> >but very very close to working.
> >
> > http://info.iet.unipi.it/~luigi/netmap/20120725-ipfw-user.tgz
> >
> >[...]
> > connected to 127.0.0.1:5555
> > 00100 30628621 1408916566 count ip from any to any dst-ip 10.1.0.1
> > 00100 0 0 count ip from any to any dst-ip 10.1.0.2
> > 00100 0 0 count ip from any to any dst-ip 10.1.0.3
> > 65535 30628621 1408916566 allow ip from any to any
> >
> how do you handle rules that require to be able to see routes and
> socket owners?

I don't, at least not at this level. Let me elaborate.

This project is meant to be used at very high packet rates, and in a
router/switch environment. Think of it as a first-level defense against
attacks, or a fast NAT device, which deals with the bulk of the traffic
and forwards the rest to the output interface or to the host stack.
At the next hop (e.g. in the host stack), you can still have another
firewall instance that does the more complex lookups such as socket
owners, routes and whatnot.

The next step would be to export forwarding information to userspace so
you can look up routes from there too. In principle it should not be that
hard to listen for updates on the routing socket and rebuild a forwarding
table to be looked up.

One could devise a similar strategy for sockets, providing an interface
for applications to query existing sockets (we have a sysctl now, I
believe) and be notified of creations/destructions of sockets (similar to
routing updates; I don't know if this is supported, though) and this will
make socket info available to userspace too.

cheers
luigi
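Luigi's suggestion above (listen on the routing socket and rebuild a forwarding table that a userspace firewall can look up) as an added example that is not part of the thread or of the netmap/ipfw code: a small C longest-prefix-match table fed by route events. The struct rt_msg is a constructed stand-in for already-parsed RTM_ADD/RTM_DELETE routing-socket messages; reading and parsing PF_ROUTE itself is assumed and not shown.

```c
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Added example, not from the thread or netmap/ipfw. A userspace forwarding
 * table rebuilt from route events; struct rt_msg stands in for parsed
 * RTM_ADD/RTM_DELETE messages (the PF_ROUTE reading is assumed, not shown). */
#define FIB_MAX 64
enum rt_op { RT_ADD, RT_DELETE };
struct rt_msg { enum rt_op op; const char *dst; int plen; const char *gw; };
struct fib_entry { uint32_t net, mask, gw; int used; };
static struct fib_entry fib[FIB_MAX];

/* dotted quad to host-order integer; 0 on parse failure */
uint32_t ip4(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1 ? ntohl(a.s_addr) : 0;
}
static uint32_t plen2mask(int plen) { return plen <= 0 ? 0 : 0xffffffffu << (32 - plen); }

/* Apply one route event. Returns 0 on success, -1 if a delete names an unknown
 * route or the table is full; in both failure cases the table is untouched. */
int fib_apply(const struct rt_msg *m) {
    uint32_t mask = plen2mask(m->plen), net = ip4(m->dst) & mask;
    for (int i = 0; i < FIB_MAX; i++) {
        if (!fib[i].used || fib[i].net != net || fib[i].mask != mask) continue;
        if (m->op == RT_DELETE) fib[i].used = 0;
        else fib[i].gw = ip4(m->gw);     /* same prefix again: update the gateway */
        return 0;
    }
    if (m->op == RT_DELETE) return -1;
    for (int i = 0; i < FIB_MAX; i++)
        if (!fib[i].used) { fib[i] = (struct fib_entry){ net, mask, ip4(m->gw), 1 }; return 0; }
    return -1;
}

/* Longest-prefix match: a longer mask is numerically larger, so the most
 * specific matching entry wins. Returns the gateway (host order), 0 if none. */
uint32_t fib_lookup(uint32_t dst) {
    int best = -1;
    for (int i = 0; i < FIB_MAX; i++)
        if (fib[i].used && (dst & fib[i].mask) == fib[i].net &&
            (best < 0 || fib[i].mask > fib[best].mask)) best = i;
    return best < 0 ? 0 : fib[best].gw;
}

/* Replay a constructed event sequence (default route, a /16, a /24 that is
 * added and then withdrawn) and return the gateway chosen for 10.1.2.7. */
uint32_t fib_demo(void) {
    const struct rt_msg ev[] = {
        { RT_ADD, "0.0.0.0", 0, "10.1.0.254" }, { RT_ADD, "10.1.0.0", 16, "10.1.0.1" },
        { RT_ADD, "10.1.2.0", 24, "10.1.2.1" }, { RT_DELETE, "10.1.2.0", 24, NULL },
    };
    for (size_t i = 0; i < sizeof ev / sizeof ev[0]; i++) fib_apply(&ev[i]);
    return fib_lookup(ip4("10.1.2.7"));
}
```

After the withdrawn /24, the lookup falls back to the covering /16 rather than to the default route, which is the behaviour a userspace table must preserve to agree with the kernel FIB.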