From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 29 11:06:46 2013
Date: Mon, 29 Apr 2013 11:06:46 GMT
Message-Id: <201304291106.r3TB6k5x018161@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
List-Id: IPFW Technical Discussions

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/177948  ipfw       [ipfw] ipfw fails to parse port ranges (p1-p2) for udp
o kern/176503  ipfw       [ipfw] ipfw layer2 problem
o kern/169206  ipfw       [ipfw] ipfw does not flush entries in table
o conf/167822  ipfw       [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw       [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw       [ipfw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw       [ipfw] [lo] [patch] loopback interface is not marking
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
f kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

41 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Thu May 2 07:21:17 2013
Date: Thu, 02 May 2013 07:21:04 +0000
From: "jabbaarbarelly (via Twitter)"
To: freebsd-ipfw@freebsd.org
Subject: jabbaarbarelly sent you an invitation
Message-Id: <20130502072117.A9071C1E@hub.freebsd.org>

jabbaarbarelly sent you an invitation

Twitter helps you stay connected with what's happening right now and with
the people and organizations you care about.

Accept invitation
https://twitter.com/i/b6539abb-c1f7-4bde-9a46-1d7fef3ac4a6

------------------------
This message was sent by Twitter on behalf of Twitter users who entered
your email address to invite you to Twitter.

Unsubscribe: https://twitter.com/i/o?t=1&iid=3d328716-0202-48fe-bf15-1ec6877bae40&uid=0&c=ZNV%2BN6G7N7j3H7rtctWKvJ7wxWM4f1r2qRqDmygVoPY%3D&nid=9+26
Need help? https://support.twitter.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 3 18:02:31 2013
Date: Fri, 3 May 2013 14:02:09 -0400
From: Korodev
To: "freebsd-ipfw@freebsd.org"
Subject: IPFW Table Size

I currently have some firewall/routing devices running 8.2 and 9.1 with ipfw
and I'm interested in blocking large groups of IP addresses.

The man pages explain that the table lookup is implemented using a radix
tree, but what I'm most interested in is the performance differences in
using a single table as opposed to multiple tables split up with N addresses
each and what the optimal N (number of addresses in each table) would be.

\\korodev

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 3 19:33:16 2013
Date: Fri, 3 May 2013 12:33:14 -0700
From: Michael Sierchio
To: "freebsd-ipfw@freebsd.org"
Subject: Re: IPFW Table Size

Better to have a single table - there's a min penalty for each lookup, +
lg(n) or so.

You can use the second parameter for interesting things, like a rule number
to skipto

E.g.

ipfw add 05000 skipto tablearg ip from any to me in recv $if_wan lookup src-ip $table_number

- M

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 3 19:43:52 2013
Date: Fri, 3 May 2013 12:43:51 -0700
From: Freddie Cash
To: Michael Sierchio
Cc: "freebsd-ipfw@freebsd.org"
Subject: Re: IPFW Table Size

On Fri, May 3, 2013 at 12:33 PM, Michael Sierchio wrote:
> Better to have a single table - there's a min penalty for each lookup, +
> lg(n) or so.
>
> You can use the second parameter for interesting things, like a rule number
> to skipto
>
> E.g.
>
> ipfw add 05000 skipto tablearg ip from any to me in recv $if_wan lookup
> src-ip $table_number

First time I've seen the "lookup" syntax. There's next to no information on
it in the ipfw man page, and the info there doesn't really make it clear how
to use it.

Can "lookup" syntax be used as an alternative to "table($number)" syntax
(which is a pain to enter on command-lines)? Or are they completely
separate? Can the same table be used for both styles of lookups?

From what I can tell, a table can only have 2 items per entry: IP and a
number (the tablearg). So where is the "lookup" getting src-ip/dest-ip/etc
from?

What's the difference between:

ipfw add 05000 skipto tablearg ip from any to me in recv $if_wan lookup src-ip $table_number

ipfw add 05000 skipto tablearge ip from table\($table_number\) to my in recv $if_wan

--
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 3 20:13:48 2013
Date: Fri, 3 May 2013 16:13:21 -0400
From: Korodev
To: Michael Sierchio
Cc: "freebsd-ipfw@freebsd.org"
Subject: Re: IPFW Table Size

> Better to have a single table - there's a min penalty for each lookup, +
> lg(n) or so.
>
> You can use the second parameter for interesting things, like a rule number
> to skipto
>
> E.g.
>
> ipfw add 05000 skipto tablearg ip from any to me in recv $if_wan lookup
> src-ip $table_number

Interesting. I've never seen that syntax before. I'm currently using a
simple rule like this:

ipfw add 05000 deny log ip from any to any src-ip table(2)

Is there any reason I should avoid doing it this way?

I should also note, I'm running ipfw inline (using if_bridge), and I'm
easily looking at several thousand addresses in the table. Is there any
known limitation on the number of entries in a table I should be aware of?
It sounds like I'll be fine with dumping all addresses in a single table.

\\korodev

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 3 20:13:48 2013
Date: Fri, 3 May 2013 13:13:47 -0700
From: Michael Sierchio
To: "freebsd-ipfw@freebsd.org"
Subject: Re: IPFW Table Size

The syntax is described in the man page, but there are no examples. My
example works ;-)

The first entry is a network, which might have a /32, in which case it's a
single IP addr.

On Fri, May 3, 2013 at 12:43 PM, Freddie Cash wrote:
>
> On Fri, May 3, 2013 at 12:33 PM, Michael Sierchio wrote:
>
>> Better to have a single table - there's a min penalty for each lookup, +
>> lg(n) or so.
>>
>> You can use the second parameter for interesting things, like a rule
>> number
>> to skipto
>>
>> E.g.
>>
>> ipfw add 05000 skipto tablearg ip from any to me in recv $if_wan lookup
>> src-ip $table_number
>>
>
> First time I've seen the "lookup" syntax. There's next to no information
> on it in the ipfw man page, and the info there doesn't really make it clear
> how to use it.
>
> Can "lookup" syntax be used as an alternative to "table($number)" syntax
> (which is a pain to enter on command-lines)? Or are they completely
> separate? Can the same table be used for both styles of lookups?
>
> From what I can tell, a table can only have 2 items per entry: IP and a
> number (the tablearg). So where is the "lookup" getting src-ip/dest-ip/etc
> from?
>
> What's the difference between:
>
> ipfw add 05000 skipto tablearg ip from any to me in recv $if_wan lookup
> src-ip $table_number
>
> ipfw add 05000 skipto tablearge ip from table\($table_number\) to my in
> recv $if_wan
>
> --
> Freddie Cash
> fjwcash@gmail.com
>

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 3 20:16:01 2013
Date: Fri, 3 May 2013 13:16:00 -0700
From: Michael Sierchio
To: Korodev
Cc: "freebsd-ipfw@freebsd.org"
Subject: Re: IPFW Table Size

Oh, it's not a bad idea to have different tables for different purposes - a
whitelist and a blacklist, for example.

The syntax I'd use in your example is

ipfw add 05000 deny log ip from table\(2\) to any

and probably

ipfw add 05000 deny log ip from table\(2\) to any in recv $interface

From owner-freebsd-ipfw@FreeBSD.ORG Fri May 3 20:35:08 2013
Date: Fri, 3 May 2013 13:35:00 -0700
From: Freddie Cash
To: Michael Sierchio
Cc: "freebsd-ipfw@freebsd.org"
Subject: Re: IPFW Table Size

On Fri, May 3, 2013 at 1:13 PM, Michael Sierchio wrote:
> The syntax is described in the man page, but there are no examples. My
> example works ;-)

Yes, I know it's in the man page, but the description is beyond vague, and
there are no usage examples, nor comparisons to the "normal" table(number)
syntax. Hence my questions. :)

> The first entry is a network, which might have a /32, in which case it's a
> single IP addr.
>
> > What's the difference between:
> >
> > ipfw add 05000 skipto tablearg ip from any to me in recv $if_wan lookup
> > src-ip $table_number
> >
> > ipfw add 05000 skipto tablearge ip from table\($table_number\) to my in
> > recv $if_wan

So, the difference would be that you can use table(number) anywhere you can
use an IP, but "lookup" syntax goes at the end of a rule and the result of
the lookup is then put into the normal rule in the field specified? Meaning,
the two examples above are identical (minus my just-noticed typos)?

Basically, the "lookup" syntax is a way of doing variable expansion in the
normal rule syntax.

1. Do the lookup, get a result
2. Replace in main rule with result from lookup
3. Evaluate the rule and compare the packet to it.

Interesting. This would clean up the syntax of my rules-creation scripts and
make it easier to manually type rules at the CLI.

Anyone feel like updating the man page to make the syntax easier to
understand, and to provide some usage examples? ;)

--
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 4 21:24:26 2013
Date: Sat, 4 May 2013 21:24:25 GMT
Message-Id: <201305042124.r44LOPF3078094@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/178317: [ipfw] ipfw options need to specifed in specific order

Old Synopsis: IPFW options need to specifed in specific order
New Synopsis: [ipfw] ipfw options need to specifed in specific order

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat May 4 21:23:57 UTC 2013
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=178317
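As an added example for the "IPFW Table Size" thread above (not code from any of the posters): a POSIX sh generator that loads a blocklist into one ipfw table, as Michael recommends, validates every entry before it reaches ipfw, and emits the dispatch rule in both spellings that were compared, Michael's `lookup src-ip N` and Freddie's `table\(N\)`, each with `skipto tablearg` so that the per-entry value chooses the handler rule (Michael's whitelist/blacklist split, done inside one table). Table number 2, interface em0, rule numbers 5000 to 5300 and the entry list are constructed assumptions; the script prints the commands instead of running them so the ruleset can be reviewed before it is saved to a file for ipfw to load.

```shell
#!/bin/sh
# Added example, not code from the thread: build an ipfw blocklist ruleset
# around ONE table and dispatch on the table value via skipto tablearg.
# Commands are printed, not executed, so they can be reviewed first.
# Assumed values (not from the thread): table 2, interface em0, dispatch
# rule 5000, handler rules 5100/5200/5300 and the sample entries below.

# Constructed sample blocklist, one "prefix value" per line. The value is
# the rule number skipto jumps to; a /32 entry is a single host. The last
# three lines are deliberately malformed to exercise the validation.
BLOCKLIST='192.0.2.0/24 5100
198.51.100.17/32 5200
203.0.113.9/32 5300
10.0.0.0 5100
192.0.2.300/32 5100
203.0.113.0/25 70000'

# valid_entry PREFIX VALUE: returns 0 if the entry is safe to hand to
# "ipfw table add". This script insists on an explicit /len and on a value
# in 1..65535, because the value ends up as a skipto target rule number.
valid_entry() {
    ve_prefix=$1
    ve_value=$2
    case "$ve_prefix" in
        */*) ;;
        *) return 1 ;;
    esac
    ve_addr=${ve_prefix%/*}
    ve_plen=${ve_prefix#*/}
    case "$ve_plen" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$ve_plen" -gt 32 ]; then return 1; fi
    if ! printf '%s\n' "$ve_addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        return 1
    fi
    ve_ifs=$IFS
    IFS=.
    set -- $ve_addr                 # split into the four octets
    IFS=$ve_ifs
    for ve_octet in "$@"; do
        if [ "$ve_octet" -gt 255 ]; then return 1; fi
    done
    case "$ve_value" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$ve_value" -lt 1 ] || [ "$ve_value" -gt 65535 ]; then return 1; fi
    return 0
}

# emit_table TABLE: one "ipfw table TABLE add prefix value" per valid entry;
# rejected entries are reported on stderr and never reach ipfw.
emit_table() {
    printf '%s\n' "$BLOCKLIST" | while read -r prefix value; do
        [ -n "$prefix" ] || continue
        if valid_entry "$prefix" "$value"; then
            printf '%s\n' "ipfw table $1 add $prefix $value"
        else
            printf '%s\n' "rejected entry: $prefix $value" >&2
        fi
    done
}

# emit_dispatch TABLE IFACE STYLE: the rule that consults the table.
# STYLE "lookup" is Michael's spelling, "table" is Freddie's; both match
# only when the source address is in the table and both set tablearg from
# the entry's value, which skipto then uses as the target rule number.
emit_dispatch() {
    case "$3" in
        lookup) printf '%s\n' "ipfw add 5000 skipto tablearg ip from any to any in recv $2 lookup src-ip $1" ;;
        table)  printf '%s\n' "ipfw add 5000 skipto tablearg ip from table\\($1\\) to any in recv $2" ;;
        *)      printf '%s\n' "unknown dispatch style: $3" >&2; return 1 ;;
    esac
}

# emit_ruleset TABLE IFACE STYLE: table entries, the dispatch rule, a bypass
# so that sources NOT in the table step over the handlers, then the handlers
# that the table values name (one table, several purposes).
emit_ruleset() {
    emit_table "$1"
    emit_dispatch "$1" "$2" "$3"
    printf '%s\n' "ipfw add 5010 skipto 6000 ip from any to any"
    printf '%s\n' "ipfw add 5100 deny log ip from any to any"   # value 5100: logged drop
    printf '%s\n' "ipfw add 5200 deny ip from any to any"       # value 5200: silent drop
    printf '%s\n' "ipfw add 5300 allow ip from any to any"      # value 5300: whitelisted
}

# Run directly: print the ruleset for review. Rule 6000 onward is the
# site's normal policy and is not generated here.
emit_ruleset 2 em0 lookup
```

The 5010 bypass rule matters: without it, a packet whose source is not in the table would fail the dispatch rule and fall straight into the handler rules, and 5100 would drop it. The value range check is this script's own choice, made because a table value is used as a jump target; ipfw itself will accept entries this script rejects, so the validation is about keeping typos in a blocklist file from silently changing firewall behaviour.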