From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 18 11:59:29 2011
Message-ID: <4EEDD566.8020609@FreeBSD.org>
Date: Sun, 18 Dec 2011 15:58:30 +0400
From: "Alexander V. Chernikov"
To: Pawel Tyll
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: IPFW tables, dummynet and IPv6
In-Reply-To: <1674097252.20111218125051@nitronet.pl>

Pawel Tyll wrote:
> Hi lists,
>
> Are there any plans to implement IPv6 tables in ipfw? It would seem
> that our gov. may want to force us into IPv6 in 6 months ;)

I've got a working implementation for IPv4+IPv6 and interface tables:

15:56 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 2 list
1.2.3.4/30 0
2a02:978::/64 0

15:16 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 4 list
em4/em4 20000
vlan144/vlan144 10000
vlan145/vlan145 11000
vlan146/vlan146 12000

I plan to commit it today/tomorrow.
8.2-S diff will be available, too.

> Cheers.

From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 18 12:04:32 2011
Message-ID: <517758919.20111218130421@nitronet.pl>
Date: Sun, 18 Dec 2011 13:04:21 +0100
From: Pawel Tyll
To: "Alexander V. Chernikov"
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: IPFW tables, dummynet and IPv6
In-Reply-To: <4EEDD566.8020609@FreeBSD.org>

Hi Alexander,

> I've got working implementation for IPv4+IPv6 and interface tables:

Lately every time I have some kind of problem, you come with a solution
ready :> Thanks for the heads-up!

From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 18 12:08:33 2011
Message-ID: <1674097252.20111218125051@nitronet.pl>
Date: Sun, 18 Dec 2011 12:50:51 +0100
From: Pawel Tyll
To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: IPFW tables, dummynet and IPv6

Hi lists,

Are there any plans to implement IPv6 tables in ipfw? It would seem
that our gov. may want to force us into IPv6 in 6 months ;)

Cheers.

From owner-freebsd-ipfw@FreeBSD.ORG Sun Dec 18 18:34:50 2011
Date: Sun, 18 Dec 2011 10:09:18 -0800
From: Kevin Oberman
To: "Alexander V. Chernikov"
Cc: Pawel Tyll, freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPFW tables, dummynet and IPv6
In-Reply-To: <4EEDD566.8020609@FreeBSD.org>

On Sun, Dec 18, 2011 at 3:58 AM, Alexander V. Chernikov wrote:
> Pawel Tyll wrote:
>> Hi lists,
>>
>> Are there any plans to implement IPv6 tables in ipfw? It would seem
>> that our gov. may want to force us into IPv6 in 6 months ;)
> I've got working implementation for IPv4+IPv6 and interface tables:
>
> 15:56 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 2 list
> 1.2.3.4/30 0
> 2a02:978::/64 0
>
> 15:16 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 4 list
> em4/em4 20000
> vlan144/vlan144 10000
> vlan145/vlan145 11000
> vlan146/vlan146 12000
>
> I plan to commit it today/tomorrow.
> 8.2-S diff will be available, too

Thanks! I've been wanting this for a long time, as working around it
involved some really, really ugly hacks if you must support IPv6 (which
we do).
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 19 11:07:08 2011
Message-Id: <201112191107.pBJB77Gx010976@freefall.freebsd.org>
Date: Mon, 19 Dec 2011 11:07:07 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       IPFIREWALL does not allow specify rules with ICMP code
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
f kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

40 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 20 01:19:48 2011
Date: Mon, 19 Dec 2011 17:19:46 -0800
From: alan yang
To: araujo@freebsd.org
Cc: freebsd-ipfw@freebsd.org, Ian Smith, Sergey Matveychuk
Subject: Re: ipfw dscp support
References: <4EDE2739.1040104@FreeBSD.org> <20111208132002.R16498@sola.nimnet.asn.au> <20111209021345.Y11090@sola.nimnet.asn.au>

Hi Marcelo,

Thanks for the modip work! I am trying to see:

- ipfw rule to divert traffic for ipfw-classifyd
- ipfw-classifyd to classify specific traffic: ftp, sip, ...etc.
- ipfw-classifyd to reinject traffic with sin_port set according
  to application flow (ftp == 1000, sip == 1001, ... )
- ipfw rule modip module to set DSCP
- ipfw rule to send traffic to appropriate ALTQ queue

with the following ipfw config:

1) pfctl to create ALTQ queue: pf.conf

   altq on em0 cbq bandwidth 5Mb queue { ftp }
   queue ftp bandwidth 10% cbq(default)

   reload pf.conf: pfctl -f /etc/pf.conf

2) ipfw-classifyd

   /usr/local/sbin/ipfw-classifyd p 7777

3) add ipfw rule

   /* enable ALTQ */
   ipfw enable ALTQ

   ipfw add 100 divert 7777 tcp from any to any via em0
   ipfw add 101 divert 7777 udp from any to any via em0
   ipfw add 1010 modip dscp:AF11 ip from any to any out diverted
   ipfw add 1020 allow altq ftp ip from any to any out diverted
   ipfw add 64000 allow altq root_em0 ip from any to any via em0

   (one_pass was enabled in the above testing case.)
   65535 deny ip from any to any

4) observe packet flow through the ALTQ ftp queue

   ipfw show - list the packets that matched the firewall rules
   pfctl -s queue -v - view the packets captured by the ALTQ queue

With ICMP and FTP traffic:

1) icmp traffic matches rule 64000, traffic directed to the root_em0 queue
2) ftp traffic matches rules 100, 1010, 1020, 64000; all match

Not sure how to configure ipfw rules so that ftp traffic would match
rules 100, 1010, 1020, but not 64000?

Thanks in advance!
alan

From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 20 06:13:07 2011
Message-ID: <20111220153458.I64681@sola.nimnet.asn.au>
Date: Tue, 20 Dec 2011 17:13:03 +1100 (EST)
From: Ian Smith
To: alan yang
Cc: freebsd-ipfw@freebsd.org, araujo@freebsd.org, Sergey Matveychuk
Subject: Re: ipfw dscp support
References: <4EDE2739.1040104@FreeBSD.org> <20111208132002.R16498@sola.nimnet.asn.au> <20111209021345.Y11090@sola.nimnet.asn.au>

On Mon, 19 Dec 2011, alan yang wrote:
> Hi Marcelo,
>
> Thanks for the modip work!

I still haven't found any docs like the manpage patches or even a clear
description.
I know such things seem obvious to the programmer :) but a few examples
really don't cut it for me, even with reference to RFCs, and I doubt this
could ever be committed without manpage updates.

> I am trying to see:
>
> - ipfw rule to divert traffic for ipfw-classifyd
> - ipfw-classifyd to classify specific traffic: ftp, sip, ...etc.
> - ipfw-classifyd to reinject traffic with sin_port set according
>   to application flow (ftp == 1000, sip == 1001, ... )

But you show no rules just above 1000 and 1001 that would match these?
See below for some caveats re rule numbering when using divert sockets.

> - ipfw rule modip module to set DSCP
> - ipfw rule to send traffic to appropriate ALTQ queue
>
> with the following ipfw config:
>
> 1) pfctl to create ALTQ queue: pf.conf
>
>    altq on em0 cbq bandwidth 5Mb queue { ftp }
>    queue ftp bandwidth 10% cbq(default)
>
>    reload pf.conf: pfctl -f /etc/pf.conf

I really can't comment; no experience with pf or ALTQ, only dummynet.

> 2) ipfw-classifyd
>
>    /usr/local/sbin/ipfw-classifyd p 7777
>
> 3) add ipfw rule
>
>    /* enable ALTQ */
>    ipfw enable ALTQ
>
>    ipfw add 100 divert 7777 tcp from any to any via em0
>    ipfw add 101 divert 7777 udp from any to any via em0

Rather than relying on 'diverted', you may do better using the general
ipfw-classifyd method, eg where your protocol definitions point to (as per
the examples) rule 1000, then after the divert rules, but before or at
rule 1000 at latest, deal with traffic NOT diverted by classifyd, by
allowing, denying, piping or perhaps best just 'skipto somewhere_else' to
get it out of the way.

Also be aware that the 'target' rule given to ipfw-classifyd is the rule
number PAST which ipfw will resume scanning on a match; moreover, the
next rule ipfw will run is not the NEXT rule, but the NEXT HIGHER NUMBERED
rule - either after the divert rule or after the classify-match rule - so
be sure not to use sets of same-numbered rules, either for diverts or as
target rules.

Not that you have here, but it's something to watch out for; if in doubt,
space your rules further apart.

>    ipfw add 1010 modip dscp:AF11 ip from any to any out diverted
>    ipfw add 1020 allow altq ftp ip from any to any out diverted
>    ipfw add 64000 allow altq root_em0 ip from any to any via em0
>
>    (one_pass was enabled in the above testing case.)
>    65535 deny ip from any to any

I'm not sure whether ftp is going to work with this at all. Passive or
active ftp? ./ipfw-classifyd/l7-protocols/protocols/ftp.pat begins:

# FTP - File Transfer Protocol - RFC 959
# Pattern attributes: great notsofast fast
# Protocol groups: document_retrieval ietf_internet_standard
# Wiki: http://protocolinfo.org/wiki/FTP
#
# Usually runs on port 21. Note that the data stream is on a dynamically
# assigned port, which means that you will need the FTP connection
# tracking module in your kernel to usefully match FTP data transfers.

What's this 'FTP connection tracking module' about? Do you have this? To
me this sounds like Linux stuff, from whence the l7-protocols come,
perhaps ip_conntrack_ftp as used with ip_tables?, but I admit to not
following ipfw-classifyd in this respect well at all .. I think it only
uses these for pattern-matching, but would be happy to be corrected.

Eg modules on a linux firewall/nat box I'm doomed to keeping an eye on:

ip_nat_quake3            1800   0 (unused)
ip_conntrack_quake3      1896   1
ip_nat_proto_gre         1092   0 (unused)
ip_nat_pptp              2148   0 (unused)
ip_conntrack_pptp        2601   1
ip_conntrack_proto_gre   1973   0
ip_nat_mms               2672   0 (unused)
ip_conntrack_mms         2832   1
ip_nat_irc               1968   0 (unused)
ip_conntrack_irc         2768   1
ip_nat_h323              2372   0 (unused)
ip_conntrack_h323        2153   1
ip_nat_ftp               2448   0 (unused)
ip_conntrack_ftp         3568   1
iptable_nat             15878   8
ip_conntrack            18928   7
ip_tables               10976  14

> 4) observe packet flow through the ALTQ ftp queue
>
>    ipfw show - list the packets that matched the firewall rules
>    pfctl -s queue -v - view the packets captured by the ALTQ queue
>
> With ICMP and FTP traffic:
>
> 1) icmp traffic matches rule 64000, traffic directed to the root_em0 queue

As you've only diverted tcp and udp traffic above, no surprise there.

> 2) ftp traffic matches rules 100, 1010, 1020, 64000; all match
>
> Not sure how to configure ipfw rules so that ftp traffic would match
> rules 100, 1010, 1020, but not 64000?

Me neither, sorry. Perhaps there's a way using stateful dynamic rules?
cheers, Ian

From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 20 16:56:42 2011
Message-ID: <20111220163355.GA87584@DataIX.net>
Date: Tue, 20 Dec 2011 11:33:55 -0500
From: Jason Hellenthal
To: "Alexander V. Chernikov"
Cc: Pawel Tyll, freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: IPFW tables, dummynet and IPv6
In-Reply-To: <4EEDD566.8020609@FreeBSD.org>

On Sun, Dec 18, 2011 at 03:58:30PM +0400, Alexander V. Chernikov wrote:
> Pawel Tyll wrote:
> > Hi lists,
> >
> > Are there any plans to implement IPv6 tables in ipfw? It would seem
> > that our gov. may want to force us into IPv6 in 6 months ;)
> I've got working implementation for IPv4+IPv6 and interface tables:
>
> 15:56 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 2 list
> 1.2.3.4/30 0
> 2a02:978::/64 0
>
> 15:16 [0] zfsbase# /usr/obj/usr/src/sbin/ipfw/ipfw table 4 list
> em4/em4 20000
> vlan144/vlan144 10000
> vlan145/vlan145 11000
> vlan146/vlan146 12000
>
> I plan to commit it today/tomorrow.
> 8.2-S diff will be available, too
>

1;

-- 
;s =;

From owner-freebsd-ipfw@FreeBSD.ORG Tue Dec 20 18:40:15 2011
Message-Id: <201112201840.pBKIeF5k010627@freefall.freebsd.org>
Date: Tue, 20 Dec 2011 18:40:15 GMT
From: Коньков Евгений
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/129093: [ipfw] ipfw nat must not drop packets

The following reply was made to PR kern/129093; it has been noted by GNATS.

From: Коньков Евгений
To: bug-followup@FreeBSD.org, kes-kes@yandex.ru
Subject: Re: kern/129093: [ipfw] ipfw nat must not drop packets
Date: Tue, 20 Dec 2011 20:38:52 +0200

Seems to work on the latest FreeBSD versions (9 and 10).

From owner-freebsd-ipfw@FreeBSD.ORG Wed Dec 21 00:20:53 2011
Date: Tue, 20 Dec 2011 16:20:51 -0800
From: alan yang
To: freebsd-ipfw@freebsd.org
Cc: Ian Smith, araujo@freebsd.org, Sergey Matveychuk
Subject: Re: ipfw dscp support
In-Reply-To: <20111220153458.I64681@sola.nimnet.asn.au>

-----
ipfw add 100 divert 7777 tcp from any to any via em0
ipfw add 101 divert 7777 udp from any to any via em0
ipfw add 500 allow altq root_em0 ip from any to any via em0
ipfw add 1010 modip dscp:AF11 ip from any to any out diverted
ipfw add 1020 allow altq ftp ip from any to any out diverted
65535 deny ip from any to any
-----

With the above ipfw rules, I expect it would:

1) divert tcp and udp traffic to ipfw-classifyd; other traffic goes
   through altq root_em0 by matching rule 500
2) have ipfw-classifyd reinject diverted traffic to match rules 1010, 1020

Reading ipfw-classifyd, the divert socket sendto() is done with the
packet's sin_port set to flow->if_fwrule (ftp == 1000 for instance), so I
was expecting ipfw would continue with the next rule, which is 1010 in the
above. But ipfw seems to have continued with matching rule 500.

Wonder am I missing something ...?
( http://www.hosierystreet.com/system/scripts/search.cgi?&p=3D1&&txtSearch= =3D&search_type=3Din_all&category=3D21&Company=3DVassarette&price_from=3D&= price_to=3D&command=3Dadvance_search&action=3Dsearch&cmdGetCustomers=3DGet= +Result&per_page=3D90&sort_by=3DBrand#Search&refer=3Dem_1222i ) ------------------------- PLEASE CHECK OUT OUR VANITY FAIR BRA LINE!!! ( http://www.hosierystreet.com/system/scripts/search.cgi?txtSearch=3D&search= _type=3Din_all&category=3D21&Company=3DVanity+Fair&price_from=3D&price_to= =3D&command=3Dadvance_search&action=3Dsearch&cmdGetCustomers=3DGet+Result&= refer=3Dem_1222i ) MORE INFO >>> CLICK HERE >>> ( http://www.hosierystreet.com/system/scripts/search.cgi?txtSearch=3D&search= _type=3Din_all&category=3D21&Company=3DVanity+Fair&price_from=3D&price_to= =3D&command=3Dadvance_search&action=3Dsearch&cmdGetCustomers=3DGet+Result&= refer=3Dem_1222i ) _____________________________ Unsubscribe / Change Profile: http://ymlp223.net/ugmjwyjqgsgymquhgesh Powered by YourMailingListProvider
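The reinjection path described in the ipfw-classifyd message above, as an added example (this is not code from the post, from ipfw-classifyd or from FreeBSD): a minimal divert(4) client that reads one diverted packet and sends it back with sin_port set to the rule after which ipfw should resume, together with resume_rule(), a small model of the lookup ipfw performs on reinjection (it continues at the first rule numbered above sin_port). The rule numbers are the six from the rule set in the post; the function names, the divert port handling and the treatment of the rule number in sin_port as a host-order value are this example's assumptions. With this rule set, reinjecting with sin_port 1000 lands on rule 1010, while reinjecting with the diverting rule's own number (100 or 101, the value recvfrom() reports) lands on rule 500.

```c
/*
 * Added example, not code from the mailing list post or from ipfw-classifyd.
 * Models where ipfw resumes after a divert(4) sendto() and shows the
 * recvfrom()/sendto() pair a classifier daemon uses. Assumptions are marked.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258   /* FreeBSD's value; not provided on other platforms */
#endif

/* Rule numbers from the rule set in the post, in ipfw traversal order. */
static const uint16_t RULESET[] = { 100, 101, 500, 1010, 1020, 65535 };
#define NRULES (sizeof(RULESET) / sizeof(RULESET[0]))

/*
 * ipfw resumes a reinjected packet at the first rule whose number is
 * strictly greater than the sin_port given to sendto() (the kernel looks
 * up rule number sin_port + 1 and walks forward). Returns 0 if none.
 */
uint16_t resume_rule(uint16_t sin_port)
{
    for (size_t i = 0; i < NRULES; i++)
        if (RULESET[i] > sin_port)
            return RULESET[i];
    return 0;
}

/* Open a divert socket bound to `port` (7777 in the post's rules). */
int open_divert(uint16_t port)
{
    struct sockaddr_in bind_addr;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0)
        return -1;
    memset(&bind_addr, 0, sizeof(bind_addr));
    bind_addr.sin_family = AF_INET;
    bind_addr.sin_port = htons(port);
    bind_addr.sin_addr.s_addr = INADDR_ANY;
    if (bind(fd, (struct sockaddr *)&bind_addr, sizeof(bind_addr)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Read one diverted packet; *from receives the diverting rule number in sin_port. */
ssize_t read_diverted(int fd, uint8_t *buf, size_t len, struct sockaddr_in *from)
{
    socklen_t fromlen = sizeof(*from);
    return recvfrom(fd, buf, len, 0, (struct sockaddr *)from, &fromlen);
}

/*
 * Reinject so that ipfw resumes after rule `after_rule`. The address and the
 * sin_zero interface name are copied from recvfrom() so the packet keeps its
 * direction. Assumption: the rule number goes into sin_port in host order,
 * the same form in which the kernel delivered it.
 */
ssize_t reinject(int fd, const uint8_t *buf, size_t len,
                 const struct sockaddr_in *from, uint16_t after_rule)
{
    struct sockaddr_in to = *from;
    to.sin_port = after_rule;
    return sendto(fd, buf, len, 0, (const struct sockaddr *)&to, sizeof(to));
}

int main(void)
{
    const uint16_t probes[] = { 100, 101, 1000, 1010 };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("sendto() with sin_port %u -> ipfw resumes at rule %u\n",
               (unsigned)probes[i], (unsigned)resume_rule(probes[i]));

    int fd = open_divert(7777);
    if (fd < 0) {
        puts("no divert socket here (needs FreeBSD, root and the divert rules)");
        return 0;
    }
    uint8_t pkt[65535];
    struct sockaddr_in from;
    ssize_t n = read_diverted(fd, pkt, sizeof(pkt), &from);
    if (n > 0)
        reinject(fd, pkt, (size_t)n, &from, 1000);  /* resume after 1000, i.e. at 1010 */
    close(fd);
    return 0;
}
```

On a FreeBSD host the socket part only works as root with the divert rules loaded; elsewhere open_divert() returns -1 and only the resume_rule() table is printed. The useful check when a classifier appears to land on the wrong rule is to log the sin_port actually passed to sendto(): reinjecting with the value recvfrom() returned (100 or 101 here) is, by this model, exactly what makes rule 500 the next match.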