From owner-freebsd-ipfw@FreeBSD.ORG Sun Feb 27 17:30:13 2011
Message-Id: <201102271730.p1RHUDrf024142@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Jeff Kletsky
Subject: Re: kern/143653: [ipfw] [patch] ipfw nat redirect_port "buf is too small" error

The following reply was made to PR kern/143653; it has been noted by GNATS.

From: Jeff Kletsky
To: bug-followup@FreeBSD.org, dima_bsd@inbox.lv
Subject: Re: kern/143653: [ipfw] [patch] ipfw nat redirect_port "buf is too small" error
Date: Sun, 27 Feb 2011 09:08:58 -0800

Confirmed to be a problem on RELEASE-8.2 as well. 17 redirect_port lines are too many; reducing to 10 allowed the firewall to load.

Machine is a firewall and redirects ssh to several internal hosts, as well as other services for several domains.
This is *exactly* the kind of host I would like to be able to maintain solely with freebsd-update, without having sources and compilers on the filesystem.

From owner-freebsd-ipfw@FreeBSD.ORG Sun Feb 27 21:10:11 2011
Message-Id: <201102272110.p1RLABxk062415@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Jeff Kletsky
Subject: Re: kern/143653: [ipfw] [patch] ipfw nat redirect_port "buf is too small" error

The following reply was made to PR kern/143653; it has been noted by GNATS.

From: Jeff Kletsky
To: bug-followup@FreeBSD.org, dima_bsd@inbox.lv
Subject: Re: kern/143653: [ipfw] [patch] ipfw nat redirect_port "buf is too small" error
Date: Sun, 27 Feb 2011 13:01:12 -0800

Under some situations, this can cause a *kernel panic* with no automatic reboot (it just hangs on screen; HW reset required). Additionally, the firewall script being executed has zero-byte length on reboot.
In my case, it was 15 redirect rules entered. RELEASE-8.2 amd64.

Copying by hand from the screen:

    unknown redirect mode: 0
    panic: LibAliasRedirect* returned NULL
    cpuid = 0

The stack backtrace includes:

    kdb_backtrace+0x5e
    panic+0x187
    ipfw_nat_cfg+0x35a
    ipfw_ctl+0x211
    rip_ctloutput+0x9f
    sosetopt+0x42
    kern_setsockopt+0xc0
    setsockopt+0x22
    syscallenter+0x1e5
    syscall+0x4b
    Xfast_syscall+0xe2

Kernel dump and configuration files are now available in http://wildside.wagsky.com/pr143653/

Should be able to replicate by installing RELEASE-8.2 and those config files (adjusting as needed for the two network interfaces) and copying twoport.crashes to the target of the twoport symlink.

    [root@port7 /var/crash]# uname -a
    FreeBSD port7.pn.wagsky.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 28 11:07:01 2011
Date: Mon, 28 Feb 2011 11:07:00 GMT
Message-Id: <201102281107.p1SB70ij011995@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/153415  ipfw  [ipfw] [patch] Port numbers always zero in dynamic IPF
o bin/153252   ipfw  [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw  IPFIREWALL does not allow specify rules with ICMP code
o kern/152887  ipfw  [ipfw] Can not set more then 1024 buckets with buckets
o kern/152113  ipfw  [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/150798  ipfw  [ipfw] ipfw2 fwd rule matches packets but does not do
o kern/148827  ipfw  [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw  [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw  [ipfw] IPFW schedule delete broken.
o kern/148157  ipfw  [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o kern/148091  ipfw  [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw  [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw  [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw  [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/144269  ipfw  [ipfw] problem with ipfw tables
o kern/144187  ipfw  [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw  [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw  [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw  [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw  [ipfw] ipfw table contains the same address
f kern/142951  ipfw  [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw  [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw  [ipfw] install_state: entry already present, done
o kern/137346  ipfw  [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw  [ipfw] parser troubles
o kern/136695  ipfw  [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw  [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw  [patch] ipfw(8) can't work with set in rule file.
o kern/131817  ipfw  [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw  [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw  [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw  [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw  [ipfw] IPFW check state does not work =(
o kern/129093  ipfw  [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw  [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw  [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw  [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw  [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw  [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw  [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw  [ipfw] tcpdump does not show packets redirected by 'ip
o kern/122109  ipfw  [ipfw] ipfw nat traceroute problem
s kern/121807  ipfw  [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw  [dummynet] 6.3-RELEASE-p1 page fault in dummynet (corr
o kern/121122  ipfw  [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw  [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw  ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw  [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw  [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw  [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw  [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw  [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw  [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw  [ipfw] ipfw pipe lost packets
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw  [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw  [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw  [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw  [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau

78 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 28 19:18:39 2011
Message-ID: <4D6BF033.1000703@vyborg.ru>
Date: Mon, 28 Feb 2011 21:57:55 +0300
From: Ildar Hizbulin
To: freebsd-ipfw@freebsd.org
Subject: Re: features request for kernel's libalias and ipfw nat

> - ability to see actual content of libalias nat table (ipfw nat 1 show table)

I'm working on it :-)

From owner-freebsd-ipfw@FreeBSD.ORG Wed Mar 2 21:44:51 2011
Date: Wed, 2 Mar 2011 21:44:51 GMT
Message-Id: <201103022144.p22LipgX058207@freefall.freebsd.org>
To: bz@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: bz@FreeBSD.org
Subject: Re: kern/145733: [ipfw] [patch] ipfw flaws with ipv6 fragments

Synopsis: [ipfw] [patch] ipfw flaws with ipv6 fragments

Responsible-Changed-From-To: freebsd-ipfw->bz
Responsible-Changed-By: bz
Responsible-Changed-When: Wed Mar 2 21:44:09 UTC 2011
Responsible-Changed-Why:
*sigh* I'll take it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=145733

From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 04:31:42 2011
Date: Fri, 4 Mar 2011 05:55:38 +0200
From: Eugene Perevyazko
To: freebsd-ipfw@freebsd.org
Message-ID: <20110304035538.GA54753@traktor.dnepro.net>
Subject: ipfw fwd and multicast mac address

Hi

I've stumbled on a pretty strange issue in the combination of ipfw fwd rules with multicast.

The system is 7-Stable. It runs ospf, which uses MC groups 224.0.0.5 and 224.0.0.6. Normally those groups use dst mac addresses of 01:00:5e:00:00:05 and 01:00:5e:00:00:06 respectively, where the last 4 bytes are taken from the group's IP.

Then I needed to add some fwd rules like this:

    fwd 192.168.31.14 out xmit em0

(em0 is the interface on which ospf is running)

Somehow after that the MC dst mac got 2 bytes changed: 224.0.0.5 got 01:00:5e:a8:1f:05 and 224.0.0.6 got 01:00:5e:a8:1f:06. "a8:1f" clearly is "168.31" from the fwd destination. Of course this means no ospf anymore.

I've fixed this by adding "pass dst-ip 224.0.0.0/8" before "fwd", but it has made my evening much more lively until I figured out what was happening.

The question is whether this is an intended consequence and, if yes, then why change only two bytes instead of four (irony intended)?
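The multicast MAC derivation that the report above leans on, written out as an added example (my code, not part of the original mail and not FreeBSD kernel code): RFC 1112 maps an IPv4 group address onto the Ethernet address 01:00:5e:00:00:00 with the low-order 23 bits of the group address copied into the low-order 23 bits of the MAC. Only the last three bytes of the MAC depend on the group, and the fourth byte is always in the range 0x00..0x7f. The group addresses in main() are constructed inputs; 225.128.0.5 is included only to show that 32 group addresses share one MAC, and the fwd destination 192.168.31.14 is included as a non-multicast input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted-quad IPv4 address into host byte order.
 * Returns 0 on success, -1 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* 1 if the host-order address is in 224.0.0.0/4, else 0. */
int is_ipv4_multicast(uint32_t ip)
{
    return (ip & 0xf0000000u) == 0xe0000000u;
}

/* RFC 1112 mapping: OUI 01:00:5e, then the low 23 bits of the group.
 * Returns -1 if the address is not a multicast group address. */
int multicast_mac(uint32_t group, uint8_t mac[6])
{
    if (!is_ipv4_multicast(group))
        return -1;
    uint32_t low23 = group & 0x007fffffu;
    mac[0] = 0x01;
    mac[1] = 0x00;
    mac[2] = 0x5e;
    mac[3] = (low23 >> 16) & 0xff;   /* top bit always clear: 0x00..0x7f */
    mac[4] = (low23 >> 8) & 0xff;
    mac[5] = low23 & 0xff;
    return 0;
}

/* Dotted-quad group -> "01:00:5e:xx:xx:xx" (the form quoted in the mail).
 * Returns -1 on parse failure or a non-multicast address. */
int group_to_mac_string(const char *group, char out[18])
{
    uint32_t ip;
    uint8_t m[6];
    if (parse_ipv4(group, &ip) != 0 || multicast_mac(ip, m) != 0)
        return -1;
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
             m[0], m[1], m[2], m[3], m[4], m[5]);
    return 0;
}

/* 1 if the group maps to exactly the expected MAC string, else 0. */
int group_maps_to(const char *group, const char *expected)
{
    char s[18];
    if (group_to_mac_string(group, s) != 0)
        return 0;
    return strcmp(s, expected) == 0;
}

/* 1 if a colon-separated MAC string could have been produced by the
 * RFC 1112 mapping: OUI 01:00:5e and fourth byte no larger than 0x7f. */
int mac_string_is_rfc1112(const char *s)
{
    unsigned b[6];
    if (sscanf(s, "%x:%x:%x:%x:%x:%x",
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]) != 6)
        return 0;
    return b[0] == 0x01 && b[1] == 0x00 && b[2] == 0x5e &&
           b[3] <= 0x7f && b[4] <= 0xff && b[5] <= 0xff;
}

int main(void)
{
    /* Constructed inputs: the two OSPF groups from the mail, a colliding
     * group, and the fwd destination (not multicast). */
    const char *addrs[] = { "224.0.0.5", "224.0.0.6", "225.128.0.5",
                            "192.168.31.14" };
    for (size_t i = 0; i < sizeof addrs / sizeof addrs[0]; i++) {
        char s[18];
        if (group_to_mac_string(addrs[i], s) == 0)
            printf("%-14s -> %s\n", addrs[i], s);
        else
            printf("%-14s -> not a multicast group\n", addrs[i]);
    }
    printf("01:00:5e:a8:1f:05 from RFC 1112 mapping? %s\n",
           mac_string_is_rfc1112("01:00:5e:a8:1f:05") ? "yes" : "no");
    return 0;
}
```

Run as is, it prints the mapping for each address. mac_string_is_rfc1112() makes the observation in the mail checkable: 01:00:5e:a8:1f:05 has 0xa8 in the fourth byte, which no group address can produce through this mapping, so that frame's destination was not derived from a multicast group by the normal IP-to-MAC rule.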
-- 
Eugene Perevyazko

From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 19:05:40 2011
From: Bjorn Danielsson
Date: Fri, 04 Mar 2011 19:51:34 +0100
Cc: Sergey Matveychuk
Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets

Sergey Matveychuk wrote:
> Here is my patch for IPv6 divert. It works for me, but it should be
> reviewed and may be improved.
>
> I've touched nd6.c to prevent looping packet to local address (loopback).
>
> Any questions are welcome.

I needed one more change for my "options IPDIVERT" enabled kernel:

    #include "opt_inet6.h"

which I put right after "opt_inet.h" under the !defined(KLD_MODULE) condition at the beginning of netinet/ip_divert.c. Without this change my divert socket could read but not write IPv6 packets.

I am not familiar with the FreeBSD kernel, so this was based on a guess after noticing how INET6 was handled in other places.

Both copying the incoming sockaddr_in and creating a new one using INADDR_ANY seem to work in sendto(), after this change. I haven't tried any packet rewriting yet but I'll be testing that very soon.

Many thanks Sergey for contributing this patch!

From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 19:32:24 2011
Date: Fri, 4 Mar 2011 12:01:56 -0700
From: JJC
To: freebsd-ipfw@freebsd.org
Subject: if_bridge and ipdivert oddity?

I have been trying to make this work for a while now and am having unexpected results, as follows:

FreeBSD 8.1 Release i386 setup with 3 nics.. em0 is numbered for management, em1 and em2 are physically between hostA and hostB and are members of bridge0, all unnumbered to allow for transparent bridging.

Example scenarios:

basic test - ipfw has an allow any any rule in it:
 - send icmp between hostA and hostB (I'm just gonna call these A and B) and everything looks good

divert test (note divert and bridge are built into the kernel)
 - add an ipfw divert rule, or a series of them, for counting and testing purposes
 - divert 8000 ip4 from any to any via bridge0 (this was tried with all, ip and ip4, and on em1 and em2 also)
 - do not have a process yet listening on *:8000 to do something with the packets that are sent to it
 - start icmp from A to B
 - icmp gets through and the divert counters do not increment?
 - start a simple perl script that takes the diverted packets (code below) and re-injects them
 - icmp is still getting through but not hitting the perl process, and divert counters still not incrementing
 - down em2, icmp does not flow (perl process still running)
 - bring up em2 -arp and now the perl process shows that it's receiving / transmitting the icmp packets, divert counters stop incrementing
 - notable latency increase on the icmp roundtrip
 - kill the perl process that the packets are flowing through, icmp continues to flow through the interfaces, divert still increments, packet latency decreases?

I have tried playing with loads of sysctl knobs to see if that would help, different flavors of divert rules etc... any help would be greatly appreciated.
The ultimate goal here is to have snort run inline transparently on fBSD.

** begin perl snippet**

    #!/usr/bin/perl -w
    use Net::Divert;

    # Unbuffered STDERR so the per-packet markers show up immediately.
    select STDERR; $| = 1;

    # Bind to the divert port named in the ipfw rule (divert 8000 ...).
    my $divobj = Net::Divert->new('localhost', 8000);

    printf(STDERR "open new divobj\n");

    # Block, handing every diverted packet to alterPacket().
    $divobj->getPackets(\&alterPacket);

    sub alterPacket {
        my ($packet, $fwtag) = @_;
        printf(STDERR "i");
        # Re-inject the packet unchanged, with the tag received from the
        # divert socket, so ipfw continues processing it.
        $divobj->putPacket($packet, $fwtag);
        printf(STDERR "o");
    }

From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 19:35:52 2011
Message-ID: <4D713F25.6020909@secnap.com>
Date: Fri, 4 Mar 2011 14:36:05 -0500
From: Michael Scheidell
To: JJC
Cc: freebsd-ipfw@freebsd.org
Subject: Re: if_bridge and ipdivert oddity?

Hey, that's a nice, clean looking test :-)

I suspect SOME of the latency is the unbuffered printf: two printfs to &2 for every packet that flows.

On 3/4/11 2:01 PM, JJC wrote
> inline transparently on fBSD
>
> ** begin perl snippet**
> #!/usr/bin/perl -w
> use Net::Divert;
>
> select STDERR; $| = 1;
>
> my $divobj = Net::Divert->new('localhost',8000);
>
> printf(STDERR "open new divobj\n");
>
> $divobj->getPackets(\&alterPacket);
>
> sub alterPacket { my($packet,$fwtag) = @_;
> printf(STDERR "i");
> $divobj->putPacket($packet,$fwtag);
> printf(STDERR "o");
> }

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 19:46:32 2011
From: JJ Cummings
Date: Fri, 4 Mar 2011 12:46:22 -0700
To: Michael Scheidell
In-Reply-To: <4D713F25.6020909@secnap.com>
Subject: Re: if_bridge and ipdivert oddity?

Same latency without those...

Sent from the iRoad

On Mar 4, 2011, at 12:36, Michael Scheidell wrote:

> Hey, that's a nice, clean looking test :-)
>
> I suspect SOME of the latency is the unbuffered printf.
> two printfs to &2 for every packet that flows.