From owner-freebsd-ipfw@freebsd.org Sun Mar 5 11:01:19 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 217391] [ipfw] [panic] erroneous ipfw rule triggers KASSERT
Date: Sun, 05 Mar 2017 11:01:19 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217391

--- Comment #3 from Eugene Grosbein ---
Thanks, this patch really helps. Now the second command (with the error) gets rejected by the kernel:

# ipfw add 1 count ip from any to any in recv 'table(10)'
ipfw: getsockopt(IP_FW_XADD): Invalid argument

-- 
You are receiving this mail because:
You are the assignee for the bug.

From owner-freebsd-ipfw@freebsd.org Sun Mar 5 22:20:05 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 217391] [ipfw] [panic] erroneous ipfw rule triggers KASSERT
Date: Sun, 05 Mar 2017 22:20:04 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217391

--- Comment #4 from commit-hook@freebsd.org ---
A commit references this bug:

Author: ae
Date: Sun Mar 5 22:19:43 UTC 2017
New revision: 314715
URL: https://svnweb.freebsd.org/changeset/base/314715

Log:
  Reject invalid object types that can not be used with specific opcodes.

  When we are doing reference counting of named objects in the new rule,
  for existing objects check that the opcode references the correct object,
  otherwise return EINVAL.

  PR:           217391
  MFC after:    1 week
  Sponsored by: Yandex LLC

Changes:
  head/sys/netpfil/ipfw/ip_fw_sockopt.c

From owner-freebsd-ipfw@freebsd.org Sun Mar 5 23:49:21 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 217292] ipfw lookup on fields other than IP source and destination address doesn't work for IPv6
Date: Sun, 05 Mar 2017 23:49:21 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217292

--- Comment #2 from commit-hook@freebsd.org ---
A commit references this bug:

Author: ae
Date: Sun Mar 5 23:48:24 UTC 2017
New revision: 314716
URL: https://svnweb.freebsd.org/changeset/base/314716

Log:
  Add IPv6 support to O_IP_DST_LOOKUP opcode.

  o check the size of O_IP_SRC_LOOKUP opcode, it can not exceed the size
    of ipfw_insn_u32;
  o rename ipfw_lookup_table_extended() function into ipfw_lookup_table()
    and remove old ipfw_lookup_table();
  o use args->f_id.flow_id6 that is in host byte order to get DSCP value;
  o add SCTP ports support to 'lookup src/dst-port' opcode;
  o add IPv6 support to 'lookup src/dst-ip' opcode.
  PR:                    217292
  Reviewed by:           melifaro
  MFC after:             2 weeks
  Sponsored by:          Yandex LLC
  Differential Revision: https://reviews.freebsd.org/D9873

Changes:
  head/sys/netpfil/ipfw/ip_fw2.c
  head/sys/netpfil/ipfw/ip_fw_private.h
  head/sys/netpfil/ipfw/ip_fw_sockopt.c
  head/sys/netpfil/ipfw/ip_fw_table.c

From owner-freebsd-ipfw@freebsd.org Mon Mar 6 10:06:36 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 217292] ipfw lookup on fields other than IP source and destination address doesn't work for IPv6
Date: Mon, 06 Mar 2017 10:06:36 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217292

--- Comment #3 from Jan Bramkamp ---
Thank you for the patch. I will perform some testing later today.

From owner-freebsd-ipfw@freebsd.org Tue Mar 7 13:49:25 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
Date: Tue, 07 Mar 2017 13:49:25 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867

Mark Felder changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |feld@FreeBSD.org

--- Comment #1 from Mark Felder ---
Needs some testers, but this should fix it

https://reviews.freebsd.org/D9920

From owner-freebsd-ipfw@freebsd.org Tue Mar 7 14:43:24 2017
Date: Wed, 8 Mar 2017 01:43:19 +1100 (EST)
From: Ian Smith
To: feld@FreeBSD.org
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
Message-ID: <20170308013059.I87835@sola.nimnet.asn.au>

On Tue, 7 Mar 2017 13:49:25 +0000, bugzilla-noreply@freebsd.org wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
>
> Mark Felder changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                  CC|                            |feld@FreeBSD.org
>
> --- Comment #1 from Mark Felder ---
> Needs some testers, but this should fix it
>
> https://reviews.freebsd.org/D9920

I've always used these rules from 'client' and 'simple' rulesets:

  ${fwcmd} add pass all from any to any frag

which I long ago found essential to pass frags from zen.spamhaus.org

I haven't used reass - nor DNSSEC - so can't really evaluate, nor test
currently, so I won't pollute the bug report with what may be musing.

However, looking at the review patch, I do wonder if the reass shouldn't
precede, rather than follow, the check-state?
cheers, Ian

From owner-freebsd-ipfw@freebsd.org Tue Mar 7 14:51:31 2017
Message-Id: <1488897922.884989.903291024.2023FFB6@webmail.messagingengine.com>
From: Mark Felder
To: Ian Smith
Cc: freebsd-ipfw@FreeBSD.org
Date: Tue, 07 Mar 2017 08:45:22 -0600
In-Reply-To: <20170308013059.I87835@sola.nimnet.asn.au>
Subject: Re: [Bug
 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains

On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:
> On Tue, 7 Mar 2017 13:49:25 +0000, bugzilla-noreply@freebsd.org wrote:
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216867
> >
> > Mark Felder changed:
> >
> >            What    |Removed                     |Added
> > ----------------------------------------------------------------------------
> >                  CC|                            |feld@FreeBSD.org
> >
> > --- Comment #1 from Mark Felder ---
> > Needs some testers, but this should fix it
> >
> > https://reviews.freebsd.org/D9920
>
> I've always used these rules from 'client' and 'simple' rulesets:
>   ${fwcmd} add pass all from any to any frag
> which I long ago found essential to pass frags from zen.spamhaus.org
>
> I haven't used reass - nor DNSSEC - so can't really evaluate, nor test
> currently, so I won't pollute the bug report with what may be musing.
>
> However, looking at the review patch, I do wonder if the reass shouldn't
> precede, rather than follow, the check-state?

My pre-coffee brain said "UDP isn't stateful; should be fine to put this
after check-state". I didn't evaluate it further than that.
-- 
  Mark Felder
  ports-secteam & portmgr member
  feld@FreeBSD.org

From owner-freebsd-ipfw@freebsd.org Tue Mar 7 14:52:08 2017
From: Michael Sierchio
Date: Tue, 7 Mar 2017 09:52:06 -0500
In-Reply-To: <20170308013059.I87835@sola.nimnet.asn.au>
Subject: Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
To: Ian Smith
Cc: Mark Felder, freebsd-ipfw@freebsd.org

On Tue, Mar 7, 2017 at 9:43 AM, Ian Smith wrote:

> However, looking at the review patch, I do wonder if the reass shouldn't
> precede, rather than follow, the check-state?

Absolutely, yes - fragments don't carry sub-protocol info.

-- 
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."
- The Mahābhārata

From owner-freebsd-ipfw@freebsd.org Tue Mar 7 15:27:34 2017
Date: Wed, 8 Mar 2017 02:27:29 +1100 (EST)
From: Ian Smith
To: Mark Felder
Cc: Michael Sierchio, freebsd-ipfw@FreeBSD.org
Subject: Re: [Bug 216867] IPFW workstation rules block DNSSEC resulting in DNS failure on freebsd.org domains
In-Reply-To: <1488897922.884989.903291024.2023FFB6@webmail.messagingengine.com>
Message-ID: <20170308015141.W87835@sola.nimnet.asn.au>

On Tue, 7 Mar 2017 08:45:22 -0600, Mark Felder wrote:
> On Tue, Mar 7, 2017, at 08:43, Ian Smith wrote:
> > > https://reviews.freebsd.org/D9920
> >
> > I've always used these rules from 'client' and 'simple' rulesets:
> >   ${fwcmd} add pass all from any to any frag
> > which I long ago found essential to pass frags from
> > zen.spamhaus.org
> >
> > I haven't used reass - nor DNSSEC - so can't really evaluate, nor test
> > currently, so I won't pollute the bug report with what may be musing.
> >
> > However, looking at the review patch, I do wonder if the reass shouldn't
> > precede, rather than follow, the check-state?
>
> My pre-coffee brain said "UDP isn't stateful; should be fine to put this
> after check-state". I didn't evaluate it further than that.

1) code, 2) coffee, 3) recode :-)

All DNS requests routed from LAN clients here run statefully, in an
otherwise mostly static firewall, though not those issued by sendmail,
which are those returning big fragmented UDP packets from spamhaus.org.

Again, I'm just reading how reass works, but I presume you'd want to pass
the whole reassembled packet at check-state? Michael seems to confirm.

Further, it's nothing but convention having check-state as the very first
rule, whereas that is advised for reass.

cheers, Ian

From owner-freebsd-ipfw@freebsd.org Wed Mar 8 01:32:34 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 217620] ipfw flow specification parsing
Date: Wed, 08 Mar 2017 01:32:34 +0000
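An added example, not taken from any message in the thread above nor from FreeBSD's rc.firewall, of the rule order Ian Smith and Michael Sierchio argue for: reass ahead of check-state, so a fragmented DNSSEC reply is reassembled before the stateful rules ever see it. The rule numbers and the FWCMD dry-run variable are assumptions; set FWCMD=/sbin/ipfw on a FreeBSD host to actually load the rules.

```shell
#!/bin/sh
# Added example (not from the thread or from rc.firewall): a minimal
# stateful workstation ruleset that keeps fragmented DNSSEC replies working.
# FWCMD defaults to a dry run that only prints the ipfw commands (assumed
# variable name); point it at /sbin/ipfw to load them for real.
: "${FWCMD:=echo ipfw}"

# Print the rules in evaluation order, one per line.
workstation_rules() {
    # Reassemble inbound fragments first. Only the first fragment of a large
    # UDP reply carries the UDP header, so a check-state placed ahead of
    # reass would be handed fragments it can never match against a flow.
    echo "add 100 reass all from any to any in"
    # Only now consult the dynamic rule table, with whole packets.
    echo "add 200 check-state"
    # Outbound DNS creates state; the reassembled reply matches that state.
    echo "add 300 allow udp from me to any 53 out keep-state"
    echo "add 310 allow tcp from me to any 53 out setup keep-state"
    # Default deny for everything else (assumed rule number).
    echo "add 65000 deny ip from any to any"
}

# Exit 0 only if the reass rule is listed before check-state.
reass_before_check_state() {
    workstation_rules | awk '
        / reass /      { r = NR }
        / check-state/ { c = NR }
        END { exit !(r > 0 && c > 0 && r < c) }'
}

# Feed each rule to FWCMD; in the dry run this prints "ipfw add ...".
load_rules() {
    workstation_rules | while read -r line; do
        # FWCMD is left unquoted on purpose so "echo ipfw" splits into words.
        $FWCMD $line
    done
}

load_rules
```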
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217620

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-ipfw@FreeBSD.org
           Keywords|                            |patch

From owner-freebsd-ipfw@freebsd.org Wed Mar 8 01:33:10 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 217617] Typo in ip_fw_table.c
Date: Wed, 08 Mar 2017 01:33:10 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217617

Mark Linimon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch
           Assignee|freebsd-bugs@FreeBSD.org    |freebsd-ipfw@FreeBSD.org

From owner-freebsd-ipfw@freebsd.org Thu Mar 9 09:55:16 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 217617] Typo in ip_fw_table.c
Date: Thu, 09 Mar 2017 09:55:16 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217617

--- Comment #1 from commit-hook@freebsd.org ---
A commit references this bug:

Author: maxim
Date: Thu Mar 9 09:54:23 UTC 2017
New revision: 314955
URL: https://svnweb.freebsd.org/changeset/base/314955

Log:
  o Typo in the comment fixed.
  PR:           217617
  Submitted by: lutz

Changes:
  head/sys/netpfil/ipfw/ip_fw_table.c

From owner-freebsd-ipfw@freebsd.org Thu Mar 9 09:56:04 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 217617] Typo in ip_fw_table.c
Date: Thu, 09 Mar 2017 09:56:04 +0000
Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Mar 2017 09:56:04 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D217617 Maxim Konovalov changed: What |Removed |Added ---------------------------------------------------------------------------- Status|New |Closed Resolution|--- |FIXED CC| |maxim@FreeBSD.org --=20 You are receiving this mail because: You are the assignee for the bug.= From owner-freebsd-ipfw@freebsd.org Fri Mar 10 05:44:41 2017 Return-Path: Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1CE97D0549B for ; Fri, 10 Mar 2017 05:44:41 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0CB5B1CC2 for ; Fri, 10 Mar 2017 05:44:41 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id v2A5idBi090187 for ; Fri, 10 Mar 2017 05:44:40 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-ipfw@FreeBSD.org Subject: [Bug 217262] ipfw lookup tables match on index instead of value Date: Fri, 10 Mar 2017 05:44:39 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: CURRENT X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: commit-hook@freebsd.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: ae@FreeBSD.org X-Bugzilla-Flags: mfc-stable11+ X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: 
References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Mar 2017 05:44:41 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D217262 --- Comment #4 from commit-hook@freebsd.org --- A commit references this bug: Author: ae Date: Fri Mar 10 05:44:14 UTC 2017 New revision: 314990 URL: https://svnweb.freebsd.org/changeset/base/314990 Log: MFC r314614: Fix matching table entry value. Use real table value instead of its ind= ex in valuestate array. When opcode has size equal to ipfw_insn_u32, this means that it should additionally match value specified in d[0] with table entry value. ipfw_table_lookup() returns table value index, use TARG_VAL() macro to convert it to its value. The actual 32-bit value stored in the tag field of table_value structure, where all unspecified u32 values are kept. PR: 217262 Changes: _U stable/11/ stable/11/sys/netpfil/ipfw/ip_fw2.c --=20 You are receiving this mail because: You are on the CC list for the bug.=
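The index-versus-value confusion that the r314614 / r314990 commit log describes, as an added, constructed C model. This is not the FreeBSD ipfw code: demo_table_lookup(), DEMO_TARG_VAL() and demo_valuestate are simplified stand-ins (assumed here) for the kernel's ipfw_table_lookup(), TARG_VAL() and the table_value array, and the table contents are constructed sample data. The point it shows is that a lookup which hands back an index into a value array must be resolved to the stored value before it is compared with the rule's d[0]; comparing against the raw index gives results that depend on the order entries were added rather than on the configured value.

```c
/* Constructed model of the ipfw table-value matching fix (r314614).
 * Not the FreeBSD sources; all names below are assumed stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for table_value: the 32-bit value a rule compares against
 * lives in the tag field, as the commit log states. */
struct demo_table_value {
	uint32_t tag;
};

/* Constructed "valuestate" array. Table entries refer to it by index,
 * so an entry's index and its value are unrelated numbers. */
static struct demo_table_value demo_valuestate[] = {
	{ .tag = 0 },    /* index 0 */
	{ .tag = 4000 }, /* index 1: the value 4000 lives here */
	{ .tag = 2 },    /* index 2: value happens to equal its own index */
};

/* Constructed table: address -> valuestate index. */
struct demo_entry {
	uint32_t addr;
	uint32_t vidx;
};

static const struct demo_entry demo_table[] = {
	{ 0x0A000001u, 1 }, /* 10.0.0.1 -> index 1 -> value 4000 */
	{ 0x0A000002u, 2 }, /* 10.0.0.2 -> index 2 -> value 2 */
};

/* Stand-in for TARG_VAL(): index in the valuestate array -> real value. */
#define DEMO_TARG_VAL(idx) (demo_valuestate[(idx)].tag)

/* Stand-in for ipfw_table_lookup(): on a hit, writes the valuestate
 * *index* (not the value) to *out and returns 1; 0 on a miss. */
static int
demo_table_lookup(uint32_t addr, uint32_t *out)
{
	size_t i;

	for (i = 0; i < sizeof(demo_table) / sizeof(demo_table[0]); i++) {
		if (demo_table[i].addr == addr) {
			*out = demo_table[i].vidx;
			return 1;
		}
	}
	return 0;
}

/* Before the fix: d[0] from the rule was compared with the index. */
int
match_before_fix(uint32_t addr, uint32_t d0)
{
	uint32_t v;

	if (!demo_table_lookup(addr, &v))
		return 0;
	return v == d0; /* wrong: compares against an array position */
}

/* After the fix: convert the index to the stored value first. */
int
match_after_fix(uint32_t addr, uint32_t d0)
{
	uint32_t v;

	if (!demo_table_lookup(addr, &v))
		return 0;
	return DEMO_TARG_VAL(v) == d0; /* compares against the real value */
}

int
main(void)
{
	/* Rule asks for value 4000 on 10.0.0.1: only the fixed code matches. */
	printf("d[0]=4000: before=%d after=%d\n",
	    match_before_fix(0x0A000001u, 4000),
	    match_after_fix(0x0A000001u, 4000));
	/* Rule asks for value 1: the old code matches by index accident. */
	printf("d[0]=1:    before=%d after=%d\n",
	    match_before_fix(0x0A000001u, 1),
	    match_after_fix(0x0A000001u, 1));
	return 0;
}
```

The second entry (10.0.0.2, index 2, value 2) is deliberately chosen so that both versions agree on it; a test set built only from such coincidences would never surface the bug, which is why a regression check for this kind of lookup should use values that differ from every plausible index.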
