From owner-freebsd-ipfw@FreeBSD.ORG Sun Nov 2 07:45:33 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 16F2916A4CE for ; Sun, 2 Nov 2003 07:45:33 -0800 (PST)
Received: from tequila.4you.lt (tequila.4you.lt [212.122.68.216]) by mx1.FreeBSD.org (Postfix) with SMTP id AE4C543FA3 for ; Sun, 2 Nov 2003 07:45:28 -0800 (PST) (envelope-from hugle@vkt.lt)
Received: (qmail 71893 invoked by uid 0); 2 Nov 2003 14:44:11 -0000
Received: from hugle@vkt.lt by tequila by uid 82 with qmail-scanner-1.20rc1 (. Clear:RC:1:. Processed in 0.923777 secs); 02 Nov 2003 14:44:11 -0000
Received: from unknown (HELO localhost) (213.252.192.162) by tequila.4you.lt with SMTP; 2 Nov 2003 14:44:10 -0000
Date: Sun, 2 Nov 2003 17:44:06 +0200
From: hugle
X-Mailer: The Bat! (v1.63 Beta/5)
X-Priority: 3 (Normal)
Message-ID: <122624821615.20031102174406@vkt.lt>
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: ipfw , mac match
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: hugle
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 02 Nov 2003 15:45:33 -0000

hello all

i have a ruleset like:

03990 39 5189 skipto 5999 ip from 192.168.1.83 to not 192.168.0.0/16 MAC any 00:40:f4:70:8c:87 in via fxp0
05001 14 650 count ip from 192.168.1.83 to not 192.168.0.0/16 in via fxp0

but where do those packets appear in rule 5001 ?
they were not supposed to be there
it means but there is some other traffic going from IP 192.168.1.83 with MAC not 00:40:f4:70:8c:87 ?
or how should I understand this?
hopefully I only have a mistake here somewhere in my rule.
could anyone look here for errors ?

Thx

ps. in rule 5001 there should be fwd rule..
count rule is only for testing, if count works - I'd change it to one i need.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 3 11:02:15 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7059516A4D2 for ; Mon, 3 Nov 2003 11:02:15 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id EEB8E44014 for ; Mon, 3 Nov 2003 11:01:46 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id hA3J1kFY004098 for ; Mon, 3 Nov 2003 11:01:46 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id hA3J1kcc004092 for ipfw@freebsd.org; Mon, 3 Nov 2003 11:01:46 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 3 Nov 2003 11:01:46 -0800 (PST)
Message-Id: <200311031901.hA3J1kcc004092@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 03 Nov 2003 19:02:15 -0000

Current FreeBSD problem reports

Critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2003/03/23] kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o  [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f  [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o  [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o  [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o  [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o  [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o  [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o  [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o  [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o  [2003/08/25] kern/55984  ipfw   [patch] time based firewalling support fo

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 3 14:10:12 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6134D16A4CE; Mon, 3 Nov 2003 14:10:12 -0800 (PST)
Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2FD7443FDF; Mon, 3 Nov 2003 14:10:10 -0800 (PST) (envelope-from bz@zabbadoz.net)
Received: from localhost (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id 1CDA71FF907; Mon, 3 Nov 2003 23:10:08 +0100 (CET)
Received: by transport.cksoft.de (Postfix, from userid 66) id 8B9C41FF905; Mon, 3 Nov 2003 23:10:06 +0100 (CET)
Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id DBCF7153F6; Mon, 3 Nov 2003 22:08:24 +0000 (UTC)
To: FreeBSD-gnats-submit@freebsd.org
From: "Bjoern A. Zeeb"
X-send-pr-version: 3.113
X-GNATS-Notify:
Message-Id: <20031103220824.DBCF7153F6@mail.int.zabbadoz.net>
Date: Mon, 3 Nov 2003 22:08:24 +0000 (UTC)
X-Virus-Scanned: by AMaViS snapshot-20020300
cc: security@freebsd.org
cc: ipfw@FreeBSD.org
cc: bzeeb+freebsd@zabbadoz.net
cc: ari.suutari@syncrontech.com
Subject: [fix] ipfw2 ipsec history option not working
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Bjoern A. Zeeb"
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 03 Nov 2003 22:10:12 -0000

>Submitter-Id: current-users
>Originator: Bjoern A. Zeeb
>Organization: Zabbadoz.NeT
>Confidential: no
>Synopsis: [fix] ipfw2 ipsec history option not working
>Severity: critical
>Priority: high
>Category: kern
>Class: sw-bug
>Release: 5.1-CURRENT i386
>Environment:

FreeBSD noc.int.zabbadoz.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20 22:19:04 UTC 2003 bz@noc.int.zabbadoz.net:/export/src/src/obj/export/src/src/HEAD/compile-20030920-2028/sys/ZAB2-2003092001 i386

>Description:

The patch applied at 4 Jul 2003 [1]
from http://www.freebsd.org/cgi/query-pr.cgi?pr=53624
will not work in current and might never have worked
the way it should and is documented.

The problem is that #ifdef IPSEC in sys/netinet/ip_fw2.c
will never match because opt_ipsec.h is never included.

Furthermore because only the check in the verify
path (ipfw_chk) is #ifdef'ed and not the path where
the rules get checked before insertion (check_ipfw_struct)
__there will be no complaints when
adding a rule with ipsec option__ !

[1] http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.33&r2=1.34

>How-To-Repeat:

add a rule that should match all traffic with
ipsec history with log option at appropriate place
in your ruleset; s.th. like:

ipfw add ...
log ip from any to any ipsec there will be no match logged; alternatively you may simply grep for ipsec_gethist in ip_fw2.o; this also will not find a match though it should be in there. >Fix: this patch has been verified to make O_IPSEC work for me with IPSEC; it has not been verified to work with FAST_IPSEC. additionaly one may also add s.th. like #if defined(IPSEC) || defined(FAST_IPSEC) for O_IPSEC in check_ipfw_struct(). --- sys/netinet/ip_fw2.c.orig Mon Nov 3 18:24:57 2003 +++ sys/netinet/ip_fw2.c Mon Nov 3 20:47:58 2003 @@ -37,6 +37,7 @@ #include "opt_ipdn.h" #include "opt_ipdivert.h" #include "opt_inet.h" +#include "opt_ipsec.h" #ifndef INET #error IPFIREWALL requires INET. #endif /* INET */ From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 3 22:52:33 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4149316A4CE; Mon, 3 Nov 2003 22:52:33 -0800 (PST) Received: from cocoa.syncrontech.com (cocoa-e0.syncrontech.com [62.71.8.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC29043F85; Mon, 3 Nov 2003 22:52:29 -0800 (PST) (envelope-from ari.suutari@syncrontech.com) Received: from guinness.syncrontech.com (guinness.syncrontech.com [62.71.8.19])hA46qQEQ017449; Tue, 4 Nov 2003 08:52:27 +0200 (EET) (envelope-from ari.suutari@syncrontech.com) Received: from coffee.syncrontech.com (coffee.syncrontech.com [62.71.8.37]) hA46qMC5036170; Tue, 4 Nov 2003 08:52:22 +0200 (EET) (envelope-from ari.suutari@syncrontech.com) 
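
Review bot: in the @@ -37,6 +37,7 @@ hunk of sys/netinet/ip_fw2.c the added #include "opt_ipsec.h" only makes the #ifdef IPSEC test in ipfw_chk effective; the O_IPSEC case in check_ipfw_struct() stays unconditional, so a kernel built without IPSEC or FAST_IPSEC will still accept a rule carrying the ipsec option without complaint and then never match it. The description already proposes `#if defined(IPSEC) || defined(FAST_IPSEC)` around that case; fold it into this patch so the failure shows up at rule insertion, and have the result built once with FAST_IPSEC, since the submission says that configuration was not verified.
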
From: Ari Suutari
Organization: Syncron Tech Oy
To: "Bjoern A. Zeeb" , FreeBSD-gnats-submit@freebsd.org
Date: Tue, 4 Nov 2003 08:52:25 +0200
User-Agent: KMail/1.5.4
References: <20031103220824.DBCF7153F6@mail.int.zabbadoz.net>
In-Reply-To: <20031103220824.DBCF7153F6@mail.int.zabbadoz.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200311040852.25359.ari.suutari@syncrontech.com>
X-Scanned-By: MIMEDefang 2.30 (www . roaringpenguin . com / mimedefang)
X-Scanned-By: MIMEDefang 2.24 (www . roaringpenguin . com / mimedefang)
cc: ipfw@freebsd.org
cc: bzeeb+freebsd@zabbadoz.net
cc: security@freebsd.org
Subject: Re: [fix] ipfw2 ipsec history option not working
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 04 Nov 2003 06:52:33 -0000

Wow !

The initial patch I submitted must have been incomplete somehow,
because I really tested this thing on -current. The reason might be
that the first patch didn't include #ifdef IPSEC at all. Then someone
(maybe me on another machine...) who tested it complained about kernel
not compiling without IPSEC - and I added the #ifdef IPSEC without
testing it 'since it was such a small change'.

Please someone, commit the suggested patch. Also, if these changes
have gone to 4.9, it might be good to include this fix for RELENG_4_9
since it is security related.

Ari S.

On Tuesday 04 November 2003 00:08, Bjoern A. Zeeb wrote:
> >Submitter-Id: current-users
> >Originator: Bjoern A.
Zeeb > >Organization: Zabbadoz.NeT > >Confidential: no > >Synopsis: [fix] ipfw2 ipsec history option not working > >Severity: critical > >Priority: high > >Category: kern > >Class: sw-bug > >Release: 5.1-CURRENT i386 > >Environment: > > FreeBSD noc.int.zabbadoz.net 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Sat Sep 20 > 22:19:04 UTC 2003 > bz@noc.int.zabbadoz.net:/export/src/src/obj/export/src/src/HEAD/compile-200 >30920-2028/sys/ZAB2-2003092001 i386 > > >Description: > > The patch applied at 4 Jul 2003 [1] > from http://www.freebsd.org/cgi/query-pr.cgi?pr=53624 > will not work in current and might never have worked > the way it should and is documented. > > The problem is that #ifdef IPSEC in sys/netinet/ip_fw2.c > will never match because opt_ipsec.h is never included. > > Further more because only the check in the verify > path (ipfw_chk) is #ifdef'ed and not the path where > the rules get checked before insertion (check_ipfw_struct) > __there will be no complaints when > adding a rule with ipsec option__ ! > > [1] > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_fw2.c.diff?r1=1.33 >&r2=1.34 > > >How-To-Repeat: > > add a rule that should match all traffic with > ipsec history with log option at appropriate place > in your ruleset; s.th. like: > > ipfw add ... log ip from any to any ipsec > > there will be no match logged; > > > alternatively you may simply grep for ipsec_gethist > in ip_fw2.o; this also will not find a match though it > should be in there. > > >Fix: > > this patch has been verified to make O_IPSEC work > for me with IPSEC; it has not been verified to work > with FAST_IPSEC. > > additionaly one may also add s.th. like > #if defined(IPSEC) || defined(FAST_IPSEC) > for O_IPSEC in check_ipfw_struct(). > > > --- sys/netinet/ip_fw2.c.orig Mon Nov 3 18:24:57 2003 > +++ sys/netinet/ip_fw2.c Mon Nov 3 20:47:58 2003 
> @@ -37,6 +37,7 @@ > #include "opt_ipdn.h" > #include "opt_ipdivert.h" > #include "opt_inet.h" > +#include "opt_ipsec.h" > #ifndef INET > #error IPFIREWALL requires INET. > #endif /* INET */ From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 5 10:59:51 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 459E116A4CF for ; Wed, 5 Nov 2003 10:59:51 -0800 (PST) Received: from gradlab.ucsd.edu (gradlab.ucsd.edu [132.239.55.107]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD01C43FE1 for ; Wed, 5 Nov 2003 10:59:50 -0800 (PST) (envelope-from ycheng@cs.ucsd.edu) Received: (from ycheng@localhost) by gradlab.ucsd.edu (8.11.6.patched2/8.11.6) id hA5Ixol17530; Wed, 5 Nov 2003 10:59:50 -0800 (PST) Date: Wed, 5 Nov 2003 10:59:50 -0800 
From: Yuchung Cheng
To: ipfw@freebsd.org
Message-ID: <20031105105949.A15915@cs.ucsd.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
cc: ycheng@cs.ucsd.edu
Subject: maximum pipes in dummynet?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 05 Nov 2003 18:59:51 -0000

Hi all,

I am using dummynet to simulate many different links. After dummynet seems
to slow down after more than 4000 (static) pipes. That is, the link delay
is more than the specified delay. My config file looks like

ipfw add 1 pipe 7 tcp from 192.168.2.100 10003 to 192.168.1.100 out
ipfw pipe 7 config bw 730KByte/s queue 40 delay 4ms plr 0.01
ipfw add 1 pipe 8 tcp from 192.168.1.100 to 192.168.2.100 10003 in
ipfw pipe 8 config bw 730KByte/s queue 40 delay 4ms plr 0.01
ipfw add 1 pipe 9 tcp from 192.168.2.100 10004 to 192.168.1.100 out
ipfw pipe 9 config bw 1400KByte/s queue 40 delay 28ms plr 0.00
ipfw add 1 pipe 10 tcp from 192.168.1.100 to 192.168.2.100 10004 in
ipfw pipe 10 config bw 1503KByte/s queue 40 delay 28ms plr 0.00

My machine is 2.66 P4 w/ 1G mem. Does anybody know how to make dummynet
support more pipes?

Also is it possible to specify one pipe for more than one port? i.e.,
ipfw add 1 pipe 10 tcp from 192.168.1.100 to 192.168.2.100 10004,10537,3045 in

Thanks.

Yu-chung

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 5 13:50:44 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4EA2116A4CE for ; Wed, 5 Nov 2003 13:50:44 -0800 (PST)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2186E43F75 for ; Wed, 5 Nov 2003 13:50:43 -0800 (PST) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.3) with ESMTP id hA5LogFw044625; Wed, 5 Nov 2003 13:50:42 -0800 (PST) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id hA5Logfe044620; Wed, 5 Nov 2003 13:50:42 -0800 (PST) (envelope-from rizzo)
Date: Wed, 5 Nov 2003 13:50:42 -0800
From: Luigi Rizzo
To: Yuchung Cheng
Message-ID: <20031105135042.A42702@xorpc.icir.org>
References: <20031105105949.A15915@cs.ucsd.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20031105105949.A15915@cs.ucsd.edu>; from ycheng@cs.ucsd.edu on Wed, Nov 05, 2003 at 10:59:50AM -0800
cc: ipfw@freebsd.org
Subject: Re: maximum pipes in dummynet?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 05 Nov 2003 21:50:44 -0000

the problem is not in dummynet, it is in your ruleset that,
as you describe it, has to traverse up to 4000 rules before
packets are sent to the correct pipe.

If you have a finite set of pipe speeds, just use masks on the ports

ipfw add pipe 1 tcp from a 10000-10499 to 192.168.1.100 out
ipfw add pipe 2 tcp from a 10500-10999 to 192.168.1.100 out
ipfw add pipe 3 tcp from a 11000-11499 to 192.168.1.100 out
ipfw add pipe 4 tcp from a 11500-11999 to 192.168.1.100 out
ipfw pipe 1 config ... mask src-port 0xffff
ipfw pipe 2 config ... mask src-port 0xffff
ipfw pipe 3 config ... mask src-port 0xffff
ipfw pipe 4 config ... mask src-port 0xffff

and you have your first 2000 pipes. Same for the other 2000

As usual, a careful reading of the ipfw manpage would help for
both your questions

cheers
luigi

On Wed, Nov 05, 2003 at 10:59:50AM -0800, Yuchung Cheng wrote:
> Hi all,
>
> I am using dummynet to simulate many different links. After dummynet seems
> to slow down after more than 4000 (static) pipes. That is, the link delay
> is more than the specified delay. My config file looks like
>
> ipfw add 1 pipe 7 tcp from 192.168.2.100 10003 to 192.168.1.100 out
> ipfw pipe 7 config bw 730KByte/s queue 40 delay 4ms plr 0.01
> ipfw add 1 pipe 8 tcp from 192.168.1.100 to 192.168.2.100 10003 in
> ipfw pipe 8 config bw 730KByte/s queue 40 delay 4ms plr 0.01
> ipfw add 1 pipe 9 tcp from 192.168.2.100 10004 to 192.168.1.100 out
> ipfw pipe 9 config bw 1400KByte/s queue 40 delay 28ms plr 0.00
> ipfw add 1 pipe 10 tcp from 192.168.1.100 to 192.168.2.100 10004 in
> ipfw pipe 10 config bw 1503KByte/s queue 40 delay 28ms plr 0.00
>
> My machine is 2.66 P4 w/ 1G mem. Does anybody know how to make dummynet
> support more pipes?
>
> Also is it possible to specify one pipe for more than one port? i.e.,
> ipfw add 1 pipe 10 tcp from 192.168.1.100 to 192.168.2.100 10004,10537,3045 in
>
> Thanks.
>
> Yu-chung
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 5 14:35:19 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D26516A4CE for ; Wed, 5 Nov 2003 14:35:19 -0800 (PST)
Received: from firewall.floating-oak.com (adsl-67-117-120-153.dsl.scrm01.pacbell.net [67.117.120.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7C24043FE9 for ; Wed, 5 Nov 2003 14:35:16 -0800 (PST) (envelope-from mnadler@floating-oak.org)
Received: from floating-oak.org (dell.floating-oak.com [192.168.1.3]) by firewall.floating-oak.com (8.9.3/8.9.3) with ESMTP id OAA09425 for ; Wed, 5 Nov 2003 14:35:16 -0800
Message-ID: <3FA97B22.7010808@floating-oak.org>
Date: Wed, 05 Nov 2003 14:35:14 -0800
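
Added example, not part of the thread and not code from ipfw or its authors: one way to apply the approach in Luigi Rizzo's reply above, turning a per-flow list into one masked pipe per distinct link profile and one rule per contiguous source-port range. The function names gen_ruleset and sample_flows, the input format and the sample flows are assumptions made for illustration; the addresses and "queue 40" are taken from the question, and output lines omit the leading "ipfw" so the file can be handed to ipfw as a pathname.

```shell
#!/bin/sh
# Added example, not from the thread: compact a per-flow dummynet config.
# Input (stdin): one emulated link per line, "<src-port> <bw> <delay> <plr>".
# Output (stdout): ruleset-file lines without the leading "ipfw", meant to
# be loaded in one "ipfw -q <pathname>" run instead of two runs per flow.
#
# Flows sharing a (bw, delay, plr) profile share ONE pipe configured with
# "mask src-port 0xffff", so dummynet creates a separate dynamic pipe per
# source port. Rules are emitted per contiguous port range, so a packet is
# compared against (number of ranges) rules, not (number of flows).

gen_ruleset() {
    # $1 = emulated sender, $2 = receiver (caller-supplied addresses)
    # Sort so identical profiles are adjacent, ports ascending within each.
    LC_ALL=C sort -k2,2 -k3,3 -k4,4 -k1,1n |
    awk -v src="$1" -v dst="$2" '
        function flush_range() {
            if (lo == "") return
            ports = (lo == hi) ? lo : (lo "-" hi)
            printf "add pipe %d tcp from %s %s to %s out\n", pipe, src, ports, dst
            lo = ""
        }
        # Reject lines that are not "<port 1..65535> <bw> <delay> <plr>".
        NF != 4 || $1 !~ /^[0-9]+$/ || $1 < 1 || $1 > 65535 {
            printf "skipping malformed line: %s\n", $0 > "/dev/stderr"
            next
        }
        # A port can belong to one profile only: first match wins in ipfw.
        ($1 in seen) {
            printf "skipping duplicate port: %s\n", $0 > "/dev/stderr"
            next
        }
        {
            seen[$1] = 1
            profile = $2 " " $3 " " $4
            if (profile != prev) {
                flush_range()
                pipe++
                printf "pipe %d config bw %s queue 40 delay %s plr %s mask src-port 0xffff\n", pipe, $2, $3, $4
                prev = profile
            }
            if (lo != "" && $1 + 0 == hi + 1) {
                hi = $1 + 0            # extend the current contiguous range
            } else {
                flush_range()
                lo = hi = $1 + 0       # start a new range
            }
        }
        END { flush_range() }'
}

# Constructed sample input, modelled on the flows shown in the question.
sample_flows() {
    cat <<'EOF'
10003 730KByte/s 4ms 0.01
10004 1400KByte/s 28ms 0.00
10005 730KByte/s 4ms 0.01
10006 730KByte/s 4ms 0.01
10007 1400KByte/s 28ms 0.00
10008 1400KByte/s 28ms 0.00
EOF
}

# Six flows become two pipe definitions and four rules.
sample_flows | gen_ruleset 192.168.2.100 192.168.1.100
```

This covers only the "out" direction keyed on the source port; the "in" rules from the question would need the port on the destination side and a pipe configured with "mask dst-port 0xffff".
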
From: Michael Nadler
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1
X-Accept-Language: en-us, en
To: freebsd-ipfw@freebsd.org
References: <20031105200049.B897F16A51A@hub.freebsd.org>
In-Reply-To: <20031105200049.B897F16A51A@hub.freebsd.org>
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: Re: maximum pipes in dummynet?
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 05 Nov 2003 22:35:19 -0000

The basic problem you are having is with ipfw, not merely dummynet.
ipfw uses a linked list to hold the rules. Every packet must be matched
against these rules using a linear search. And this search happens in
the interrupt thread. Packets that match none of the rules end up having
the worst latency. There is an inverse relationship between the number
of packets and the number of rules.

In my experience, 4000 ipfw rules is quite a lot. We had to implement a
custom modification to ipfw, creating a special class of static rules
that were handled similar to the dynamic rules. This mod permitted more
than 100,000 rules with little performance degradation.

The ipfw pipe rule, just like a regular rule, can match multiple ports.
See ipfw(8).

Date: Wed, 5 Nov 2003 10:59:50 -0800
From: Yuchung Chen
Subject: maximum pipes in dummynet?
To: ipfw@freebsd.org
Cc: ycheng@cs.ucsd.edu
Message-ID: <20031105105949.A15915@cs.ucsd.edu>
Content-Type: text/plain; charset=us-ascii

Hi all,

I am using dummynet to simulate many different links. After dummynet seems
to slow down after more than 4000 (static) pipes. That is, the link delay
is more than the specified delay. My config file looks like

ipfw add 1 pipe 7 tcp from 192.168.2.100 10003 to 192.168.1.100 out
ipfw pipe 7 config bw 730KByte/s queue 40 delay 4ms plr 0.01
ipfw add 1 pipe 8 tcp from 192.168.1.100 to 192.168.2.100 10003 in
ipfw pipe 8 config bw 730KByte/s queue 40 delay 4ms plr 0.01
ipfw add 1 pipe 9 tcp from 192.168.2.100 10004 to 192.168.1.100 out
ipfw pipe 9 config bw 1400KByte/s queue 40 delay 28ms plr 0.00
ipfw add 1 pipe 10 tcp from 192.168.1.100 to 192.168.2.100 10004 in
ipfw pipe 10 config bw 1503KByte/s queue 40 delay 28ms plr 0.00

My machine is 2.66 P4 w/ 1G mem. Does anybody know how to make dummynet
support more pipes?

Also is it possible to specify one pipe for more than one port? i.e.,
ipfw add 1 pipe 10 tcp from 192.168.1.100 to 192.168.2.100 10004,10537,3045 in

Thanks.

Yu-chung

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 6 03:06:07 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8DBB816A4CF for ; Thu, 6 Nov 2003 03:06:07 -0800 (PST)
Received: from mail.latnet.lv (mail.latnet.lv [159.148.108.13]) by mx1.FreeBSD.org (Postfix) with SMTP id E785D43FF2 for ; Thu, 6 Nov 2003 03:06:05 -0800 (PST) (envelope-from ac@latnet.lv)
Received: (qmail 1306 invoked by uid 64014); 6 Nov 2003 11:06:04 -0000
Received: from ac@latnet.lv by mail by uid 64011 with qmail-scanner-1.16 (clamscan: 0.54. Clear:. Processed in 1.012002 secs); 06 Nov 2003 11:06:04 -0000
Received: from unknown (HELO artis) (159.148.107.1) by mail.latnet.lv with SMTP; 6 Nov 2003 11:06:03 -0000
From: "Artis Caune"
To:
Date: Thu, 6 Nov 2003 13:04:31 +0200
Organization: Latnet
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Thread-Index: AcOkVcESgGV4G1+cRX6QPq8UZluBdw==
X-Qmail-Scanner-Message-ID: <10681167635261277@mail>
Message-Id: <20031106110605.E785D43FF2@mx1.FreeBSD.org>
Subject: loading lot of rules takes very long time
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 06 Nov 2003 11:06:07 -0000

Hello,

We have about 10000-20000 pipes for
different subnets, and it takes very long
time to load them - about 10-15min.

92.8% interrupt, 0.0% idle

strange that things slow down when count
reaches 2000-2500 rules.

is there something we can do to speed things up?

rules are added like:
ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
ipfw pipe 1 config bw 30Kbytes/s queue 10
...
soo 'ipfw' is invoked '2 x client_count' !!!

maybe ipfw need feature like:
ipfw -f /etc/rc.firewall

# FreeBSD-4.9, IPFW2,
# HZ=2000, DEVICE_POLLING,
# 1G RAM, 2.4xeon on Intel server board

.....
Artis

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 6 03:39:20 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9253E16A4CE for ; Thu, 6 Nov 2003 03:39:20 -0800 (PST)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id E1DF443FA3 for ; Thu, 6 Nov 2003 03:39:19 -0800 (PST) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.3) with ESMTP id hA6BdJFw065757; Thu, 6 Nov 2003 03:39:19 -0800 (PST) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id hA6BdJBg065756; Thu, 6 Nov 2003 03:39:19 -0800 (PST) (envelope-from rizzo)
Date: Thu, 6 Nov 2003 03:39:19 -0800
From: Luigi Rizzo
To: Artis Caune
Message-ID: <20031106033919.A65661@xorpc.icir.org>
References: <20031106110605.E785D43FF2@mx1.FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20031106110605.E785D43FF2@mx1.FreeBSD.org>; from ac@latnet.lv on Thu, Nov 06, 2003 at 01:04:31PM +0200
cc: freebsd-ipfw@freebsd.org
Subject: Re: loading lot of rules takes very long time
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 06 Nov 2003 11:39:20 -0000

most likely, because you are not using "-n", the printing code
will use the nameserver to try and resolve addresses, and if
halfway through you are limiting/blocking access to the nameserver
you incur in timeouts.

To tell the truth i suspect you have a quite poorly designed
ruleset if you are adding individual rules and pipes for each
client. Almost surely you should make use of masks in pipes,
and address sets in rules, to reduce the size of your ruleset
to something manageable and efficient.

cheers
luigi

On Thu, Nov 06, 2003 at 01:04:31PM +0200, Artis Caune wrote:
> Hello,
>
> We have about 10000-20000 pipes for
> different subnets, and it takes very long
> time to load them - about 10-15min.
>
> 92.8% interrupt, 0.0% idle
>
> strange that things slow down when count
> reaches 2000-2500 rules.
>
> is there something we can do to speed things up?
>
> rules are added like:
> ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> ipfw pipe 1 config bw 30Kbytes/s queue 10
> ...
> soo 'ipfw' is invoked '2 x client_count' !!!
>
> maybe ipfw need feature like:
> ipfw -f /etc/rc.firewall
>
>
>
> # FreeBSD-4.9, IPFW2,
> # HZ=2000, DEVICE_POLLING,
> # 1G RAM, 2.4xeon on Intel server board
>
>
>
>
>
> .....
> Artis
>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 6 05:36:53 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7070016A4CE for ; Thu, 6 Nov 2003 05:36:53 -0800 (PST)
Received: from mout1.freenet.de (mout1.freenet.de [194.97.50.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id A214A43FD7 for ; Thu, 6 Nov 2003 05:36:49 -0800 (PST) (envelope-from ino-qc@spotteswoode.de.eu.org)
Received: from [194.97.55.148] (helo=mx5.freenet.de) by mout1.freenet.de with asmtp (Exim 4.24) id 1AHkJc-0004Kg-95 for freebsd-ipfw@FreeBSD.org; Thu, 06 Nov 2003 14:36:48 +0100
Received: from pd9501624.dip.t-dialin.net ([217.80.22.36] helo=spotteswoode.dnsalias.org) by mx5.freenet.de with asmtp (ID inode@freenet.de) (Exim 4.24 #2) id 1AHkJb-0004KN-Th for freebsd-ipfw@FreeBSD.org; Thu, 06 Nov 2003 14:36:48 +0100
Received: (qmail 77122 invoked by uid 0); 6 Nov 2003 13:37:08 -0000
Date: 6 Nov 2003 14:36:46 +0100
Message-ID:
From: "Clemens Fischer"
To: "Artis Caune"
In-Reply-To: <20031106110605.E785D43FF2@mx1.FreeBSD.org> (Artis Caune's message of "Thu, 6 Nov 2003 13:04:31 +0200")
References: <20031106110605.E785D43FF2@mx1.FreeBSD.org>
User-Agent: Gnus/5.1003 (Gnus v5.10.3) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-ipfw@FreeBSD.org
Subject: Re: loading lot of rules takes very long time
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 06 Nov 2003 13:36:53 -0000

* Artis Caune:

> rules are added like:
> ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> ipfw pipe 1 config bw 30Kbytes/s queue 10
> ...
> soo 'ipfw' is invoked '2 x client_count' !!!

why don't you just prepare the rules in a file and load that in one
single invocation of ipfw(8)? like so:

--8<---cut here:--start--->8--
#!/bin/sh
# $Header: /l/dns/RCS/fw.sh,v 1.11 2003/09/25 01:33:44 root Exp root $

# outside interface
oif1="${2:-tun0}"
...
fw_rules="/l/dns/fw.current"
fw_rules_X="${fw_rules}_X"
lock="lockf -s -t 55 ${fw_rules_X}"

${lock} /bin/cat > "$fw_rules" << EEOOFF || die "${notok}" "$0: cannot lock fw input"
add deny ip from any to 127.0.0.0/8 in recv ${oif1}
add deny ip from 127.0.0.0/8 to any out xmit ${oif1}
add allow ip from any to any via lo0
...
# Deny all the rest.
add 65400 deny $Lllog ip from any to any
#
EEOOFF

$fw -q flush
${lock} $fw -q "$fw_rules" || die "${notok}" "$0: cannot lock ipfw"

exit $?
--8<---cut here:---end---->8--

> maybe ipfw need feature like:
> ipfw -f /etc/rc.firewall

well, the man page is a swell reading in cases like this. it even
describes options on the usage of preprocessors in this really old
feature: "ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname".

clemens From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 6 13:47:57 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A5C9F16A4CE for ; Thu, 6 Nov 2003 13:47:57 -0800 (PST) Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7110C4400F for ; Thu, 6 Nov 2003 13:47:56 -0800 (PST) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from localhost (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id 488F21FF90C; Thu, 6 Nov 2003 22:47:54 +0100 (CET) Received: by transport.cksoft.de (Postfix, from userid 66) id BA72C1FF8FA; Thu, 6 Nov 2003 22:47:52 +0100 (CET) Received: by mail.int.zabbadoz.net (Postfix, from userid 1060) id 01469154E2; Thu, 6 Nov 2003 21:47:44 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by mail.int.zabbadoz.net (Postfix) with ESMTP id EAE4C15329; Thu, 6 Nov 2003 21:47:44 +0000 (UTC) Date: Thu, 6 Nov 2003 21:47:44 +0000 (UTC) From: "Bjoern A. Zeeb" X-X-Sender: bz@e0-0.zab2.int.zabbadoz.net To: freebsd-ipfw@freebsd.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS snapshot-20020300 cc: Luigi Rizzo cc: patch@zabbadoz.net cc: Hajimu UMEMOTO Subject: HEAD ip_fw2 ipsec b0rked X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Nov 2003 21:47:57 -0000 Hi, 1) when someone fixes the panic: ipsec_gethist: obsolete API in netinet/ip_fw2.c 2) can you please also add the opt_ipsec.h from http://www.freebsd.org/cgi/query-pr.cgi?pr=58899 resp. review this __untested__ patch: --- compile-crisco-20031106-1650/sys/netinet/ip_fw2.c.orig Thu Nov 6 16:58:59 2003 +++ compile-crisco-20031106-1650/sys/netinet/ip_fw2.c Thu Nov 6 21:45:03 2003 
@@ -37,6 +37,7 @@ #include "opt_ipdn.h" #include "opt_ipdivert.h" #include "opt_inet.h" +#include "opt_ipsec.h" #ifndef INET #error IPFIREWALL requires INET. #endif /* INET */ @@ -1938,7 +1939,7 @@ PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL); #endif #ifdef IPSEC - match = (ipsec_gethist(m, NULL) != NULL); + match = (ipsec_getnhist(m) != NULL); #endif /* otherwise no match */ break; @@ -2548,7 +2549,9 @@ case O_TCPOPTS: case O_ESTAB: case O_VERREVPATH: +#if defined(IPSEC) || defined(FAST_IPSEC) case O_IPSEC: +#endif if (cmdlen != F_INSN_SIZE(ipfw_insn)) goto bad_size; break;

-- 
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/

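Review bot: In the first hunk (@@ -37,6 +37,7), the new `#include "opt_ipsec.h"` switches on every `#ifdef IPSEC` block in ip_fw2.c, code that was compiled out while the option header was missing, and the patch is posted as untested. Please build and run it with and without the IPSEC option before commit, and state in the commit message that the ipsec match code was inactive until this include, so the behaviour change is on record.
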
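Review bot: In the second hunk (@@ -1938,7 +1939,7), `ipsec_getnhist(m) != NULL` carries over the pointer comparison from the old `ipsec_gethist(m, NULL)` call. The new name reads like a history count; if it returns an integer rather than a pointer, the test should be `match = (ipsec_getnhist(m) != 0);`. Check the prototype before this goes in, since nothing here has been compiled with IPSEC defined.
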
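Review bot: In the third hunk (@@ -2548,7 +2549,9), once `case O_IPSEC:` sits inside `#if defined(IPSEC) || defined(FAST_IPSEC)`, a kernel built with neither option no longer size-checks this opcode here and it drops to whatever the switch does for unlisted opcodes. Confirm that path rejects the rule rather than accepting one that can never match. Also, this guard tests FAST_IPSEC while the match code visible in the second hunk tests `#ifdef IPSEC` after an earlier block whose guard is outside the context; the guards in both places should cover the same kernel configurations.
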
From: "Ari Suutari"
To: "Bjoern A. Zeeb"
Date: Fri, 7 Nov 2003 13:44:45 +0200
cc: Luigi Rizzo
cc: patch@zabbadoz.net
cc: Hajimu UMEMOTO
Subject: Re: HEAD ip_fw2 ipsec b0rked

Hi,

> Hi,
>
> 1) when someone fixes the
>      panic: ipsec_gethist: obsolete API
>    in netinet/ip_fw2.c

I think that ipsec_gethist is being called from ip_input
also, so if it is going to be obsolete the new way can
be found there. Or do you mean that only
the second parameter is now obsolete ?

(Apparently someone is merging things from kame
tree ?)

    Ari S.

Date: Fri, 07 Nov 2003 21:02:41 +0900
From: Hajimu UMEMOTO
To: "Ari Suutari"
cc: "Bjoern A. Zeeb"
cc: Luigi Rizzo
cc: patch@zabbadoz.net
cc: Hajimu UMEMOTO
cc: freebsd-ipfw@freebsd.org
Subject: Re: HEAD ip_fw2 ipsec b0rked

Hi,

>>>>> On Fri, 7 Nov 2003 13:44:45 +0200
>>>>> "Ari Suutari" said:

> 1) when someone fixes the
> panic: ipsec_gethist: obsolete API
> in netinet/ip_fw2.c

ari> I think that ipsec_gethist is being called from ip_input
ari> also, so if it is going to be obsolete the new way can
ari> be found there. Or do you mean that only
ari> the second parameter is now obsolete ?

Yes, ipsec_gethist() was obsoleted and replaced by ipsec_getnhist()
during KAME merge.  Calling ipsec_gethist() in ip_input.c which you
mentioned was already replaced by ipsec_getnhist().  However, I didn't
notice that ipsec_gethist() is called in ip_fw2.c.

ari> (Apparently someone is merging things from kame
ari> tree ?)

Yes, I did.

-- 
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

Date: Fri, 7 Nov 2003 12:26:12 +0000 (UTC)
From: "Bjoern A. Zeeb"
To: Hajimu UMEMOTO
cc: Luigi Rizzo
cc: freebsd-ipfw@freebsd.org
Subject: Re: HEAD ip_fw2 ipsec b0rked

On Fri, 7 Nov 2003, Hajimu UMEMOTO wrote:

Hi,

> Yes, ipsec_gethist() was obsoleted and replaced by ipsec_getnhist()
> during KAME merge.  Calling ipsec_gethist() in ip_input.c which you
> mentioned was already replaced by ipsec_getnhist().

I had seen this after I got the "nice" panic();

> However, I didn't
> notice that ipsec_gethist() is called in ip_fw2.c.

Either removing the f() entirely will make people notice it at compile
time that s.th. is missing
or running a find over the src tree will let you find these functions
but giving a panic() isn't that nice ;-))

Perhaps Luigi or you could review my patch and commit it so that both
problems get fixed at once because fixing one will not help making the
other work in ip_fw2.c.

-- 
Greetings

Bjoern A.
Zeeb                                    bzeeb at Zabbadoz dot NeT
56 69 73 69 74                          http://www.zabbadoz.net/

Date: Fri, 07 Nov 2003 19:27:59 +0200
From: Ari Suutari
To: "Bjoern A. Zeeb"
cc: Luigi Rizzo
cc: Hajimu UMEMOTO
cc: freebsd-ipfw@freebsd.org
Subject: Re: HEAD ip_fw2 ipsec b0rked

Bjoern A. Zeeb wrote:

> Perhaps Luigi or you could review my patch and commit it so that both
> problems get fixed at once because fixing one will not help making the
> other work in ip_fw2.c.
>

Just if someone feels unsure about the patch: It looks ok at
least to me (if I can say anything after introducing the first bug...)

    Ari S.

Date: Sat, 08 Nov 2003 05:50:55 +0900
From: Hajimu UMEMOTO
To: "Bjoern A. Zeeb"
cc: Luigi Rizzo
cc: Hajimu UMEMOTO
cc: freebsd-ipfw@freebsd.org
Subject: Re: HEAD ip_fw2 ipsec b0rked

Hi,

>>>>> On Fri, 7 Nov 2003 12:26:12 +0000 (UTC)
>>>>> "Bjoern A. Zeeb" said:

bzeeb-lists> Either removing the f() entirely will make people notice it at compile
bzeeb-lists> time that s.th. is missing
bzeeb-lists> or running a find over the src tree will let you find these functions
bzeeb-lists> but giving a panic() isn't that nice ;-))

I've just committed to nuke obsoleted ipsec_gethist().  However, since
opt_ipsec.h is not included, IPsec code is not compiled in.  So, it
cannot detect this case. ;)

bzeeb-lists> Perhaps Luigi or you could review my patch and commit it so that both
bzeeb-lists> problems get fixed at once because fixing one will not help making the
bzeeb-lists> other work in ip_fw2.c.

Since I dunno if it is intentional or not that it doesn't activate
IPsec code, I didn't change to include opt_ipsec.h.  I believe best
person is Luigi.

Sincerely,

-- 
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/