From owner-freebsd-ipfw@FreeBSD.ORG Sun Apr 29 19:02:05 2007 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 931EF16A406; Sun, 29 Apr 2007 19:02:05 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 68F1E13C44B; Sun, 29 Apr 2007 19:02:05 +0000 (UTC) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l3TJ25v2045609; Sun, 29 Apr 2007 19:02:05 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l3TJ25PT045605; Sun, 29 Apr 2007 19:02:05 GMT (envelope-from linimon) Date: Sun, 29 Apr 2007 19:02:05 GMT 
From: Mark Linimon Message-Id: <200704291902.l3TJ25PT045605@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org Cc: Subject: Re: bin/112244: [ipfw] [patch] Incorrect output of rule with the MAC option X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Apr 2007 19:02:05 -0000 Synopsis: [ipfw] [patch] Incorrect output of rule with the MAC option Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw Responsible-Changed-By: linimon Responsible-Changed-When: Sun Apr 29 19:01:52 UTC 2007 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=112244 From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 30 10:03:30 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 97F6116A402 for ; Mon, 30 Apr 2007 10:03:30 +0000 (UTC) (envelope-from bzeeb+freebsd+lor@zabbadoz.net) Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.freebsd.org (Postfix) with ESMTP id 5AB3413C480 for ; Mon, 30 Apr 2007 10:03:30 +0000 (UTC) (envelope-from bzeeb+freebsd+lor@zabbadoz.net) Received: from transport.cksoft.de (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id 8DD221FFEAA; Mon, 30 Apr 2007 11:35:09 +0200 (CEST) Received: by transport.cksoft.de (Postfix, from userid 66) id 73EFF1FFE4B; Mon, 30 Apr 2007 11:35:05 +0200 (CEST) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id 70586444900; Mon, 30 Apr 2007 09:30:13 +0000 (UTC) Date: Mon, 30 Apr 2007 09:30:13 +0000 (UTC) 
From: "Bjoern A. Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: t_tolstoy@nuos.edu.ua In-Reply-To: <3333.192.168.30.153.1177528779.squirrel@192.168.1.2> Message-ID: <20070430092532.O36917@maildrop.int.zabbadoz.net> References: <3333.192.168.30.153.1177528779.squirrel@192.168.1.2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Virus-Scanned: by AMaViS cksoft-s20020300-20031204bz on transport.cksoft.de Cc: FreeBSD ipfw mailing list Subject: Re: LOR report -- FreeBSD 7.0-CURRENT-200701 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Apr 2007 10:03:30 -0000

On Wed, 25 Apr 2007, t_tolstoy@nuos.edu.ua wrote:

Hi,

Cc: freebsd-ipfw@ so people know about it. Already discussed uid/gid filtering in private.

> Here is a complete report about a LOR that seems to lead to the network card
> hang.
...
> Trying to mount root from ufs:/dev/ad0s1a
> lock order reversal:
>  1st 0xc0ad248c IPFW static rules (IPFW static rules) @ netinet/ip_fw2.c:2641
>  2nd 0xc0ad304c udp (udp) @ netinet/ip_fw2.c:2022
> KDB: stack backtrace:
> db_trace_self_wrapper(c09799e5) at db_trace_self_wrapper+0x25
> kdb_backtrace(0,ffffffff,c0a908b8,c0a92258,c0a28144,...) at kdb_backtrace+0x29
> witness_checkorder(c0ad304c,9,c0987714,7e6) at witness_checkorder+0x586
> _mtx_lock_flags(c0ad304c,0,c098770b,7e6) at _mtx_lock_flags+0x84
> check_uidgid(c1d8b06c,11,0,201a8c0,35,...) at check_uidgid+0xdf
> ipfw_chk(c7d3bb58,c1c54d00,0,0,0,...) at ipfw_chk+0xddb
> ipfw_check_in(0,c7d3bc5c,c1bf1c00,1,0) at ipfw_check_in+0xca
> pfil_run_hooks(c0ad2880,c7d3bcac,c1bf1c00,1,0) at pfil_run_hooks+0x7f
> ip_input(c1c54d00) at ip_input+0x241
> netisr_processqueue(c0ad00b8) at netisr_processqueue+0x6e
> swi_net(0) at swi_net+0x8c
> ithread_execute_handlers(c1ac8b40,c1adc980) at ithread_execute_handlers+0x11e
> ithread_loop(c1aa9940,c7d3bd38) at ithread_loop+0x67
> fork_exit(c06aa730,c1aa9940,c7d3bd38) at fork_exit+0xac
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xc7d3bd6c, ebp = 0 ---

I added this with LOR ID 206 to 'The LOR page'
http://sources.zabbadoz.net/freebsd/lor.html#206

Seems to be related to #016.

/bz

-- 
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 30 11:08:14 2007 Return-Path: X-Original-To: freebsd-ipfw@FreeBSD.org Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 625E416A41B for ; Mon, 30 Apr 2007 11:08:14 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 526EB13C44B for ; Mon, 30 Apr 2007 11:08:14 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l3UB8EkH006952 for ; Mon, 30 Apr 2007 11:08:14 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l3UB8C1v006948 for freebsd-ipfw@FreeBSD.org; Mon, 30 Apr 2007 11:08:12 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 30 Apr 2007 11:08:12 GMT Message-Id: <200704301108.l3UB8C1v006948@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: linimon set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster To: freebsd-ipfw@FreeBSD.org Cc: Subject: Current problem reports assigned to you X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Apr 2007 11:08:14 -0000

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
p conf/78762   ipfw       [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewal
o bin/80913    ipfw       [patch] /sbin/ipfw2 silently discards MAC addr arg wit
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet

14 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw       [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw       [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw       [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] Too few dummynet queue slots
o bin/112244   ipfw       [ipfw] [patch] Incorrect output of rule with the MAC o

23 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 30 17:40:25 2007 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 05D9816A404; Mon, 30 Apr 2007 17:40:25 +0000 (UTC) (envelope-from maxim@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id D38AC13C4BA; Mon, 30 Apr 2007 17:40:24 +0000 (UTC) (envelope-from maxim@FreeBSD.org) Received: from freefall.freebsd.org (maxim@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l3UHeORU035154; Mon, 30 Apr 2007 17:40:24 GMT (envelope-from maxim@freefall.freebsd.org) Received: (from maxim@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l3UHeODq035144; Mon, 30 Apr 2007 17:40:24 GMT (envelope-from maxim) Date: Mon, 30 Apr 2007 17:40:24 GMT 
From: Maxim Konovalov Message-Id: <200704301740.l3UHeODq035144@freefall.freebsd.org> To: bu7cher@yandex.ru, maxim@FreeBSD.org, freebsd-ipfw@FreeBSD.org Cc: Subject: Re: bin/112244: [ipfw] [patch] Incorrect output of rule with the MAC option X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Apr 2007 17:40:25 -0000 Synopsis: [ipfw] [patch] Incorrect output of rule with the MAC option State-Changed-From-To: open->patched State-Changed-By: maxim State-Changed-When: Mon Apr 30 17:39:55 UTC 2007 State-Changed-Why: Fixed in HEAD. Thanks for the patch! http://www.freebsd.org/cgi/query-pr.cgi?pr=112244 From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 30 17:44:23 2007 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 78BFC16A401; Mon, 30 Apr 2007 17:44:23 +0000 (UTC) (envelope-from maxim@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 4BE9113C4BD; Mon, 30 Apr 2007 17:44:23 +0000 (UTC) (envelope-from maxim@FreeBSD.org) Received: from freefall.freebsd.org (maxim@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l3UHiNtl035489; Mon, 30 Apr 2007 17:44:23 GMT (envelope-from maxim@freefall.freebsd.org) Received: (from maxim@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l3UHiNSA035485; Mon, 30 Apr 2007 17:44:23 GMT (envelope-from maxim) Date: Mon, 30 Apr 2007 17:44:23 GMT 
From: Maxim Konovalov Message-Id: <200704301744.l3UHiNSA035485@freefall.freebsd.org> To: maxim@FreeBSD.org, freebsd-ipfw@FreeBSD.org, maxim@FreeBSD.org Cc: Subject: Re: bin/112244: [ipfw] [patch] Incorrect output of rule with the MAC option X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Apr 2007 17:44:23 -0000 Synopsis: [ipfw] [patch] Incorrect output of rule with the MAC option Responsible-Changed-From-To: freebsd-ipfw->maxim Responsible-Changed-By: maxim Responsible-Changed-When: Mon Apr 30 17:43:43 UTC 2007 Responsible-Changed-Why: MFC reminder and feedbacks trap. http://www.freebsd.org/cgi/query-pr.cgi?pr=112244 From owner-freebsd-ipfw@FreeBSD.ORG Tue May 1 07:01:23 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4B9D516A406 for ; Tue, 1 May 2007 07:01:23 +0000 (UTC) (envelope-from vladone@spaingsm.com) Received: from thunder.lsstelecom.ro (thunder.lsstelecom.ro [194.117.236.32]) by mx1.freebsd.org (Postfix) with ESMTP id 8662413C484 for ; Tue, 1 May 2007 07:01:21 +0000 (UTC) (envelope-from vladone@spaingsm.com) Received: (qmail 20670 invoked by uid 1007); 1 May 2007 07:57:20 +0300 Received: from 6.112.158.88.radiocom.ro (HELO localhost) (vladone@spaingsm.com@88.158.112.6) by mail.lsstelecom.ro with SMTP; 1 May 2007 07:57:20 +0300 Date: Tue, 1 May 2007 10:02:04 +0300 
From: Fratiman Vladut X-Mailer: The Bat! (v3.80.03) Professional Organization: home X-Priority: 3 (Normal) Message-ID: <341379168.20070501100204@spaingsm.com> To: ipfw@freebsd.org In-Reply-To: <200704262206.44161.asstec@matik.com.br> References: <937e203f0704261554i701849d4j6ecf265490d8252b@mail.gmail.com> <200704262206.44161.asstec@matik.com.br> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: Subject: Re[2]: ipfw with nat - allowing by MAC address X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Fratiman Vladut List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 May 2007 07:01:23 -0000

Test this:

ipfw add 190 allow ip from any to any layer2 mac-type arp
$cmd add 192 skipto 201 MAC any xx:xx:xx:xx:xx:xx in via $pif layer2
.........................................................................................................................................
$cmd add 200 deny MAC any any in recv $pif layer2

This is part of an sh script where $pif is a variable that represents your private interface (e.g. pif="fxp0"), and cmd="/sbin/ipfw -q".

Rule 190 allows ARP broadcast traffic. Without this rule, traffic will be blocked after a few minutes.
Rules 192 to 199 (obviously you can use any numbers) contain the MACs that you want to allow.
Rule 200 blocks all the rest of the traffic, i.e. anything with a wrong MAC.

Be careful if you want to do traffic shaping, because with layer2 activated, packets are filtered twice, at the IP level and at the MAC level.

My sincere recommendation is to use PPPoE. It is easy to implement with mpd4 and it is secure.
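The ruleset described above, written out as an added example (this is not Fratiman's script, nor anything from the ipfw source): a small sh script that builds rules 190, 192-199 and 200 from a list of allowed MACs and rejects malformed addresses before they are handed to ipfw, the failure mode that PR bin/80913 elsewhere in this digest is about. $pif defaults to fxp0 as in the message; the IPFW and PIF environment variables are assumptions of this example. With IPFW unset the script only echoes the commands, so the generated ruleset can be reviewed on a machine without ipfw.

```shell
#!/bin/sh
# Added example, not the script from the original post: generate the MAC
# allow-list ruleset (rules 190, 192-199, 200) for one private interface.
# Assumptions of this example: PIF selects the interface (default fxp0, as in
# the post); IPFW, if set, is the real command (e.g. IPFW="/sbin/ipfw -q").
# With IPFW unset the commands are only echoed, so the output can be reviewed
# or diffed before anything is applied to a live firewall.
pif="${PIF:-fxp0}"
cmd="${IPFW:-echo ipfw}"

# Return 0 if $1 is a well-formed 48-bit MAC: six colon-separated hex pairs.
# Anything else (too short, stray characters, a trailing "/len" or "&mask")
# is rejected here rather than passed on to ipfw, whose old parser the PR
# describes as silently discarding such arguments.
valid_mac() {
    hx='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $hx:$hx:$hx:$hx:$hx:$hx) return 0 ;;
    esac
    return 1
}

# Emit the ruleset for the allowed MACs given as arguments, one command per
# line.  Rules 192-199 leave room for eight addresses; a ninth is reported as
# an error instead of being numbered past the deny at 200, where it would
# never be reached for inbound layer2 traffic.
mac_allow_rules() {
    n=192
    $cmd add 190 allow ip from any to any layer2 mac-type arp
    for mac in "$@"; do
        if ! valid_mac "$mac"; then
            echo "mac_allow_rules: skipping malformed MAC '$mac'" >&2
            continue
        fi
        if [ "$n" -gt 199 ]; then
            echo "mac_allow_rules: more than 8 MACs; rule range 192-199 exhausted" >&2
            return 1
        fi
        $cmd add "$n" skipto 201 MAC any "$mac" in via "$pif" layer2
        n=$((n + 1))
    done
    $cmd add 200 deny MAC any any in recv "$pif" layer2
}

# Usage: sh mac_allow.sh 00:11:22:33:44:55 00:11:22:33:44:66
if [ $# -gt 0 ]; then
    mac_allow_rules "$@"
fi
```

The validation is deliberately strict: the post's syntax accepts `addr/len` and `addr&mask` forms too, but an allow list built from fixed station addresses has no use for them, and refusing anything but a full six-octet address means a typo produces an error in the generator rather than a skipto rule that matches something other than the intended host.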
From owner-freebsd-ipfw@FreeBSD.ORG Thu May 3 04:40:11 2007 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5FB2B16A402 for ; Thu, 3 May 2007 04:40:11 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 4483413C44C for ; Thu, 3 May 2007 04:40:11 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l434eAZI069784 for ; Thu, 3 May 2007 04:40:10 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l434eAG1069782; Thu, 3 May 2007 04:40:10 GMT (envelope-from gnats) Date: Thu, 3 May 2007 04:40:10 GMT Message-Id: <200705030440.l434eAG1069782@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org From: "Andrey V. Elsukov" Cc: Subject: Re: bin/80913: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper characters X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "Andrey V. Elsukov" List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 May 2007 04:40:11 -0000 The following reply was made to PR bin/80913; it has been noted by GNATS. 
From: "Andrey V. Elsukov" To: bug-followup@FreeBSD.org, gfb@vta.com, Maxim Konovalov Cc: Subject: Re: bin/80913: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper characters Date: Thu, 03 May 2007 08:38:01 +0400 This is a multi-part message in MIME format. --------------080506050005050409040606 Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 7bit Hi, can you test the following patch? (for CURRENT or RELENG_6) -- WBR, Andrey V. Elsukov --------------080506050005050409040606 Content-Type: text/plain; name="ipfw2.c.diff.txt" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="ipfw2.c.diff.txt" --- src/sbin/ipfw/ipfw2.c Wed Apr 18 18:03:08 2007 +++ src/sbin/ipfw/ipfw2.c Wed May 2 20:05:20 2007 @@ -47,6 +47,7 @@ #include #include +#include #include #include #include 
@@ -4374,36 +4375,51 @@ } static void -get_mac_addr_mask(char *p, uint8_t *addr, uint8_t *mask) +get_mac_addr_mask(const char *p, uint8_t *addr, uint8_t *mask) { int i, l; + char *ap, *ptr, *optr; + struct ether_addr *mac; + const char *macset = "0123456789abcdefABCDEF:"; - for (i=0; i<6; i++) + if (strcmp(p, "any") == 0) { + for (i = 0; i < ETHER_ADDR_LEN; i++) addr[i] = mask[i] = 0; - if (strcmp(p, "any") == 0) return; + } - for (i=0; *p && i<6;i++, p++) { - addr[i] = strtol(p, &p, 16); - if (*p != ':') /* we start with the mask */ - break; - } - if (*p == '/') { /* mask len */ - l = strtol(p+1, &p, 0); - for (i=0; l>0; l -=8, i++) - mask[i] = (l >=8) ? 0xff : (~0) << (8-l); - } else if (*p == '&') { /* mask */ - for (i=0, p++; *p && i<6;i++, p++) { - mask[i] = strtol(p, &p, 16); - if (*p != ':') - break; + optr = ptr = strdup(p); + if ((ap = strsep(&ptr, "&/")) != NULL && *ap != 0) { + l = strlen(ap); + if (strspn(ap, macset) != l || (mac = ether_aton(ap)) == NULL) + errx(EX_DATAERR, "Incorrect MAC address"); + bcopy(mac, addr, ETHER_ADDR_LEN); + } else + errx(EX_DATAERR, "Incorrect MAC address"); + + if (ptr != NULL) { /* we have mask? */ + if (p[ptr - optr - 1] == '/') { /* mask len */ + l = strtol(ptr, &ap, 10); + if (*ap != 0 || l > ETHER_ADDR_LEN * 8 || l < 0) + errx(EX_DATAERR, "Incorrect mask length"); + for (i = 0; l > 0 && i < ETHER_ADDR_LEN; l -=8, i++) + mask[i] = (l >= 8) ? 
0xff: (~0) << (8 - l); + } else { /* mask */ + l = strlen(ptr); + if (strspn(ptr, macset) != l || + (mac = ether_aton(ptr)) == NULL) + errx(EX_DATAERR, "Incorrect mask"); + bcopy(mac, mask, ETHER_ADDR_LEN); } - } else if (*p == '\0') { - for (i=0; i<6; i++) + } else { /* default mask: ff:ff:ff:ff:ff:ff */ + for (i = 0; i < ETHER_ADDR_LEN; i++) mask[i] = 0xff; } - for (i=0; i<6; i++) + + for (i = 0; i < ETHER_ADDR_LEN; i++) addr[i] &= mask[i]; + + free(optr); } /* --------------080506050005050409040606-- From owner-freebsd-ipfw@FreeBSD.ORG Thu May 3 04:40:15 2007 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 1E8B516A4D2 for ; Thu, 3 May 2007 04:40:15 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id CC0A513C448 for ; Thu, 3 May 2007 04:40:14 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l434eEwK069829 for ; Thu, 3 May 2007 04:40:14 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l434eEL9069828; Thu, 3 May 2007 04:40:14 GMT (envelope-from gnats) Date: Thu, 3 May 2007 04:40:14 GMT Message-Id: <200705030440.l434eEL9069828@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org 
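Review bot: the `/len` branch of the get_mac_addr_mask hunk leaves mask bytes beyond the prefix uninitialized. The removed unconditional `for (i=0; i<6; i++) addr[i] = mask[i] = 0;` now runs only inside the `strcmp(p, "any") == 0` branch, so for an argument like `addr/24` the loop `for (i = 0; l > 0 && i < ETHER_ADDR_LEN; l -=8, i++)` writes mask[0..2] and mask[3..5] keep whatever the caller's buffer held, and `addr/0` (or a bare trailing `/`, which strtol turns into 0 with `*ap == 0`) writes no mask byte at all; the final `addr[i] &= mask[i]` then depends on that. Suggest zeroing mask before the length loop, e.g. `memset(mask, 0, ETHER_ADDR_LEN);`, so the function guarantees its output as the old code did. Two smaller points in the same hunk: `optr = ptr = strdup(p);` is used by strsep without a NULL check, and `(~0) << (8 - l)` left-shifts a negative int (inherited from the old code); `(0xff << (8 - l)) & 0xff` gives the same bytes without the undefined behaviour.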
From: "Andrey V. Elsukov" Cc: Subject: Re: bin/80913: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper characters X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "Andrey V. Elsukov" List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 May 2007 04:40:15 -0000 The following reply was made to PR bin/80913; it has been noted by GNATS. From: "Andrey V. Elsukov" To: bug-followup@FreeBSD.org, gfb@vta.com, Maxim Konovalov Cc: Subject: Re: bin/80913: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper characters Date: Thu, 03 May 2007 08:36:27 +0400 This is a multi-part message in MIME format. --------------030401010501060202090501 Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 7bit Hi, can you test the following patch? -- WBR, Andrey V. Elsukov --------------030401010501060202090501 Content-Type: text/plain; name="ipfw2.c.diff.txt" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="ipfw2.c.diff.txt" --- src/sbin/ipfw/ipfw2.c Wed Apr 18 18:03:08 2007 +++ src/sbin/ipfw/ipfw2.c Wed May 2 20:05:20 2007 @@ -47,6 +47,7 @@ #include #include +#include #include #include #include 
@@ -4374,36 +4375,51 @@ } static void -get_mac_addr_mask(char *p, uint8_t *addr, uint8_t *mask) +get_mac_addr_mask(const char *p, uint8_t *addr, uint8_t *mask) { int i, l; + char *ap, *ptr, *optr; + struct ether_addr *mac; + const char *macset = "0123456789abcdefABCDEF:"; - for (i=0; i<6; i++) + if (strcmp(p, "any") == 0) { + for (i = 0; i < ETHER_ADDR_LEN; i++) addr[i] = mask[i] = 0; - if (strcmp(p, "any") == 0) return; + } - for (i=0; *p && i<6;i++, p++) { - addr[i] = strtol(p, &p, 16); - if (*p != ':') /* we start with the mask */ - break; - } - if (*p == '/') { /* mask len */ - l = strtol(p+1, &p, 0); - for (i=0; l>0; l -=8, i++) - mask[i] = (l >=8) ? 0xff : (~0) << (8-l); - } else if (*p == '&') { /* mask */ - for (i=0, p++; *p && i<6;i++, p++) { - mask[i] = strtol(p, &p, 16); - if (*p != ':') - break; + optr = ptr = strdup(p); + if ((ap = strsep(&ptr, "&/")) != NULL && *ap != 0) { + l = strlen(ap); + if (strspn(ap, macset) != l || (mac = ether_aton(ap)) == NULL) + errx(EX_DATAERR, "Incorrect MAC address"); + bcopy(mac, addr, ETHER_ADDR_LEN); + } else + errx(EX_DATAERR, "Incorrect MAC address"); + + if (ptr != NULL) { /* we have mask? */ + if (p[ptr - optr - 1] == '/') { /* mask len */ + l = strtol(ptr, &ap, 10); + if (*ap != 0 || l > ETHER_ADDR_LEN * 8 || l < 0) + errx(EX_DATAERR, "Incorrect mask length"); + for (i = 0; l > 0 && i < ETHER_ADDR_LEN; l -=8, i++) + mask[i] = (l >= 8) ? 
0xff: (~0) << (8 - l); + } else { /* mask */ + l = strlen(ptr); + if (strspn(ptr, macset) != l || + (mac = ether_aton(ptr)) == NULL) + errx(EX_DATAERR, "Incorrect mask"); + bcopy(mac, mask, ETHER_ADDR_LEN); } - } else if (*p == '\0') { - for (i=0; i<6; i++) + } else { /* default mask: ff:ff:ff:ff:ff:ff */ + for (i = 0; i < ETHER_ADDR_LEN; i++) mask[i] = 0xff; } - for (i=0; i<6; i++) + + for (i = 0; i < ETHER_ADDR_LEN; i++) addr[i] &= mask[i]; + + free(optr); } /* --------------030401010501060202090501-- From owner-freebsd-ipfw@FreeBSD.ORG Thu May 3 12:11:51 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8D01716A401 for ; Thu, 3 May 2007 12:11:51 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from talk.nabble.com (www.nabble.com [72.21.53.35]) by mx1.freebsd.org (Postfix) with ESMTP id 74C1713C43E for ; Thu, 3 May 2007 12:11:51 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from [72.21.53.38] (helo=jubjub.nabble.com) by talk.nabble.com with esmtp (Exim 4.50) id 1HjaA3-0000fP-6Q for freebsd-ipfw@freebsd.org; Thu, 03 May 2007 05:11:51 -0700 Message-ID: <10303574.post@talk.nabble.com> Date: Thu, 3 May 2007 05:11:51 -0700 (PDT) 
From: Nicolargo To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-From: hennion@alcasat.net Subject: IPFW + Bridge + Routing X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 May 2007 12:11:51 -0000

Hi all,

here is my configuration:

        PC3
         |
         |
        FW
        / \
       /   \
     PC1   PC2

FW: FreeBSD 6.2
Interface PC1 and PC2: bridged (172.18.0.254)
Interface PC3: Routed (172.16.1.2)
PC1: 172.18.0.1
PC2: 172.18.0.2
PC3: 172.16.1.1

Ipfw:
ipfw add 1 allow ip from any to any MAC any any
ipfw add 2 allow ip from any to any

Bridge:
net.link.ether.bridge_cfg:
net.link.ether.bridge_ipfw: 0
net.link.ether.bridge_ipf: 0
net.link.ether.bridge.config:
net.link.ether.bridge.enable: 1
net.link.ether.bridge.predict: 1250
net.link.ether.bridge.dropped: 0
net.link.ether.bridge.packets: 1294
net.link.ether.bridge.ipfw_collisions: 0
net.link.ether.bridge.ipfw_drop: 0
net.link.ether.bridge.copy: 0
net.link.ether.bridge.ipfw: 0
net.link.ether.bridge.ipf: 0
net.link.ether.bridge.debug: 0
net.link.ether.bridge.version: 031224
net.link.bridge.ipfw: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 1

rc.conf:
cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0 addm em0 up"
ifconfig_bge0="inet 172.18.0.254 netmask 255.255.255.0"
ifconfig_em0="up"
ifconfig_em2="inet 172.16.1.2 netmask 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

The problem is the following:
PING PC1 -> PC2: OK
PING PC2 -> PC1: OK
PING FW -> ANY: OK
PING PC1 -> PC3: NOK
PING PC2 -> PC3: NOK
PING PC3 -> ANY: NOK

During a PING between PC1 and PC3, a tcpdump on the em2 interface shows:
14:10:43.564010 IP 172.18.0.1 > 172.16.1.1: ICMP echo request, id 34831, seq 7993, length 64
14:10:43.564687 IP 172.16.1.1 > 172.18.0.1: ICMP echo reply, id 34831, seq 7993, length 64

but the reply packet is lost in the firewall and never redirected to the bridge0 interface...
Any idea?

Nicolas
-- 
View this message in context: http://www.nabble.com/IPFW-%2B-Bridge-%2B-Routing-tf3686063.html#a10303574
Sent from the freebsd-ipfw mailing list archive at Nabble.com.

From owner-freebsd-ipfw@FreeBSD.ORG Thu May 3 14:40:07 2007 Return-Path: X-Original-To: freebsd-ipfw@hub.freebsd.org Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 31E8C16A400 for ; Thu, 3 May 2007 14:40:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 21EB713C46C for ; Thu, 3 May 2007 14:40:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l43Ee6Ix012370 for ; Thu, 3 May 2007 14:40:06 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l43Ee6TA012369; Thu, 3 May 2007 14:40:06 GMT (envelope-from gnats) Date: Thu, 3 May 2007 14:40:06 GMT Message-Id: <200705031440.l43Ee6TA012369@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org From: "Guy F. Boyd" Cc: Subject: RE: bin/80913: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper characters X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: "Guy F. Boyd" List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 May 2007 14:40:07 -0000 The following reply was made to PR bin/80913; it has been noted by GNATS.
From: "Guy F. Boyd" To: "'Andrey V. Elsukov'" , , "'Maxim Konovalov'" Cc: Subject: RE: bin/80913: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper characters Date: Thu, 3 May 2007 10:25:18 -0400 Sure, thanks. May take a few days, ${real_job} and ${dead_car} are conspiring to make ${time} <=0 right now. Guy Boyd > -----Original Message----- > From: Andrey V. Elsukov [mailto:bu7cher@yandex.ru] > Sent: Thursday, May 03, 2007 12:38 AM > To: bug-followup@FreeBSD.org; gfb@vta.com; Maxim Konovalov > Subject: Re: bin/80913: [patch] /sbin/ipfw2 silently discards > MAC addr arg with improper characters > > > Hi, can you test the following patch? (for CURRENT or RELENG_6) > > -- > WBR, Andrey V. Elsukov > From owner-freebsd-ipfw@FreeBSD.ORG Fri May 4 13:51:27 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 19E0816A401 for ; Fri, 4 May 2007 13:51:27 +0000 (UTC) (envelope-from elxanzade@mail.ru) Received: from mx4.mail.ru (fallback.mail.ru [194.67.57.14]) by mx1.freebsd.org (Postfix) with ESMTP id 64E6413C4B8 for ; Fri, 4 May 2007 13:51:23 +0000 (UTC) (envelope-from elxanzade@mail.ru) Received: from mx5.mail.ru (mx5.mail.ru [194.67.23.25]) by mx4.mail.ru (mPOP.Fallback_MX) with ESMTP id 39B39365784 for ; Fri, 4 May 2007 16:16:00 +0400 (MSD) Received: from [62.217.135.82] (port=56270 helo=debian.local) by mx5.mail.ru with asmtp id 1HjwhX-000KoJ-00; Fri, 04 May 2007 16:15:55 +0400 
From: Sarkhan Elkhanzade To: Nicolargo In-Reply-To: <10303574.post@talk.nabble.com> References: <10303574.post@talk.nabble.com> Content-Type: text/plain Organization: Azercell JV Date: Fri, 04 May 2007 17:16:13 +0500 Message-Id: <1178280974.4148.2.camel@debian.azercell.com> Mime-Version: 1.0 X-Mailer: Evolution 2.6.3 Content-Transfer-Encoding: 7bit Cc: freebsd-ipfw@freebsd.org Subject: Re: IPFW + Bridge + Routing X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: sarxan@elxanzade.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 May 2007 13:51:27 -0000

On Thu, 2007-05-03 at 05:11 -0700, Nicolargo wrote:
> Hi all,
>
> here is my configuration:
>
>       PC3
>        |
>        |
>       FW
>      /  \
>     /    \
>   PC1    PC2
>
> FW: FreeBSD 6.2
> Interface PC1 and PC2: bridged (172.18.0.254)
> Interface PC3: Routed (172.16.1.2)
> PC1: 172.18.0.1
> PC2: 172.18.0.2
> PC3: 172.16.1.1
>
> Ipfw:
> ipfw add 1 allow ip from any to any MAC any any
> ipfw add 2 allow ip from any to any
>
> Bridge:
> net.link.ether.bridge_cfg:
> net.link.ether.bridge_ipfw: 0
> net.link.ether.bridge_ipf: 0
> net.link.ether.bridge.config:
> net.link.ether.bridge.enable: 1
> net.link.ether.bridge.predict: 1250
> net.link.ether.bridge.dropped: 0
> net.link.ether.bridge.packets: 1294
> net.link.ether.bridge.ipfw_collisions: 0
> net.link.ether.bridge.ipfw_drop: 0
> net.link.ether.bridge.copy: 0
> net.link.ether.bridge.ipfw: 0
> net.link.ether.bridge.ipf: 0
> net.link.ether.bridge.debug: 0
> net.link.ether.bridge.version: 031224
> net.link.bridge.ipfw: 1
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 1
> net.link.bridge.ipfw_arp: 0
> net.link.bridge.pfil_onlyip: 1
>
> rc.conf:
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm bge0 addm em0 up"
> ifconfig_bge0="inet 172.18.0.254 netmask 255.255.255.0"
> ifconfig_em0="up"
> ifconfig_em2="inet 172.16.1.2 netmask 255.255.255.0"
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
>
> The problem is the following:
> PING PC1 -> PC2: OK
> PING PC2 -> PC1: OK
> PING FW -> ANY: OK
> PING PC1 -> PC3: NOK
> PING PC2 -> PC3: NOK
> PING PC3 -> ANY: NOK
>
> During a PING between PC1 and PC3, a tcpdump on the em2 interface shows:
> 14:10:43.564010 IP 172.18.0.1 > 172.16.1.1: ICMP echo request, id 34831, seq 7993, length 64
> 14:10:43.564687 IP 172.16.1.1 > 172.18.0.1: ICMP echo reply, id 34831, seq 7993, length 64
>
> but the reply packet is lost in the firewall and never redirected to the bridge0 interface...
> Any idea?
>
> Nicolas

Post here "# route print" on FW, PC3, PC1.

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 5 01:39:52 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 65F6016A400 for ; Sat, 5 May 2007 01:39:52 +0000 (UTC) (envelope-from jazzhills@gmail.com) Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.249]) by mx1.freebsd.org (Postfix) with ESMTP id 26FA913C457 for ; Sat, 5 May 2007 01:39:52 +0000 (UTC) (envelope-from jazzhills@gmail.com) Received: by an-out-0708.google.com with SMTP id c24so1055624ana for ; Fri, 04 May 2007 18:39:51 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=fkSv2GiUvpke89GvP2jR5PAEajAce/mRwBpHO7tQQP88j4NiPvjKy3DDmB8W4jbxWOBYs1nc7Z1sXADw6l87xCmtU0RyUm84nIlpJUkdDnPKcbsLiRH1b4xvs79sBuStCANv1dacB1acmX/Ugv5PWE5EvtzFbFTUW7T+hRYHnwM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition;
b=mRYXyyptGbyussxml3a8hx6hdikadkvP+YYrW2m0OxQkQnRmi+1VLY54JLq08wZrbfFPidKvjdrPb6MBiHMtPe4AI5qWzAyJHUpOK3mlr3Gpx/Wnx8hTzpLzwA+4JoaLiX7Z1WoKY9e9ZTX+YisP/HhZ4nS1kVEvsSTEWrSqSEE= Received: by 10.100.178.7 with SMTP id a7mr3212844anf.1178327545287; Fri, 04 May 2007 18:12:25 -0700 (PDT) Received: by 10.100.94.8 with HTTP; Fri, 4 May 2007 18:12:25 -0700 (PDT) Message-ID: <33910a2c0705041812s2aaf0b62t785e16abc0decee6@mail.gmail.com> Date: Fri, 4 May 2007 22:12:25 -0300 
From: "Jason Hills" To: ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Cc: Subject: Policy Routing natd+ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 May 2007 01:39:52 -0000

Hello.

How can I do policy routing with ipfw+natd?

I started 2 natd processes, using natd.conf and natd2.conf respectively, but things don't work. My rules are:

ext_ifi1="em0"
ext_ifi2="em1"

divert 8668 ip from $net1 to any out via $ext_if1
divert 8669 ip from $net2 to any out via $ext_if2
divert 8668 ip from any to any via $ext_if1
divert 8669 ip from any to any via $ext_if2

My defaultrouter is the one on $ext_if1.

It works for port 8668 but doesn't work for 8669 (the second xDSL link).

--
Jazzie Hills

From owner-freebsd-ipfw@FreeBSD.ORG Sat May 5 04:13:31 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 7507716A401 for ; Sat, 5 May 2007 04:13:31 +0000 (UTC) (envelope-from eksffa@freebsdbrasil.com.br) Received: from capeta.freebsdbrasil.com.br (vrrp.freebsdbrasil.com.br [200.210.70.30]) by mx1.freebsd.org (Postfix) with SMTP id AFECD13C447 for ; Sat, 5 May 2007 04:13:29 +0000 (UTC) (envelope-from eksffa@freebsdbrasil.com.br) Received: (qmail 87140 invoked by uid 0); 5 May 2007 01:23:08 -0300 Received: from eksffa@freebsdbrasil.com.br by capeta.freebsdbrasil.com.br by uid 82 with qmail-scanner-1.22 (spamassassin: 2.64. Clear:RC:1(127.0.0.1):.
Processed in 0.761905 secs); 05 May 2007 04:23:08 -0000 Received: from unknown (HELO webmail.freebsdbrasil.com.br) (127.0.0.1) by capeta.freebsdbrasil.com.br with SMTP; 5 May 2007 01:23:07 -0300 X-Squirrel-UserHash: AxkWAwQS X-Squirrel-FromHash: BUtUVAZEUwM= Message-ID: <56951.BUtUVAZEUwM=.1178338987.squirrel@webmail.freebsdbrasil.com.br> In-Reply-To: <33910a2c0705041812s2aaf0b62t785e16abc0decee6@mail.gmail.com> References: <33910a2c0705041812s2aaf0b62t785e16abc0decee6@mail.gmail.com> Date: Sat, 5 May 2007 01:23:07 -0300 (BRT) 
From: "Patrick Tracanelli" To: "Jason Hills" User-Agent: SquirrelMail/1.4.8 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Cc: ipfw@freebsd.org Subject: Re: Policy Routing natd+ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 May 2007 04:13:31 -0000

> How can I do policy routing with ipfw+natd?
>
> I started 2 natd processes, using natd.conf and natd2.conf
> respectively, but things dont work. My rules are:

Long time ago, PHK added an (undocumented, except for commit logs) feature in natd(8), called "instances". To use it, you can start a config file with the "instance" keyword followed by an identifier, and at a certain point use the "instance" keyword again, with a second identifier. Each block will create a different natd instance which can be used with an independent configuration. However, they are run by the same process.

Here is a (production) example:

###########################
instance default
interface vr0
dynamic yes
use_sockets yes
same_ports yes
unregistered_only yes
port 8668
log yes
log_denied yes
log_ipfw_denied yes
#punch_fw 10:39
log_facility security
redirect_port tcp 10.69.69.69:2234-2240 2234-2240
redirect_port tcp 10.69.69.39:80 3980
redirect_port tcp 10.69.69.39:6969 3969
redirect_port tcp 10.69.69.13:4662 4662
redirect_port udp 10.69.69.13:4672 4672
###############################
instance interna2
interface xl0
dynamic yes
use_sockets no
same_ports no
unregistered_only yes
port 8669
log yes
log_denied yes
log_ipfw_denied yes
#punch_fw 10:39
reverse yes

> ext_ifi1="em0"
> ext_ifi2="em1"
>
> divert 8668 ip from $net1 to any out via $ext_if1
> divert 8669 ip from $net2 to any out via $ext_if2

Wrong concepts here. Since you mentioned the default gateway is on ext_ifi1, packets will never reach ext_if2, so how can they be diverted?

According to Cisco's literature:

"Policy-based routing provides a tool for forwarding and routing data packets based on policies defined by network administrators. In effect, it is a way to have the policy override routing protocol decisions. Policy-based routing includes a mechanism for selectively applying policies based on access list, packet size or other criteria."

So, the above excerpt explains what you should do to DO policy routing: override routing protocol decisions. To do so in your environment, divert packets to the second link when they reach the main outgoing interface (the traditional path the packet would flow, according to the routing table):

divert 8669 ip from $net2 to any out via $ext_if1

Yes, this WILL work. Packets will be diverted to the second natd instance when they reach the main outgoing interface (as main, I want you to read: the one used by the default route).

So, here you are forgetting another mandatory flow control: you have to send packets from your second-link IP address to your second-link gateway. IPFW's "fwd" action will do this like a charm =)

> divert 8668 ip from any to any via $ext_if1
> divert 8669 ip from any to any via $ext_if2
>
> My defaultrouter is the one on $ext_if1.
> > It works for port 8668 but doesnt work for 8669 (the second xDSL link) > > -- > Jazzie Hills -- Patrick Tracanelli (31) 3281 9633 sip://313306@sip.freebsdbrasil.com.br From owner-freebsd-ipfw@FreeBSD.ORG Sat May 5 19:08:38 2007 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4B9FA16A401 for ; Sat, 5 May 2007 19:08:38 +0000 (UTC) (envelope-from jimsiff@yahoo.com) Received: from web55403.mail.re4.yahoo.com (web55403.mail.re4.yahoo.com [206.190.58.197]) by mx1.freebsd.org (Postfix) with SMTP id EFBB413C44C for ; Sat, 5 May 2007 19:08:37 +0000 (UTC) (envelope-from jimsiff@yahoo.com) Received: (qmail 2977 invoked by uid 60001); 5 May 2007 18:41:57 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type:Message-ID; b=sz7J7ognCp8wcE2SGl371GLvqx0UefrSkqa6H/rLiS3lN1cWpBvje+CZQKH+6pbmeCVDGtlA0Tdueslylp+nC6hv/8L4Mst0GD/Oq2lWJK+o0Er7k/vSqDMvxc3CNAI+EDdwap49kTwU1RRQvoBYKE00gV52bATQlfIELQisigk=; X-YMail-OSG: a6eAt2cVM1k81T63RU2ao_KgJyEbZBUqKY0rKqijLV.O0q55Z4Ddz2Un89A9OKR2mcblRk4nRdA.eMRzHyGJNk6izlp20GFmC5igJrtRF8jXWr1X7GMj5tC6z_DceA-- Received: from [71.59.219.253] by web55403.mail.re4.yahoo.com via HTTP; Sat, 05 May 2007 11:41:57 PDT X-Mailer: YahooMailRC/478 YahooMailWebService/0.7.41.10 Date: Sat, 5 May 2007 11:41:57 -0700 (PDT) 
From: Jim Sifferle To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Message-ID: <339646.2974.qm@web55403.mail.re4.yahoo.com> Content-Type: text/plain; charset=ascii X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Problem applying TOS/DSCP patch in 6.2 RELEASE X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 May 2007 19:08:38 -0000

All,

I'm having problems compiling ipfw on 6.2-RELEASE after patching with the TOS / DSCP patch referenced here http://www.freebsd.org/cgi/query-pr.cgi?pr=102471. The patch seems to apply okay with the following output:

[root@demon /]# patch -p0 < ipfw_tos_dscp_20060824_1.diff
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -ru src/sbin/ipfw/ipfw.8 /usr/src/sbin/ipfw/ipfw.8
|--- src/sbin/ipfw/ipfw.8	Sat Jul 29 12:24:12 2006
|+++ /usr/src/sbin/ipfw/ipfw.8	Thu Aug 24 10:42:19 2006
--------------------------
Patching file /usr/src/sbin/ipfw/ipfw.8 using Plan A...
Hunk #1 succeeded at 817 (offset -6 lines).
Hunk #2 succeeded at 1275 (offset -6 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -ru src/sbin/ipfw/ipfw2.c /usr/src/sbin/ipfw/ipfw2.c
|--- src/sbin/ipfw/ipfw2.c	Mon Aug 7 23:32:57 2006
|+++ /usr/src/sbin/ipfw/ipfw2.c	Thu Aug 24 10:14:10 2006
--------------------------
Patching file /usr/src/sbin/ipfw/ipfw2.c using Plan A...
Hunk #1 succeeded at 133.
Hunk #2 succeeded at 301.
Hunk #3 succeeded at 337.
Hunk #4 succeeded at 404.
Hunk #5 succeeded at 443.
Hunk #6 succeeded at 1583.
Hunk #7 succeeded at 1894.
Hunk #8 succeeded at 2674.
Hunk #9 succeeded at 2685.
Hunk #10 succeeded at 4008 (offset 5 lines).
Hunk #11 succeeded at 4506 (offset 5 lines).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -ru src/sys/netinet/ip_fw.h /usr/src/sys/netinet/ip_fw.h
|--- src/sys/netinet/ip_fw.h	Sat Jul 29 12:24:12 2006
|+++ /usr/src/sys/netinet/ip_fw.h	Wed Aug 23 17:22:43 2006
--------------------------
Patching file /usr/src/sys/netinet/ip_fw.h using Plan A...
Hunk #1 succeeded at 160.
Hunk #2 succeeded at 567.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|diff -ru src/sys/netinet/ip_fw2.c /usr/src/sys/netinet/ip_fw2.c
|--- src/sys/netinet/ip_fw2.c	Sat Jul 29 12:24:12 2006
|+++ /usr/src/sys/netinet/ip_fw2.c	Thu Aug 24 10:43:17 2006
--------------------------
Patching file /usr/src/sys/netinet/ip_fw2.c using Plan A...
Hunk #1 succeeded at 149 (offset 4 lines).
Hunk #2 succeeded at 2470 (offset 28 lines).
Hunk #3 succeeded at 2754 (offset 4 lines).
Hunk #4 succeeded at 3104 (offset 31 lines).
Hunk #5 succeeded at 3702 (offset 4 lines).
Hunk #6 succeeded at 3750 (offset 31 lines).
Hmm...  Ignoring the trailing garbage.
done

When I run make from /usr/src/sbin/ipfw, I get the following output:

[root@demon /usr/src/sbin/ipfw]# make
Warning: Object directory not changed from original /usr/src/sbin/ipfw
cc -O2 -fno-strict-aliasing -pipe  -c ipfw2.c
ipfw2.c: In function `show_ipfw':
ipfw2.c:1586: error: `O_SET_IPTOS' undeclared (first use in this function)
ipfw2.c:1586: error: (Each undeclared identifier is reported only once
ipfw2.c:1586: error: for each function it appears in.)
ipfw2.c:1589: error: `O_SET_DSCP' undeclared (first use in this function)
ipfw2.c:1897: error: `O_IPDSCP' undeclared (first use in this function)
ipfw2.c: In function `add':
ipfw2.c:4014: error: `O_SET_IPTOS' undeclared (first use in this function)
ipfw2.c:4020: error: `O_SET_DSCP' undeclared (first use in this function)
ipfw2.c:4514: error: `O_IPDSCP' undeclared (first use in this function)
*** Error code 1

Stop in /usr/src/sbin/ipfw.
Am I missing some intermediate steps? Thanks for any help... Jim ____________________________________________________________________________________ TV dinner still cooling? Check out "Tonight's Picks" on Yahoo! TV. http://tv.yahoo.com/ From owner-freebsd-ipfw@FreeBSD.ORG Sat May 5 21:23:40 2007 Return-Path: X-Original-To: ipfw@freebsd.org Delivered-To: freebsd-ipfw@FreeBSD.ORG Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 502EC16A402 for ; Sat, 5 May 2007 21:23:40 +0000 (UTC) (envelope-from jazzhills@gmail.com) Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.251]) by mx1.freebsd.org (Postfix) with ESMTP id 0E7F713C469 for ; Sat, 5 May 2007 21:23:39 +0000 (UTC) (envelope-from jazzhills@gmail.com) Received: by an-out-0708.google.com with SMTP id d23so31329and for ; Sat, 05 May 2007 14:23:39 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=kxaIRWuQhb9DnGM5QTXW5ZFA3p50w+m80nTdClkUfzt6CLltoZ0S01jgABzX1KdOpKHczgPVLpbKuRehgrRzvtmJsSsTn3RKTv4m6Z1DMO03ZelrmtxahS6kSkaY1wM2nt9+3fMXz18weXgpmMENJC7eW7E6q98tszvJEisGUxY= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=mgryAV8lidjgQ+AXq6GSVEQGmec7Nj2a0gVIJR+yhnRM7ve63mOqDz3u1OnDd28WizPQwbbk+oA4vkXNgLD7IvgLkA6LNpAUe0f9dCgG9QqHRc1/NUIsyOxI9lGdn+3fWT2Udfh/cNeLk/IEyJkT4LLnNjVfUDXGTpJyEBi9Y0w= Received: by 10.100.165.9 with SMTP id n9mr3728632ane.1178400219146; Sat, 05 May 2007 14:23:39 -0700 (PDT) Received: by 10.100.94.8 with HTTP; Sat, 5 May 2007 14:23:39 -0700 (PDT) Message-ID: <33910a2c0705051423j53ad82aem5dc779ecba438d6b@mail.gmail.com> Date: Sat, 5 May 2007 18:23:39 -0300 
From: "Jason Hills" To: "Patrick Tracanelli" In-Reply-To: <56951.BUtUVAZEUwM=.1178338987.squirrel@webmail.freebsdbrasil.com.br> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <33910a2c0705041812s2aaf0b62t785e16abc0decee6@mail.gmail.com> <56951.BUtUVAZEUwM=.1178338987.squirrel@webmail.freebsdbrasil.com.br> Cc: ipfw@freebsd.org Subject: Re: Policy Routing natd+ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 May 2007 21:23:40 -0000

On 5/5/07, Patrick Tracanelli wrote:
> > How can I do policy routing with ipfw+natd?
> >
> > I started 2 natd processes, using natd.conf and natd2.conf
> > respectively, but things dont work. My rules are:
>
> Long time ago, PHK added an (undocumented, except for commit logs) feature
> in natd(8), called "instances". To use it, you can start a config file
> with the "instance" keyword followed with an identifier, and in a certain
> moment use the "instance" keyword again, with a second identifier. Each
> block will create different natd instances which can be used with
> independent configurations. However they are run by the same process.
>
> Here is a (production) example:

Very good, it worked fine. I am happy I can stop running 2 natds. It was ugly.

> To do so in your environment, divert packets to the second link when they
> reach the main outgoing interface (traditional path the packet would
> flow, according to routing table):
>
> divert 8669 ip from $net2 to any out via $ext_if1
>
> Yes, this WILL work. Packets will be diverted to second natd instance when
> it reaches the main outgoing interface (as main, I want you to read: the
> one used by default route).

It sounds like it worked. Packets hit the rule correctly, but I don't get to the Internet.

> So, here you are forgetting another mandatory flow control: you have to
> send packets from your second-link IP address to your second-link gateway.
> IPFW's "fwd" action will do this like a charm =)

I believe this is why I don't get to the Internet.

I didn't understand this ipfw fwd thing you mentioned. Could you give some example?

> > divert 8668 ip from any to any via $ext_if1
> > divert 8669 ip from any to any via $ext_if2
> >
> > My defaultrouter is the one on $ext_if1.
> >
> > It works for port 8668 but doesnt work for 8669 (the second xDSL link)
> >
> > --
> > Jazzie Hills
>
> --
> Patrick Tracanelli
> (31) 3281 9633
> sip://313306@sip.freebsdbrasil.com.br

--
Jazzie Hills
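The archive ends before anyone posts the fwd example Jason asks for, so here is one, added here and not code from the thread or from anyone in it. It puts Patrick's three pieces together in one script: a natd.conf with two instances (one per divert port) run by a single natd, the divert of net2's traffic at the interface the routing table actually picks, and the fwd to the second link's gateway right after it; it also adds the inbound divert on the second link that the thread never shows. The interface names, the documentation-range addresses, the instance name uplink2 and the rule numbers are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw divert + fwd policy routing over
# two uplinks with ONE natd process running two instances.  Interface names,
# addresses (documentation ranges), the instance name and the rule numbers
# are assumptions made for illustration.

ext_if1="em0";  gw1="203.0.113.1"                       # default route points here
ext_if2="em1";  ext_ip2="198.51.100.10"; gw2="198.51.100.1"   # second xDSL link
net1="192.168.1.0/24"   # LAN that leaves through the first link (catch-all rule)
net2="192.168.2.0/24"   # LAN that must leave through the second link

# natd.conf: two instances in one process.  The first block is the built-in
# "default" instance; "instance <name>" starts a second one.  Each instance
# aliases to its own interface address and listens on its own divert port,
# so the port an ipfw rule diverts to selects which instance translates.
natd_conf() {
	cat <<EOF
# instance 1: primary link, divert port 8668
instance default
interface $ext_if1
port 8668
dynamic yes
use_sockets yes
same_ports yes
unregistered_only yes
# instance 2: second link, divert port 8669
instance uplink2
interface $ext_if2
port 8669
dynamic yes
use_sockets yes
same_ports yes
unregistered_only yes
EOF
}

# Rules in the one-command-per-line form that "ipfw <file>" accepts.
# 1000: net2's packets are diverted where the routing table sends them
#       (out via ext_if1); instance 2 rewrites the source to ext_ip2 and
#       ipfw resumes at the next rule with the translated packet.
# 1010: the packet is now sourced from ext_ip2; override the routing
#       decision and hand it to the second link's gateway instead of gw1.
# 1020: replies arriving on the second link are un-NATed by instance 2.
# 1030: everything else crossing the primary link uses instance 1.
ipfw_rules() {
	cat <<EOF
add 1000 divert 8669 ip from $net2 to any out via $ext_if1
add 1010 fwd $gw2 ip from $ext_ip2 to any out via $ext_if1
add 1020 divert 8669 ip from any to $ext_ip2 in via $ext_if2
add 1030 divert 8668 ip from any to any via $ext_if1
add 65000 allow ip from any to any
EOF
}

# Install on the firewall (as root).  Needs gateway_enable="YES" and a kernel
# with IPFIREWALL, IPDIVERT and IPFIREWALL_FORWARD; start natd afterwards
# with "natd -f /etc/natd.conf".
load_rules() {
	natd_conf > /etc/natd.conf
	ipfw -f -q flush
	ipfw_rules | while read -r rule; do ipfw -q $rule; done
}
```

Order is the whole point. When natd hands a packet back, ipfw resumes at the rule after the divert, so the fwd must immediately follow it and match the translated source, not the LAN address. A packet that has been fwd'ed skips the rest of the firewall on its new way out, so NAT has to happen before fwd, never after. fwd does nothing without IPFIREWALL_FORWARD in the kernel; and because the translated packet carries the firewall's own address as its source, a 6.x kernel built without IPFIREWALL_FORWARD_EXTENDED may quietly drop the fwd and let the packet leave by the default route, which matches "packets hit the rule but nothing reaches the Internet", so check that option too before looking elsewhere.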