From: Andre Oppermann
Date: Mon, 06 Sep 2004 01:09:57 +0200
To: Brooks Davis
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw2 for IPV6
Message-ID: <413B9CC5.21E7B776@freebsd.org>
References: <20040903215137.GA26762@odin.ac.hmc.edu>

Brooks Davis wrote:
>
> I'm working on updating the IPFW2 for IPv6 patch Luigi posted back in
> April. I've got it partially working with pfil, but I've run into some
> issues with linklocal addresses and dummynet6. Inbound rules work fine,
> but output rules do not because the route struct is not carried into
> the pfil hook and thus the output interface is lost.

You are supposed to give the output interface as an argument to
pfil_run_hooks(). Doesn't that suffice?

> I'm looking for comments on the best way to solve this problem. I don't
> know IPv6 all that well, so I'm not sure what to propose.

Neither do I, but I noticed that in IPv6 there are three places where pfils
are connected. That doesn't make sense to me. I guess the best thing is to
involve into this. He's cutting his teeth on the IPv6 code and this is
probably something he can give some insights on.

> The work is being done in perforce at:
>
> //depot/user/brooks/dummynet6
>
> I've included a patch against current below. Be aware that you must
> run with debug.mpsafenet=0 if you want to try IPv6 output rules. The
> current code doesn't handle the case where the firewall changes the
> destination, but modulo bugs, we are probably at feature parity with
> ip6fw.

Repeat after me with the voice of Gollum "must not reference or carry on
any pointers to rtentry's through ipfw or dummynet... my preciousss...".
;-)

PS: What about ipfw6?
-- Andre > -- Brooks > > Changed files: > sbin/ipfw/ipfw2.c > sys/netinet/ip_dummynet.c > sys/netinet/ip_dummynet.h > sys/netinet/ip_fw.h > sys/netinet/ip_fw2.c > sys/netinet/ip_fw_pfil.c > > --- ../cleanup/sbin/ipfw/ipfw2.c Wed Sep 1 08:01:19 2004 > +++ sbin/ipfw/ipfw2.c Thu Sep 2 16:40:48 2004 > @@ -45,10 +45,12 @@ > #include > > #include > +#include /* def. of struct route */ > #include > #include > #include > #include > +#include > #include > #include > #include > @@ -253,6 +255,13 @@ > TOK_DROPTAIL, > TOK_PROTO, > TOK_WEIGHT, > + > + TOK_IPV6, > + TOK_FLOWID, > + TOK_ICMP6TYPES, > + TOK_EXT6HDR, > + TOK_DSTIP6, > + TOK_SRCIP6, > }; > > struct _s_x dummynet_params[] = { > @@ -275,6 +284,13 @@ > { "delay", TOK_DELAY }, > { "pipe", TOK_PIPE }, > { "queue", TOK_QUEUE }, > + > + { "flow-id", TOK_FLOWID}, > + { "dst-ipv6", TOK_DSTIP6}, > + { "dst-ip6", TOK_DSTIP6}, > + { "src-ipv6", TOK_SRCIP6}, > + { "src-ip6", TOK_SRCIP6}, > + > { "dummynet-params", TOK_NULL }, > { NULL, 0 } /* terminator */ > }; > @@ -299,6 +315,7 @@ > { "unreach", TOK_UNREACH }, > { "check-state", TOK_CHECKSTATE }, > { "//", TOK_COMMENT }, > + > { NULL, 0 } /* terminator */ > }; > > @@ -352,6 +369,16 @@ > { "ipsec", TOK_IPSEC }, > { "//", TOK_COMMENT }, > > + { "icmp6type", TOK_ICMP6TYPES }, > + { "icmp6types", TOK_ICMP6TYPES }, > + { "ext6hdr", TOK_EXT6HDR}, > + { "flow-id", TOK_FLOWID}, > + { "ipv6", TOK_IPV6}, > + { "dst-ipv6", TOK_DSTIP6}, > + { "dst-ip6", TOK_DSTIP6}, > + { "src-ipv6", TOK_SRCIP6}, > + { "src-ip6", TOK_SRCIP6}, > + > { "not", TOK_NOT }, /* pseudo option */ > { "!", /* escape ? */ TOK_NOT }, /* pseudo option */ > { "or", TOK_OR }, /* pseudo option */ 
> @@ -848,6 +875,196 @@ > } > } > > +/* XXX ipv6 stuff */ > +/* > + * Print the ip address contained in a command. > + */ > +static void > +print_ip6(ipfw_insn_ip6 *cmd, char const *s) > +{ > + struct hostent *he = NULL; > + int len = F_LEN((ipfw_insn *) cmd) - 1; > + struct in6_addr *a = &(cmd->addr6); > + char trad[255]; > + > + printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s); > + > + if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) { > + printf("me6"); > + return; > + } > + if (cmd->o.opcode == O_IP6) { > + printf(" ipv6"); > + return; > + } > + > + /* > + * len == 4 indicates a single IP, whereas lists of 1 or more > + * addr/mask pairs have len = (2n+1). We convert len to n so we > + * use that to count the number of entries. > + */ > + > + for (len = len / 4; len > 0; len -= 2, a += 2) { > + int mb = /* mask length */ > + (cmd->o.opcode == O_IP6_SRC || cmd->o.opcode == O_IP6_DST) ? > + 128 : contigmask((uint8_t *)&(a[1]), 128); > + > + if (mb == 128 && do_resolv) > + he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6); > + if (he != NULL) /* resolved to name */ > + printf("%s", he->h_name); > + else if (mb == 0) /* any */ > + printf("any"); > + else { /* numeric IP followed by some kind of mask */ > + if (inet_ntop(AF_INET6, a, trad, sizeof( trad ) ) == NULL) > + printf("Error ntop in print_ip6\n"); > + printf("%s", trad ); > + if (mb < 0) /* XXX not really legal... 
*/ > + printf(":%s", > + inet_ntop(AF_INET6, &a[1], trad, sizeof(trad))); > + else if (mb < 128) > + printf("/%d", mb); > + } > + if (len > 2) > + printf(","); > + } > +} > + > +static void > +fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av) > +{ > + uint8_t type; > + > + cmd->d[0] = 0; > + while (*av) { > + if (*av == ',') > + av++; > + type = strtoul(av, &av, 0); > + if (*av != ',' && *av != '\0') > + errx(EX_DATAERR, "invalid ICMP6 type"); > + if (type > ICMP6_MAXTYPE) > + errx(EX_DATAERR, "ICMP6 type out of range"); > + cmd->d[type / 32] |= ( 1 << (type % 32)); > + } > + cmd->o.opcode = O_ICMP6TYPE; > + cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6); > +} > + > + > +static void > +print_icmp6types(ipfw_insn_u32 *cmd) > +{ > + int i, j; > + char sep= ' '; > + > + printf(" ipv6 icmp6types"); > + for (i = 0; i < 7; i++) > + for (j=0; j < 32; ++j) { > + if ( (cmd->d[i] & (1 << (j))) == 0) > + continue; > + printf("%c%d", sep, (i*32 + j)); > + sep = ','; > + } > +} > + > +static void > +print_flow6id( ipfw_insn_u32 *cmd) > +{ > + uint16_t i, limit = cmd->o.arg1; > + char sep = ','; > + > + printf(" flow-id "); > + for( i=0; i < limit; ++i) { > + if (i == limit - 1) > + sep = ' '; > + printf("%d%c", cmd->d[i], sep); > + } > +} > + > +/* structure and define for the extension header in ipv6 */ > +static struct _s_x ext6hdrcodes[] = { > + { "frag", EXT_FRAGMENT }, > + { "hopopt", EXT_HOPOPTS }, > + { "route", EXT_ROUTING }, > + { "ah", EXT_AH }, > + { "esp", EXT_ESP }, > + { NULL, 0 } > +}; > + > +/* fills command for the extension header filtering */ > +int > +fill_ext6hdr( ipfw_insn *cmd, char *av) > +{ > + int tok; > + char *s = av; > + > + cmd->arg1 = 0; > + > + while(s) { > + av = strsep( &s, ",") ; > + tok = match_token(ext6hdrcodes, av); > + switch (tok) { > + case EXT_FRAGMENT: > + cmd->arg1 |= EXT_FRAGMENT; > + break; > + > + case EXT_HOPOPTS: > + cmd->arg1 |= EXT_HOPOPTS; > + break; > + > + case EXT_ROUTING: > + cmd->arg1 |= EXT_ROUTING; > + break; > + > + case 
EXT_AH: > + cmd->arg1 |= EXT_AH; > + break; > + > + case EXT_ESP: > + cmd->arg1 |= EXT_ESP; > + break; > + > + default: > + errx( EX_DATAERR, "invalid option for ipv6 exten headear" ); > + break; > + } > + } > + if (cmd->arg1 == 0 ) > + return 0; > + cmd->opcode = O_EXT_HDR; > + cmd->len |= F_INSN_SIZE( ipfw_insn ); > + return 1; > +} > + > +void > +print_ext6hdr( ipfw_insn *cmd ) > +{ > + char sep = ' '; > + > + printf(" extension header:"); > + if (cmd->arg1 & EXT_FRAGMENT ) { > + printf("%cfragmentation", sep); > + sep = ','; > + } > + if (cmd->arg1 & EXT_HOPOPTS ) { > + printf("%chop options", sep); > + sep = ','; > + } > + if (cmd->arg1 & EXT_ROUTING ) { > + printf("%crouting options", sep); > + sep = ','; > + } > + if (cmd->arg1 & EXT_AH ) { > + printf("%cauthentication header", sep); > + sep = ','; > + } > + if (cmd->arg1 & EXT_ESP ) { > + printf("%cencapsulated security payload", sep); > + } > +} > + > +/* XXX end of ipv6 stuff */ > + > /* > * show_ipfw() prints the body of an ipfw rule. > * Because the standard rule has at least proto src_ip dst_ip, we use > @@ -866,6 +1083,7 @@ > #define HAVE_DSTIP 0x0004 > #define HAVE_MAC 0x0008 > #define HAVE_MACTYPE 0x0010 > +#define HAVE_PROTO6 0x0080 > #define HAVE_OPTIONS 0x8000 > > #define HAVE_IP (HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP) > @@ -888,6 +1106,9 @@ > return; > } > if ( !(*flags & HAVE_OPTIONS)) { > + /* XXX: This is what the patch has, but shouldn't that be PROTO6? */ > + if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO6)) > + printf(" ipv6"); > if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO)) > printf(" ip"); > if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP)) 
> @@ -1130,6 +1351,37 @@ > flags |= HAVE_DSTIP; > break; > > + case O_IP6_SRC: > + case O_IP6_SRC_MASK: > + case O_IP6_SRC_ME: > + show_prerequisites(&flags, HAVE_PROTO6, 0); > + if (!(flags & HAVE_SRCIP)) > + printf(" from"); > + if ((cmd->len & F_OR) && !or_block) > + printf(" {"); > + print_ip6((ipfw_insn_ip6 *)cmd, > + (flags & HAVE_OPTIONS) ? " src-ip6" : ""); > + flags |= HAVE_SRCIP | HAVE_PROTO; > + break; > + > + case O_IP6_DST: > + case O_IP6_DST_MASK: > + case O_IP6_DST_ME: > + show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0); > + if (!(flags & HAVE_DSTIP)) > + printf(" to"); > + if ((cmd->len & F_OR) && !or_block) > + printf(" {"); > + print_ip6((ipfw_insn_ip6 *)cmd, > + (flags & HAVE_OPTIONS) ? " dst-ip6" : ""); > + flags |= HAVE_DSTIP; > + break; > + > + case O_FLOW6ID: > + print_flow6id( (ipfw_insn_u32 *) cmd ); > + flags |= HAVE_OPTIONS; > + break; > + > case O_IP_DSTPORT: > show_prerequisites(&flags, HAVE_IP, 0); > case O_IP_SRCPORT: > @@ -1141,14 +1393,15 @@ > break; > > case O_PROTO: { > - struct protoent *pe; > + struct protoent *pe = NULL; > > if ((cmd->len & F_OR) && !or_block) > printf(" {"); > if (cmd->len & F_NOT) > printf(" not"); > proto = cmd->arg1; > - pe = getprotobynumber(cmd->arg1); > + if (proto != 41) /* XXX: ipv6 is special */ > + pe = getprotobynumber(cmd->arg1); > if (flags & HAVE_OPTIONS) > printf(" proto"); > if (pe) > @@ -1332,6 +1585,18 @@ > } > break; > > + case O_IP6: > + printf(" ipv6"); > + break; > + > + case O_ICMP6TYPE: > + print_icmp6types((ipfw_insn_u32 *)cmd); > + break; > + > + case O_EXT_HDR: > + print_ext6hdr( (ipfw_insn *) cmd ); > + break; > + > default: > printf(" [opcode %d len %d]", > cmd->opcode, cmd->len); 
> @@ -1428,42 +1693,104 @@ > static void > list_queues(struct dn_flow_set *fs, struct dn_flow_queue *q) > { > - int l; > + int l, index_print = 0; > + char buff[255]; > > - printf(" mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n", > - fs->flow_mask.proto, > - fs->flow_mask.src_ip, fs->flow_mask.src_port, > - fs->flow_mask.dst_ip, fs->flow_mask.dst_port); > if (fs->rq_elements == 0) > return; > > - printf("BKT Prot ___Source IP/port____ " > - "____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp\n"); > if (do_sort != 0) > heapsort(q, fs->rq_elements, sizeof *q, sort_q); > + > + /* > + * Do IPv4 stuff > + */ > for (l = 0; l < fs->rq_elements; l++) { > - struct in_addr ina; > - struct protoent *pe; > + if (!IS_IP6_FLOW_ID(&(q[l].id))) { > + struct in_addr ina; > + struct protoent *pe; > > - ina.s_addr = htonl(q[l].id.src_ip); > - printf("%3d ", q[l].hash_slot); > - pe = getprotobynumber(q[l].id.proto); > - if (pe) > - printf("%-4s ", pe->p_name); > - else > - printf("%4u ", q[l].id.proto); > - printf("%15s/%-5d ", > - inet_ntoa(ina), q[l].id.src_port); > - ina.s_addr = htonl(q[l].id.dst_ip); > - printf("%15s/%-5d ", > - inet_ntoa(ina), q[l].id.dst_port); > - printf("%4qu %8qu %2u %4u %3u\n", > - q[l].tot_pkts, q[l].tot_bytes, > - q[l].len, q[l].len_bytes, q[l].drops); > - if (verbose) > - printf(" S %20qd F %20qd\n", > - q[l].S, q[l].F); > + if (!index_print) { > + index_print = 1; > + printf("\n mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n", > + fs->flow_mask.proto, > + fs->flow_mask.src_ip, > + fs->flow_mask.src_port, > + fs->flow_mask.dst_ip, > + fs->flow_mask.dst_port); > + printf(" BKT Prot ___Source IP/port____ " > + "____Dest. 
IP/port____ Tot_pkt/bytes Pkt/Byte Drp\n"); > + } > + printf(" %3d ", q[l].hash_slot); > + > + pe = getprotobynumber(q[l].id.proto); > + if (pe) > + printf("%-4s ", pe->p_name); > + else > + printf("%4u ", q[l].id.proto); > + ina.s_addr = htonl(q[l].id.src_ip); > + printf("%15s/%-5d ", > + inet_ntoa(ina), q[l].id.src_port); > + ina.s_addr = htonl(q[l].id.dst_ip); > + printf("%15s/%-5d ", > + inet_ntoa(ina), q[l].id.dst_port); > + printf("%4qu %8qu %2u %4u %3u\n", > + q[l].tot_pkts, q[l].tot_bytes, > + q[l].len, q[l].len_bytes, q[l].drops); > + if (verbose) > + printf(" S %20qd F %20qd\n", > + q[l].S, q[l].F); > + } > + } > + > + /* > + * Do IPv6 stuff > + */ > + > + index_print = 0; > + for (l = 0; l < fs->rq_elements; l++) { > + if (IS_IP6_FLOW_ID(&(q[l].id))) { > + struct protoent *pe; > + > + if (!index_print) { > + index_print = 1; > + printf("\n mask: proto: 0x%02x, flow_id: 0x%08x, ", > + fs->flow_mask.proto, fs->flow_mask.flow_id6 ); > + inet_ntop(AF_INET6, &(fs->flow_mask.src_ip6), > + buff, sizeof(buff) ); > + printf("%s/0x%04x -> ", buff, fs->flow_mask.src_port); > + inet_ntop( AF_INET6, &(fs->flow_mask.dst_ip6), > + buff, sizeof(buff) ); > + printf("%s/0x%04x\n", buff, fs->flow_mask.dst_port); > + > + printf(" BKT ___Prot___ _flow-id_ " > + "______________Source IPv6/port_______________ " > + "_______________Dest. 
IPv6/port_______________ " > + "Tot_pkt/bytes Pkt/Byte Drp\n"); > + } > + printf(" %3d ", q[l].hash_slot); > + pe = getprotobynumber(q[l].id.proto); > + if (pe) > + printf("%9s ", pe->p_name); > + else > + printf("%9u ", q[l].id.proto); > + printf("%7d %39s/%-5d ", q[l].id.flow_id6, > + inet_ntop(AF_INET6, &(q[l].id.src_ip6), > + buff, sizeof(buff)), > + q[l].id.src_port); > + printf(" %39s/%-5d ", > + inet_ntop(AF_INET6, &(q[l].id.dst_ip6), > + buff, sizeof(buff)), > + q[l].id.dst_port); > + printf(" %4qu %8qu %2u %4u %3u\n", > + q[l].tot_pkts, q[l].tot_bytes, > + q[l].len, q[l].len_bytes, q[l].drops); > + if (verbose) > + printf(" S %20qd F %20qd\n", > + q[l].S, q[l].F); > + } > } > + printf("\n"); > } > > static void > @@ -1852,7 +2179,7 @@ > if (do_dynamic && ndyn) { > printf("## Dynamic rules:\n"); > for (lac = ac, lav = av; lac != 0; lac--) { > - rnum = strtoul(*lav++, &endptr, 10); > + last = rnum = strtoul(*lav++, &endptr, 10); > if (*endptr == '-') > last = strtoul(endptr+1, &endptr, 10); > if (*endptr) 
> @@ -1905,17 +2232,22 @@ > "ACTION: check-state | allow | count | deny | reject | skipto N |\n" > " {divert|tee} PORT | forward ADDR | pipe N | queue N\n" > "ADDR: [ MAC dst src ether_type ] \n" > -" [ from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n" > +" [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n" > +" [ ipv6 from IP6ADDR [ PORT ] to IP6ADDR [ PORTLIST ] ]\n" > "IPADDR: [not] { any | me | ip/bits{x,y,z} | table(t[,v]) | IPLIST }\n" > "IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]\n" > +"IP6ADDR: [not] { any | me | me6 | ip6/bits | IP6LIST }\n" > +"IP6LIST: { ip6 | ip6/bits }[,IP6LIST]\n" > "OPTION_LIST: OPTION [OPTION_LIST]\n" > -"OPTION: bridged | {dst-ip|src-ip} ADDR | {dst-port|src-port} LIST |\n" > +"OPTION: bridged | {dst-ip|src-ip} IPADDR | {dst-port|src-port} LIST |\n" > " estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |\n" > " iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |\n" > " ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n" > " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n" > " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n" > -" verrevpath | versrcreach | antispoof\n" > +" verrevpath | icmp6types LIST | ext6hdr LIST |\n" > +" {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |\n" > +" flow-id N[,N]\n" > ); > exit(0); > } 
> @@ -2124,6 +2456,227 @@ > cmd->o.len |= len+1; > } > > +/* XXX more ipv6 stuff */ > +/* Try to find ipv6 address by hostname */ > +static int > +lookup_host6 (char *host, struct in6_addr *ip6addr) > +{ > + struct hostent *he; > + > + if (!inet_pton(AF_INET6, host, ip6addr)) { > + if ((he = gethostbyname2(host, AF_INET6)) == NULL) > + return(-1); > + memcpy( ip6addr, he->h_addr_list[0], sizeof( struct in6_addr)); > + } > + return(0); > +} > + > +/* n2mask sets n bits of the mask */ > + > +static void > +n2mask(struct in6_addr *mask, int n) > +{ > + static int minimask[9] = { > + 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff > + }; > + u_char *p; > + int i; > + > + memset(mask, 0, sizeof(struct in6_addr)); > + p = (u_char *) mask; > + for (i = 0; i < 16; i++, p++, n -= 8) { > + if (n >= 8) { > + *p = 0xff; > + continue; > + } > + *p = minimask[n]; > + break; > + } > + return; > +} > + > +/* > + * fills the addr and mask fields in the instruction as appropriate from av. > + * Update length as appropriate. > + * The following formats are allowed: > + * any matches any IP6. Actually returns an empty instruction. > + * me returns O_IP6_*_ME > + * > + * 03f1::234:123:0342 single IP6 addres > + * 03f1::234:123:0342/24 address/mask > + * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address > + * > + * Set of address (as in ipv6) not supported because ipv6 address > + * are typically random past the initial prefix. > + * Return 1 on success, 0 on failure. > + */ > + > +static int > +fill_ip6(ipfw_insn_ip6 *cmd, char *av) > +{ > + int len = 0; > + struct in6_addr *d = &(cmd->addr6); > + /* Needed for multiple address. 
> + * Note d[1] points to struct in6_add r mask6 of cmd > + */ > + > + cmd->o.len &= ~F_LEN_MASK; /* zero len */ > + > + if (!strncmp(av, "any", strlen(av))) > + return 1; > + > + > + if (!strncmp(av, "me", strlen(av))) { /* Set the data for "me" opt*/ > + cmd->o.len |= F_INSN_SIZE(ipfw_insn); > + return 1; > + } > + if (!strncmp(av, "me6", strlen(av))) { /* Set the data for "me" opt*/ > + cmd->o.len |= F_INSN_SIZE(ipfw_insn); > + return 1; > + } > + > + av = strdup(av); > + while (av) { > + /* > + * After the address we can have '/' indicating a mask, > + * or ',' indicating another address follows. > + */ > + > + char *p; > + int masklen; > + char md = '\0'; > + > + if ((p = strpbrk( av, "/,")) ) { > + md = *p; /* save the separator */ > + *p = '\0'; /* terminate address string */ > + p++; /* and skip past it */ > + } > + /* now p points to NULL, mask or next entry */ > + > + /* lookup stores address in *d as a side effect */ > + if (lookup_host6(av, d) != 0) { > + /* failed. Free memory and go */ > + errx(EX_DATAERR, "bad address \"%s\"", av); > + } > + /* next, look at the mask, if any */ > + masklen = (md == '/') ? atoi(p) : 128; > + if (masklen > 128 || masklen < 0) > + errx(EX_DATAERR, "bad width \"%s\''", p); > + else > + n2mask( &d[1], masklen); > + > + APPLY_MASK( d, &d[1]) /* mask base address with mask */ > + > + /* find next separator */ > + > + if (md == '/') { /* find separator past the mask */ > + p = strpbrk(p, ","); > + if (p) > + p++; > + } > + av = p; > + > + /* Check this entry */ > + if (masklen == 0) { > + /* > + * 'any' turns the entire list into a NOP. > + * 'not any' never matches, so it is removed from the > + * list unless it is the only item, in which case we > + * report an error. 
> + */ > + if (cmd->o.len & F_NOT) { /* "not any" never matches */ > + if (av == NULL && len == 0) /* only this entry */ > + errx(EX_DATAERR, "not any never matches"); > + } > + /* else do nothing and skip this entry */ > + continue; > + } > + > + /* > + * A single IP can be stored alone > + */ > + if (masklen == 128 && av == NULL && len == 0) { > + len = F_INSN_SIZE(struct in6_addr); > + break; > + } > + > + /* Update length and pointer to arguments */ > + len += F_INSN_SIZE(struct in6_addr)*2; > + d += 2; > + } /* end while */ > + > + /* Total lenght of the command, remember that 1 is the size of the base command */ > + cmd->o.len |= len+1; > + free(av); > + return 1; > +} > + > +/* > + * fills command for ipv6 flow-id filtering > + * note that the 20 bit flow number is stored in a array of u_int32_t > + * it's supported lists of flow-id, so in the o.arg1 we store how many > + * additional flow-id we want to filter, the basic is 1 > + */ > +void > +fill_flow6( ipfw_insn_u32 *cmd, char *av ) > +{ > + u_int32_t type; /* Current flow number */ > + u_int16_t nflow = 0; /* Current flow index */ > + char *s = av; > + cmd->d[0] = 0; /* Initializing the base number*/ > + > + while (s) { > + av = strsep( &s, ",") ; > + type = strtoul(av, &av, 0); > + if (*av != ',' && *av != '\0') > + errx(EX_DATAERR, "invalid ipv6 flow number %s", av); > + if (type > 0xfffff) > + errx(EX_DATAERR, "flow number out of range %s", av); > + cmd->d[nflow] |= type; > + nflow++; > + } > + if( nflow > 0 ) { > + cmd->o.opcode = O_FLOW6ID; > + cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow; > + cmd->o.arg1 = nflow; > + } > + else { > + errx(EX_DATAERR, "invalid ipv6 flow number %s", av); > + } > +} > + > +static ipfw_insn * > +add_srcip6(ipfw_insn *cmd, char *av) > +{ > + fill_ip6( (ipfw_insn_ip6 *) cmd, av); > + if (F_LEN(cmd) == 0) /* any */ > + ; > + if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* "me" */ > + cmd->opcode = O_IP6_SRC_ME; > + else if (F_LEN(cmd) == (F_INSN_SIZE(struct in6_addr) + 
F_INSN_SIZE(ipfw_insn))) > + /* single IP, no mask*/ > + cmd->opcode = O_IP6_SRC; > + else /* addr/mask opt */ > + cmd->opcode = O_IP6_SRC_MASK; > + return cmd; > +} > + > +static ipfw_insn * > +add_dstip6(ipfw_insn *cmd, char *av) > +{ > + fill_ip6((ipfw_insn_ip6 *)cmd, av); > + if (F_LEN(cmd) == 0) /* any */ > + ; > + if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* "me" */ > + cmd->opcode = O_IP6_DST_ME; > + else if (F_LEN(cmd) == (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) > + /* single IP, no mask*/ > + cmd->opcode = O_IP6_DST; > + else /* addr/mask opt */ > + cmd->opcode = O_IP6_DST_MASK; > + return cmd; > +} > +/* end ipv6 stuff */ > > /* > * helper function to process a set of flags and set bits in the > @@ -2236,7 +2789,6 @@ > struct dn_pipe p; > int i; > char *end; > - uint32_t a; > void *par = NULL; > > memset(&p, 0, sizeof p); > @@ -2298,16 +2850,15 @@ > */ > par = NULL; > > - p.fs.flow_mask.dst_ip = 0; > - p.fs.flow_mask.src_ip = 0; > - p.fs.flow_mask.dst_port = 0; > - p.fs.flow_mask.src_port = 0; > - p.fs.flow_mask.proto = 0; > + bzero(&p.fs.flow_mask, sizeof(p.fs.flow_mask)); > end = NULL; > > while (ac >= 1) { > uint32_t *p32 = NULL; > uint16_t *p16 = NULL; > + uint32_t *p20 = NULL; > + struct in6_addr *pa6 = NULL; > + uint32_t a; /* the mask */ > > tok = match_token(dummynet_params, *av); > ac--; av++; > @@ -2321,6 +2872,9 @@ > p.fs.flow_mask.dst_port = ~0; > p.fs.flow_mask.src_port = ~0; > p.fs.flow_mask.proto = ~0; > + n2mask( &(p.fs.flow_mask.dst_ip6), 128); > + n2mask( &(p.fs.flow_mask.src_ip6), 128); > + p.fs.flow_mask.flow_id6 = ~0; > p.fs.flags_fs |= DN_HAVE_FLOW_MASK; > goto end_mask; > > @@ -2332,6 +2886,18 @@ > p32 = &p.fs.flow_mask.src_ip; > break; > > + case TOK_DSTIP6: > + pa6 = &(p.fs.flow_mask.dst_ip6); > + break; > + > + case TOK_SRCIP6: > + pa6 = &(p.fs.flow_mask.src_ip6); > + break; > + > + case TOK_FLOWID: > + p20 = &p.fs.flow_mask.flow_id6; > + break; > + > case TOK_DSTPORT: > p16 = &p.fs.flow_mask.dst_port; > break; 
> @@ -2349,22 +2915,35 @@ > } > if (ac < 1) > errx(EX_USAGE, "mask: value missing"); > - if (*av[0] == '/') { > + if (*av[0] == '/') { /* mask len */ > a = strtoul(av[0]+1, &end, 0); > - a = (a == 32) ? ~0 : (1 << a) - 1; > - } else > + /* convert to a mask for non IPv6 */ > + if (pa6 == NULL) > + a = (a == 32) ? ~0 : (1 << a) - 1; > + } else /* explicit mask (non IPv6) */ > a = strtoul(av[0], &end, 0); > if (p32 != NULL) > *p32 = a; > else if (p16 != NULL) { > - if (a > 65535) > + if (a > 0xffff) > errx(EX_DATAERR, > - "mask: must be 16 bit"); > + "port mask must be 16 bit"); > *p16 = (uint16_t)a; > + } else if (p20 != NULL) { > + if (a > 0xfffff) > + errx(EX_DATAERR, > + "flow_id mask must be 20 bit"); > + *p20 = (uint32_t)a; > + } else if (pa6 != NULL) { > + if (a < 0 || a > 128) > + errx(EX_DATAERR, > + "in6addr invalid mask len"); > + else > + n2mask(pa6, a); > } else { > - if (a > 255) > + if (a > 0xff) > errx(EX_DATAERR, > - "mask: must be 8 bit"); > + "porto mask must be 8 bit"); > p.fs.flow_mask.proto = (uint8_t)a; > } > if (a != 0) > @@ -2468,7 +3047,7 @@ > break; > > default: > - errx(EX_DATAERR, "unrecognised option ``%s''", av[-1]); > + errx(EX_DATAERR, "unrecognised option ``%s''", *av); > } > } > if (do_pipe == 1) { 
> @@ -2684,21 +3263,25 @@ > } > > static ipfw_insn * > -add_proto(ipfw_insn *cmd, char *av) > +add_proto(ipfw_insn *cmd, char *av, u_char *proto) > { > struct protoent *pe; > - u_char proto = 0; > + > + *proto = IPPROTO_IP; > > if (!strncmp(av, "all", strlen(av))) > ; /* same as "ip" */ > - else if ((proto = atoi(av)) > 0) > + else if ((*proto = atoi(av)) > 0) > ; /* all done! */ > else if ((pe = getprotobyname(av)) != NULL) > - proto = pe->p_proto; > + *proto = pe->p_proto; > + else if(!strncmp(av, "ipv6", strlen(av)) || > + !strncmp(av, "ip6", strlen(av)) ) > + *proto = IPPROTO_IPV6; > else > return NULL; > - if (proto != IPPROTO_IP) > - fill_cmd(cmd, O_PROTO, 0, proto); > + if (proto != IPPROTO_IP && *proto != IPPROTO_IPV6) > + fill_cmd(cmd, O_PROTO, 0, *proto); > return cmd; > } > > @@ -2749,6 +3332,38 @@ > return NULL; > } > > +static ipfw_insn * > +add_src(ipfw_insn *cmd, char *av, u_char proto) > +{ > + struct in6_addr a; > + if( proto == IPPROTO_IPV6 || strcmp( av, "me6") == 0 || inet_pton(AF_INET6, av, &a )) > + return add_srcip6(cmd, av); > + > + if (proto == IPPROTO_IP || strcmp( av, "me") == 0 || !inet_pton(AF_INET6, av, &a ) ) > + return add_srcip(cmd, av); > + > + if( !strcmp( av, "any") ) > + return cmd; > + > + return NULL; /* bad address */ > +} > + > +static ipfw_insn * > +add_dst(ipfw_insn *cmd, char *av, u_char proto) > +{ > + struct in6_addr a; > + if( proto == IPPROTO_IPV6 || strcmp( av, "me6") == 0 || inet_pton(AF_INET6, av, &a )) > + return add_dstip6(cmd, av); > + > + if (proto == IPPROTO_IP || strcmp( av, "me") == 0 || !inet_pton(AF_INET6, av, &a ) ) > + return add_dstip(cmd, av); > + > + if( !strcmp( av, "any") ) > + return cmd; > + > + return NULL; /* bad address */ > +} > + > /* > * Parse arguments and assemble the microinstructions which make up a rule. > * Rules are added into the 'rulebuf' and then copied in the correct order 
> @@ -2772,7 +3387,7 @@ > */ > static uint32_t rulebuf[255], actbuf[255], cmdbuf[255]; > > - ipfw_insn *src, *dst, *cmd, *action, *prev=NULL; > + ipfw_insn *src, *dst, *cmd, *action, *prev=NULL, *retval=NULL; > ipfw_insn *first_cmd; /* first match pattern */ > > struct ip_fw *rule; > @@ -3051,11 +3666,9 @@ > OR_START(get_proto); > NOT_BLOCK; > NEED1("missing protocol"); > - if (add_proto(cmd, *av)) { > + if (add_proto(cmd, *av, &proto)) { > av++; ac--; > - if (F_LEN(cmd) == 0) /* plain IP */ > - proto = 0; > - else { > + if (F_LEN(cmd) != 0) { /* plain IP */ > proto = cmd->arg1; > prev = cmd; > cmd = next_cmd(cmd); > @@ -3079,13 +3692,16 @@ > OR_START(source_ip); > NOT_BLOCK; /* optional "not" */ > NEED1("missing source address"); > - if (add_srcip(cmd, *av)) { > + retval = add_src(cmd, *av, proto); > + > + if (retval) { > ac--; av++; > if (F_LEN(cmd) != 0) { /* ! any */ > prev = cmd; > cmd = next_cmd(cmd); > } > - } > + } else > + errx(EX_USAGE, "bad source address %s", *av); > OR_BLOCK(source_ip); > > /* > @@ -3114,13 +3730,16 @@ > OR_START(dest_ip); > NOT_BLOCK; /* optional "not" */ > NEED1("missing dst address"); > - if (add_dstip(cmd, *av)) { > + retval = add_dst(cmd, *av, proto); > + > + if (retval) { > ac--; av++; > if (F_LEN(cmd) != 0) { /* ! any */ > prev = cmd; > cmd = next_cmd(cmd); > } > - } > + } else > + errx( EX_USAGE, "bad destination address %s", *av); > OR_BLOCK(dest_ip); > > /* > @@ -3226,6 +3845,12 @@ > av++; ac--; > break; > > + case TOK_ICMP6TYPES: > + NEED1("icmptypes requires list of types"); > + fill_icmp6types((ipfw_insn_icmp6 *)cmd, *av); > + av++; ac--; > + break; > + > case TOK_IPTTL: > NEED1("ipttl requires TTL"); > if (strpbrk(*av, "-,")) { > @@ -3418,8 +4043,9 @@ > > case TOK_PROTO: > NEED1("missing protocol"); > - if (add_proto(cmd, *av)) { > - proto = cmd->arg1; > + if (add_proto(cmd, *av, &proto)) { > + if ( proto == IPPROTO_IPV6 ) > + fill_cmd(cmd, O_IP6, 0, 0); > ac--; av++; > } else > errx(EX_DATAERR, "invalid protocol ``%s''", 
> @@ -3440,6 +4066,20 @@ > } > break; > > + case TOK_SRCIP6: > + NEED1("missing source IP6"); > + if (add_srcip6(cmd, *av)) { > + ac--; av++; > + } > + break; > + > + case TOK_DSTIP6: > + NEED1("missing destination IP6"); > + if (add_dstip6(cmd, *av)) { > + ac--; av++; > + } > + break; > + > case TOK_SRCPORT: > NEED1("missing source port"); > if (!strncmp(*av, "any", strlen(*av)) || > @@ -3493,6 +4133,24 @@ > av += ac; > ac = 0; > break; > + > + case TOK_IPV6: > + fill_cmd(cmd, O_IP6, 0, 0); > + ac--; av++; > + break; > + > + case TOK_EXT6HDR: > + fill_ext6hdr( cmd, *av ); > + ac--; av++; > + break; > + > + case TOK_FLOWID: > + if (proto != IPPROTO_IPV6 ) > + errx( EX_USAGE, "flow-id filter is active only for ipv6 protocol\n"); > + fill_flow6( (ipfw_insn_u32 *) cmd, *av ); > + ac--;av++; > + break; > + > > default: > errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s); > --- ../cleanup/sys/netinet/ip_dummynet.c Thu Aug 26 21:19:18 2004 > +++ sys/netinet/ip_dummynet.c Fri Sep 3 13:37:35 2004 > @@ -77,6 +77,9 @@ > #include /* for struct arpcom */ > #include > > +#include /* for ip6_input, ip6_output prototypes */ > +#include > + > /* > * We keep a private variable for the simulation time, but we could > * probably use an existing one ("softticks" in sys/kern/kern_timeout.c) > @@ -461,6 +464,14 @@ > ip_input(m) ; > break ; > > + case DN_TO_IP6_IN: > + ip6_input(m) ; > + break ; > + > + case DN_TO_IP6_OUT: > + (void)ip6_output(m, NULL, NULL, pkt->flags, NULL, NULL, NULL); > + break ; > + > case DN_TO_BDG_FWD : > /* > * The bridge requires/assumes the Ethernet header is 
> @@ -898,36 +909,79 @@ > { > int i = 0 ; /* we need i and q for new allocations */ > struct dn_flow_queue *q, *prev; > + int is_v6 = IS_IP6_FLOW_ID(id); > > if ( !(fs->flags_fs & DN_HAVE_FLOW_MASK) ) > q = fs->rq[0] ; > else { > - /* first, do the masking */ > - id->dst_ip &= fs->flow_mask.dst_ip ; > - id->src_ip &= fs->flow_mask.src_ip ; > + /* first, do the masking, then hash */ > id->dst_port &= fs->flow_mask.dst_port ; > id->src_port &= fs->flow_mask.src_port ; > id->proto &= fs->flow_mask.proto ; > id->flags = 0 ; /* we don't care about this one */ > - /* then, hash function */ > - i = ( (id->dst_ip) & 0xffff ) ^ > - ( (id->dst_ip >> 15) & 0xffff ) ^ > - ( (id->src_ip << 1) & 0xffff ) ^ > - ( (id->src_ip >> 16 ) & 0xffff ) ^ > - (id->dst_port << 1) ^ (id->src_port) ^ > - (id->proto ); > + if (is_v6) { > + APPLY_MASK(&id->dst_ip6, &fs->flow_mask.dst_ip6); > + APPLY_MASK(&id->src_ip6, &fs->flow_mask.src_ip6); > + id->flow_id6 &= fs->flow_mask.flow_id6; > + > + i = ((id->dst_ip6.__u6_addr.__u6_addr32[0]) & 0xffff)^ > + ((id->dst_ip6.__u6_addr.__u6_addr32[1]) & 0xffff)^ > + ((id->dst_ip6.__u6_addr.__u6_addr32[2]) & 0xffff)^ > + ((id->dst_ip6.__u6_addr.__u6_addr32[3]) & 0xffff)^ > + > + ((id->dst_ip6.__u6_addr.__u6_addr32[0] >> 15) & 0xffff)^ > + ((id->dst_ip6.__u6_addr.__u6_addr32[1] >> 15) & 0xffff)^ > + ((id->dst_ip6.__u6_addr.__u6_addr32[2] >> 15) & 0xffff)^ > + ((id->dst_ip6.__u6_addr.__u6_addr32[3] >> 15) & 0xffff)^ > + > + ((id->src_ip6.__u6_addr.__u6_addr32[0] << 1) & 0xfffff)^ > + ((id->src_ip6.__u6_addr.__u6_addr32[1] << 1) & 0xfffff)^ > + ((id->src_ip6.__u6_addr.__u6_addr32[2] << 1) & 0xfffff)^ > + ((id->src_ip6.__u6_addr.__u6_addr32[3] << 1) & 0xfffff)^ > + > + ((id->src_ip6.__u6_addr.__u6_addr32[0] << 16) & 0xffff)^ > + ((id->src_ip6.__u6_addr.__u6_addr32[1] << 16) & 0xffff)^ > + ((id->src_ip6.__u6_addr.__u6_addr32[2] << 16) & 0xffff)^ > + ((id->src_ip6.__u6_addr.__u6_addr32[3] << 16) & 0xffff)^ > + > + (id->dst_port << 1) ^ (id->src_port) ^ > + 
(id->proto ) ^ > + (id->flow_id6); > + } else { > + id->dst_ip &= fs->flow_mask.dst_ip ; > + id->src_ip &= fs->flow_mask.src_ip ; > + > + i = ( (id->dst_ip) & 0xffff ) ^ > + ( (id->dst_ip >> 15) & 0xffff ) ^ > + ( (id->src_ip << 1) & 0xffff ) ^ > + ( (id->src_ip >> 16 ) & 0xffff ) ^ > + (id->dst_port << 1) ^ (id->src_port) ^ > + (id->proto ); > + } > i = i % fs->rq_size ; > /* finally, scan the current list for a match */ > searches++ ; > for (prev=NULL, q = fs->rq[i] ; q ; ) { > search_steps++; > - if (id->dst_ip == q->id.dst_ip && > + if (is_v6 && > + IN6_ARE_ADDR_EQUAL(&id->dst_ip6,&q->id.dst_ip6) && > + IN6_ARE_ADDR_EQUAL(&id->src_ip6,&q->id.src_ip6) && > + id->dst_port == q->id.dst_port && > + id->src_port == q->id.src_port && > + id->proto == q->id.proto && > + id->flags == q->id.flags && > + id->flow_id6 == q->id.flow_id6) > + break ; /* found */ > + > + if (!is_v6 && id->dst_ip == q->id.dst_ip && > id->src_ip == q->id.src_ip && > id->dst_port == q->id.dst_port && > id->src_port == q->id.src_port && > id->proto == q->id.proto && > id->flags == q->id.flags) > break ; /* found */ > + > + /* No match. Check if we can expire the entry */ > else if (pipe_expire && q->head == NULL && q->S == q->F+1 ) { > /* entry is idle and not in any heap, expire it */ > struct dn_flow_queue *old_q = q ; > @@ -1065,7 +1119,7 @@ > { > #if IPFW2 > struct dn_flow_set *fs; > - ipfw_insn *cmd = rule->cmd + rule->act_ofs; > + ipfw_insn *cmd = ACTION_PTR(rule); > > if (cmd->opcode == O_LOG) > cmd += F_LEN(cmd); > @@ -1132,7 +1186,7 @@ > struct dn_flow_queue *q = NULL ; > int is_pipe; > #if IPFW2 > - ipfw_insn *cmd = fwa->rule->cmd + fwa->rule->act_ofs; > + ipfw_insn *cmd = ACTION_PTR(fwa->rule); > #endif > > KASSERT(m->m_nextpkt == NULL, > @@ -1202,8 +1256,9 @@ > pkt->dn_dir = dir ; > > pkt->ifp = fwa->oif; > - if (dir == DN_TO_IP_OUT) > + if (dir == DN_TO_IP_OUT || dir == DN_TO_IP6_OUT) > pkt->flags = fwa->flags; > + > if (q->head == NULL) > q->head = m; > else 
> @@ -1372,7 +1427,7 @@ > * remove references from all ipfw rules to all pipes. > */ > static void > -dummynet_flush() > +dummynet_flush(void) > { > struct dn_pipe *curr_p, *p ; > struct dn_flow_set *fs, *curr_fs; > @@ -2017,7 +2072,7 @@ > ip_dn_init(void) > { > if (bootverbose) > - printf("DUMMYNET initialized (011031)\n"); > + printf("DUMMYNET with IPv6 initialized (040826)\n"); > > DUMMYNET_LOCK_INIT(); > > --- ../cleanup/sys/netinet/ip_dummynet.h Thu Aug 26 21:19:18 2004 > +++ sys/netinet/ip_dummynet.h Fri Aug 27 13:12:06 2004 > @@ -124,10 +124,13 @@ > #define DN_TO_BDG_FWD 3 > #define DN_TO_ETH_DEMUX 4 > #define DN_TO_ETH_OUT 5 > +#define DN_TO_IP6_IN 6 > +#define DN_TO_IP6_OUT 7 > > dn_key output_time; /* when the pkt is due for delivery */ > struct ifnet *ifp; /* interface, for ip_output */ > int flags ; /* flags, for ip_output (IPv6 ?) */ > + struct _ip6dn_args ip6opt; /* XXX ipv6 options */ > }; > #endif /* _KERNEL */ > > --- ../cleanup/sys/netinet/ip_fw.h Thu Aug 26 21:19:19 2004 > +++ sys/netinet/ip_fw.h Fri Aug 27 13:12:06 2004 > @@ -134,11 +134,31 @@ > O_IP_DST_LOOKUP, /* arg1=table number, u32=value */ > O_ANTISPOOF, /* none */ > O_JAIL, /* u32 = id */ > + O_IP6_SRC, /* address without mask */ > + O_IP6_SRC_ME, /* my addresses */ > + O_IP6_SRC_MASK, /* address with the mask */ > + O_IP6_DST, > + O_IP6_DST_ME, > + O_IP6_DST_MASK, > + O_FLOW6ID, /* for flow id tag in the ipv6 pkt */ > + O_ICMP6TYPE, /* icmp6 packet type filtering */ > + O_EXT_HDR, /* filtering for ipv6 extension header */ > + O_IP6, > > O_LAST_OPCODE /* not an opcode! */ > }; > > /* > + * The extension header are filtered only for presence using a bit > + * vector with a flag for each header. > + */ > +#define EXT_FRAGMENT 0x1 > +#define EXT_HOPOPTS 0x2 > +#define EXT_ROUTING 0x4 > +#define EXT_AH 0x8 > +#define EXT_ESP 0x10 > + > +/* > * Template for instructions. > * > * ipfw_insn is used for all instructions which require no operands, 
> @@ -274,6 +294,30 @@ > u_int32_t log_left; /* how many left to log */ > } ipfw_insn_log; > > +/* Apply ipv6 mask on ipv6 addr */ > +#define APPLY_MASK(addr,mask) \ > + (addr)->__u6_addr.__u6_addr32[0] &= (mask)->__u6_addr.__u6_addr32[0]; \ > + (addr)->__u6_addr.__u6_addr32[1] &= (mask)->__u6_addr.__u6_addr32[1]; \ > + (addr)->__u6_addr.__u6_addr32[2] &= (mask)->__u6_addr.__u6_addr32[2]; \ > + (addr)->__u6_addr.__u6_addr32[3] &= (mask)->__u6_addr.__u6_addr32[3]; > + > +/* Structure for ipv6 */ > +typedef struct _ipfw_insn_ip6 { > + ipfw_insn o; > + struct in6_addr addr6; > + struct in6_addr mask6; > +} ipfw_insn_ip6; > + > +/* Used to support icmp6 types */ > +typedef struct _ipfw_insn_icmp6 { > + ipfw_insn o; > + uint32_t d[7]; /* XXX This number si related to the netinet/icmp6.h > + * define ICMP6_MAXTYPE > + * as follows: n = ICMP6_MAXTYPE/32 + 1 > + * Actually is 203 > + */ > +} ipfw_insn_icmp6; > + > /* > * Here we have the structure representing an ipfw rule. > * > @@ -336,8 +380,14 @@ > u_int16_t src_port; > u_int8_t proto; > u_int8_t flags; /* protocol-specific flags */ > + uint8_t addr_type; /* 4 = ipv4, 6 = ipv6, 1=ether ? */ > + struct in6_addr dst_ip6; /* could also store MAC addr! */ > + struct in6_addr src_ip6; > + u_int32_t flow_id6; > }; > > +#define IS_IP6_FLOW_ID(id) ((id)->addr_type == 6) > + > /* > * Dynamic ipfw rule. > */ 
> @@ -410,6 +460,21 @@ > #define IP_FW_PORT_DENY_FLAG 0x40000 > > /* > + * Structure for collecting parameters to dummynet for ip6_output forwarding > + */ > +struct _ip6dn_args { > + struct ip6_pktopts *opt_or; > + struct route_in6 ro_or; > + int flags_or; > + struct ip6_moptions *im6o_or; > + struct ifnet *origifp_or; > + struct ifnet *ifp_or; > + struct sockaddr_in6 dst_or; > + u_long mtu_or; > + struct route_in6 ro_pmtu_or; > +}; > + > +/* > * Arguments for calling ipfw_chk() and dummynet_io(). We put them > * all into a structure because this way it is easier and more > * efficient to pass variables around and extend the interface. > @@ -425,6 +490,8 @@ > > struct ipfw_flow_id f_id; /* grabbed from IP header */ > u_int32_t retval; > + > + struct _ip6dn_args dummypar; /* dummynet->ip6_output */ > }; > > /* > --- ../cleanup/sys/netinet/ip_fw2.c Thu Aug 26 21:19:21 2004 > +++ sys/netinet/ip_fw2.c Thu Sep 2 20:22:12 2004 > @@ -82,6 +82,9 @@ > #include > #endif > > +#include > +#include > + > #include /* XXX for ETHERTYPE_IP */ > > #include /* XXX for in_cksum */ > @@ -277,14 +280,19 @@ > > > /* > - * This macro maps an ip pointer into a layer3 header pointer of type T > + * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T > + * Other macros just cast void * into the appropriate type > */ > -#define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl)) > +#define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl)) > +#define TCP(p) ((struct tcphdr *)(p)) > +#define UDP(p) ((struct udphdr *)(p)) > +#define ICMP(p) ((struct icmp *)(p)) > +#define ICMP6(p) ((struct icmp6_hdr *)(p)) > > static __inline int > -icmptype_match(struct ip *ip, ipfw_insn_u32 *cmd) > +icmptype_match(struct icmp *icmp, ipfw_insn_u32 *cmd) > { > - int type = L3HDR(struct icmp,ip)->icmp_type; > + int type = icmp->icmp_type; > > return (type <= ICMP_MAXTYPE && (cmd->d[0] & (1< } 
> @@ -293,9 +301,10 @@ > (1 << ICMP_TSTAMP) | (1 << ICMP_IREQ) | (1 << ICMP_MASKREQ) ) > > static int > -is_icmp_query(struct ip *ip) > +is_icmp_query(struct icmp *icmp) > { > - int type = L3HDR(struct icmp, ip)->icmp_type; > + int type = icmp->icmp_type; > + > return (type <= ICMP_MAXTYPE && (TT & (1< } > #undef TT > @@ -371,10 +380,9 @@ > } > > static int > -tcpopts_match(struct ip *ip, ipfw_insn *cmd) > +tcpopts_match(struct tcphdr *tcp, ipfw_insn *cmd) > { > int optlen, bits = 0; > - struct tcphdr *tcp = L3HDR(struct tcphdr,ip); > u_char *cp = (u_char *)(tcp + 1); > int x = (tcp->th_off << 2) - sizeof(struct tcphdr); 
> > @@ -515,6 +523,83 @@ > return 1; > } > > +/* > + * ipv6 specific rules here... > + */ > +static __inline int > +icmp6type_match (int type, ipfw_insn_u32 *cmd) > +{ > + return (type <= ICMP6_MAXTYPE && (cmd->d[type/32] & (1<<(type%32)) ) ); > +} > + > +static int > +flow6id_match( int curr_flow, ipfw_insn_u32 *cmd ) > +{ > + int i; > + for (i=0; i <= cmd->o.arg1; ++i ) > + if (curr_flow == cmd->d[i] ) > + return 1; > + return 0; > +} > + > +/* support for IP6_*_ME opcodes */ > +static int > +search_ip6_addr_net (struct in6_addr * ip6_addr) > +{ > + struct ifnet *mdc; > + struct ifaddr *mdc2; > + struct in6_ifaddr *fdm; > + struct in6_addr copia; > + > + TAILQ_FOREACH(mdc, &ifnet, if_link) > + for (mdc2 = mdc->if_addrlist.tqh_first; mdc2; > + mdc2 = mdc2->ifa_list.tqe_next) { > + if (!mdc2->ifa_addr) > + continue; > + if (mdc2->ifa_addr->sa_family == AF_INET6) { > + fdm = (struct in6_ifaddr *)mdc2; > + copia = fdm->ia_addr.sin6_addr; > + /* need for leaving scope_id in the sock_addr */ > + in6_clearscope(&copia); > + if (IN6_ARE_ADDR_EQUAL(ip6_addr, &copia)) > + return 1; > + } > + } > + return 0; > +} > + > +static int > +verify_rev_path6(struct in6_addr *src, struct ifnet *ifp) > +{ > + static struct route_in6 ro; > + struct sockaddr_in6 *dst; > + > + dst = (struct sockaddr_in6 * )&(ro.ro_dst); > + > + if ( !(IN6_ARE_ADDR_EQUAL (src, &dst->sin6_addr) )) { > + bzero(dst, sizeof(*dst)); > + dst->sin6_family = AF_INET6; > + dst->sin6_len = sizeof(*dst); > + dst->sin6_addr = *src; > + rtalloc_ign((struct route *)&ro, RTF_CLONING); > + } > + if ((ro.ro_rt == NULL) || (ifp == NULL) || > + (ro.ro_rt->rt_ifp->if_index != ifp->if_index)) > + return 0; > + return 1; > +} > +static __inline int > +hash_packet6(struct ipfw_flow_id *id) > +{ > + u_int32_t i; > + i= (id->dst_ip6.__u6_addr.__u6_addr32[0]) ^ > + (id->dst_ip6.__u6_addr.__u6_addr32[1]) ^ > + (id->dst_ip6.__u6_addr.__u6_addr32[2]) ^ > + (id->dst_ip6.__u6_addr.__u6_addr32[3]) ^ > + (id->dst_port) ^ (id->src_port) 
^ (id->flow_id6); > + return i; > +} > +/* end of ipv6 opcodes */ > > static u_int64_t norule_counter; /* counter for ipfw_log(NULL...) */ > > @@ -718,7 +803,8 @@ > { > u_int32_t i; > > - i = (id->dst_ip) ^ (id->src_ip) ^ (id->dst_port) ^ (id->src_port); > + i = IS_IP6_FLOW_ID(id) ? hash_packet6(id): > + (id->dst_ip) ^ (id->src_ip) ^ (id->dst_port) ^ (id->src_port); > i &= (curr_dyn_buckets - 1); > return i; > } > @@ -857,19 +943,40 @@ > } > if (pkt->proto == q->id.proto && > q->dyn_type != O_LIMIT_PARENT) { > - if (pkt->src_ip == q->id.src_ip && > - pkt->dst_ip == q->id.dst_ip && > + if (IS_IP6_FLOW_ID(pkt)) { > + if (IN6_ARE_ADDR_EQUAL(&(pkt->src_ip6), > + &(q->id.src_ip6)) && > + IN6_ARE_ADDR_EQUAL(&(pkt->dst_ip6), > + &(q->id.dst_ip6)) && > pkt->src_port == q->id.src_port && > pkt->dst_port == q->id.dst_port ) { > dir = MATCH_FORWARD; > break; > - } > - if (pkt->src_ip == q->id.dst_ip && > - pkt->dst_ip == q->id.src_ip && > - pkt->src_port == q->id.dst_port && > - pkt->dst_port == q->id.src_port ) { > - dir = MATCH_REVERSE; > - break; > + } > + if (IN6_ARE_ADDR_EQUAL(&(pkt->src_ip6), > + &(q->id.dst_ip6)) && > + IN6_ARE_ADDR_EQUAL(&(pkt->dst_ip6), > + &(q->id.src_ip6)) && > + pkt->src_port == q->id.dst_port && > + pkt->dst_port == q->id.src_port ) { > + dir = MATCH_REVERSE; > + break; > + } > + } else { > + if (pkt->src_ip == q->id.src_ip && > + pkt->dst_ip == q->id.dst_ip && > + pkt->src_port == q->id.src_port && > + pkt->dst_port == q->id.dst_port ) { > + dir = MATCH_FORWARD; > + break; > + } > + if (pkt->src_ip == q->id.dst_ip && > + pkt->dst_ip == q->id.src_ip && > + pkt->src_port == q->id.dst_port && > + pkt->dst_port == q->id.src_port ) { > + dir = MATCH_REVERSE; > + break; > + } > } > } > next: 
> @@ -1067,15 +1174,25 @@ > IPFW_DYN_LOCK_ASSERT(); > > if (ipfw_dyn_v) { > + int is_v6 = IS_IP6_FLOW_ID(pkt); > i = hash_packet( pkt ); > for (q = ipfw_dyn_v[i] ; q != NULL ; q=q->next) > if (q->dyn_type == O_LIMIT_PARENT && > rule== q->rule && > pkt->proto == q->id.proto && > - pkt->src_ip == q->id.src_ip && > - pkt->dst_ip == q->id.dst_ip && > pkt->src_port == q->id.src_port && > - pkt->dst_port == q->id.dst_port) { > + pkt->dst_port == q->id.dst_port && > + ( > + (is_v6 && > + IN6_ARE_ADDR_EQUAL(&(pkt->src_ip6), > + &(q->id.src_ip6)) && > + IN6_ARE_ADDR_EQUAL(&(pkt->dst_ip6), > + &(q->id.dst_ip6))) || > + (!is_v6 && > + pkt->src_ip == q->id.src_ip && > + pkt->dst_ip == q->id.dst_ip) > + ) > + ) { > q->expire = time_second + dyn_short_lifetime; > DEB(printf("ipfw: lookup_dyn_parent found 0x%p\n",q);) > return q; > @@ -1149,10 +1266,17 @@ > id.dst_port = id.src_port = 0; > id.proto = args->f_id.proto; > > - if (limit_mask & DYN_SRC_ADDR) > - id.src_ip = args->f_id.src_ip; > - if (limit_mask & DYN_DST_ADDR) > - id.dst_ip = args->f_id.dst_ip; > + if (IS_IP6_FLOW_ID (&(args->f_id))) { > + if (limit_mask & DYN_SRC_ADDR) > + id.src_ip6 = args->f_id.src_ip6; > + if (limit_mask & DYN_DST_ADDR) > + id.dst_ip6 = args->f_id.dst_ip6; > + } else { > + if (limit_mask & DYN_SRC_ADDR) > + id.src_ip = args->f_id.src_ip; > + if (limit_mask & DYN_DST_ADDR) > + id.dst_ip = args->f_id.dst_ip; > + } > if (limit_mask & DYN_SRC_PORT) > id.src_port = args->f_id.src_port; > if (limit_mask & DYN_DST_PORT) 
> @@ -1730,97 +1854,192 @@ > struct in_addr src_ip, dst_ip; /* NOTE: network format */ > u_int16_t ip_len=0; > int pktlen; > + /* > + * dyn_dir = MATCH_UNKNOWN when rules unchecked, > + * MATCH_NONE when checked and not matched (q = NULL), > + * MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL) > + */ > int dyn_dir = MATCH_UNKNOWN; > ipfw_dyn_rule *q = NULL; > struct ip_fw_chain *chain = &layer3_chain; > struct m_tag *mtag; > + /* > + * We store in ulp a pointer to the upper layer protocol header. > + * In the ipv4 case this is easy to determine from the header, > + * but for ipv6 we might have some additional headers in the > + * middle. ulp is NULL if not found. > + */ > + void *ulp = NULL; /* upper layer protocol pointer. */ > + /* XXX ipv6 variables */ > + int is_ipv6 = 0; > + u_int16_t ext_hd = 0; /* bits vector for extension header filtering */ > + /* end of ipv6 variables */ > > if (m->m_flags & M_SKIP_FIREWALL) > return 0; /* accept */ > - /* > - * dyn_dir = MATCH_UNKNOWN when rules unchecked, > - * MATCH_NONE when checked and not matched (q = NULL), > - * MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL) > - */ > - > pktlen = m->m_pkthdr.len; > - if (args->eh == NULL || /* layer 3 packet */ > - ( m->m_pkthdr.len >= sizeof(struct ip) && > - ntohs(args->eh->ether_type) == ETHERTYPE_IP)) > - hlen = ip->ip_hl << 2; > + proto = args->f_id.proto = 0; /* mark f_id invalid */ > > - /* > - * Collect parameters into local variables for faster matching. > - */ > - if (hlen == 0) { /* do not grab addresses for non-ip pkts */ > - proto = args->f_id.proto = 0; /* mark f_id invalid */ > - goto after_ip_checks; > - } > + /* Identify ipv6 packets and fill up variables. 
*/ > + if (pktlen >= sizeof(struct ip6_hdr) && > + (!args->eh || ntohs(args->eh->ether_type)==ETHERTYPE_IPV6) && > + mtod(m, struct ip *)->ip_v == 6) { > + is_ipv6 = 1; > + args->f_id.addr_type = 6; > + hlen = sizeof(struct ip6_hdr); > + proto = mtod(m, struct ip6_hdr *)->ip6_nxt; > > - proto = args->f_id.proto = ip->ip_p; > - src_ip = ip->ip_src; > - dst_ip = ip->ip_dst; > - if (args->eh != NULL) { /* layer 2 packets are as on the wire */ > - offset = ntohs(ip->ip_off) & IP_OFFMASK; > - ip_len = ntohs(ip->ip_len); > - } else { > - offset = ip->ip_off & IP_OFFMASK; > - ip_len = ip->ip_len; > - } > - pktlen = ip_len < pktlen ? ip_len : pktlen; > + /* > + * PULLUP6(len, p, T) makes sure that len + sizeof(T) is > + * contiguous, then it sets p to point at the offset "len" in > + * the mbuf. WARNING: the pointer might become stale after > + * other pullups (but we never use it this way). > + */ > +#define PULLUP6(len, p, T) \ > + do { \ > + int x = (len) + sizeof(T); \ > + if ((m)->m_len < x) { \ > + args->m = m = m_pullup(m, x); \ > + if (m == 0) \ > + goto pullup_failed; \ > + } \ > + p = (mtod(m, char *) + (len)); \ > + } while (0) > + > + /* Search extension headers to find upper layer protocols */ > + while (ulp == NULL) { > + switch (proto) { > + case IPPROTO_ICMPV6: > + PULLUP6(hlen, ulp, struct icmp6_hdr); > + args->f_id.flags = ICMP6(ulp)->icmp6_type; > + break; > + > + case IPPROTO_TCP: > + PULLUP6(hlen, ulp, struct tcphdr); > + dst_port = TCP(ulp)->th_dport; > + src_port = TCP(ulp)->th_sport; > + args->f_id.flags = TCP(ulp)->th_flags; > + break; > + > + case IPPROTO_UDP: > + PULLUP6(hlen, ulp, struct udphdr); > + dst_port = UDP(ulp)->uh_dport; > + src_port = UDP(ulp)->uh_sport; > + break; > + > + case IPPROTO_HOPOPTS: > + PULLUP6(hlen, ulp, struct ip6_hbh); > + ext_hd |= EXT_HOPOPTS; > + hlen += sizeof(struct ip6_hbh); > + proto = ((struct ip6_hbh *)ulp)->ip6h_nxt; > + ulp = NULL; > + break; > + > + case IPPROTO_ROUTING: > + PULLUP6(hlen, ulp, struct 
ip6_rthdr); > + ext_hd |= EXT_ROUTING; > + hlen += sizeof(struct ip6_rthdr); > + proto = ((struct ip6_rthdr *)ulp)->ip6r_nxt; > + ulp = NULL; > + break; > + > + case IPPROTO_FRAGMENT: > + PULLUP6(hlen, ulp, struct ip6_frag); > + ext_hd |= EXT_FRAGMENT; > + hlen += sizeof (struct ip6_frag); > + proto = ((struct ip6_frag *)ulp)->ip6f_nxt; > + offset = 1; > + ulp = NULL; /* XXX is it correct ? */ > + break; > + > + case IPPROTO_AH: > + case IPPROTO_NONE: > + case IPPROTO_ESP: > + PULLUP6(hlen, ulp, struct ip6_ext); > + if (proto == IPPROTO_AH) > + ext_hd |= EXT_AH; > + else if (proto == IPPROTO_ESP) > + ext_hd |= EXT_ESP; > + hlen += ((struct ip6_ext *)ulp)->ip6e_len + > + sizeof (struct ip6_ext); > + proto = ((struct ip6_ext *)ulp)->ip6e_nxt; > + ulp = NULL; > + break; > > -#define PULLUP_TO(len) \ > - do { \ > - if ((m)->m_len < (len)) { \ > - args->m = m = m_pullup(m, (len)); \ > - if (m == 0) \ > - goto pullup_failed; \ > - ip = mtod(m, struct ip *); \ > - } \ > - } while (0) > + default: > + printf( "IPFW2: IPV6 - Unknown Extension Header (%d)\n", > + proto); > + return 0; /* deny */ > + break; > + } /*switch */ > + } > + args->f_id.src_ip6 = mtod(m,struct ip6_hdr *)->ip6_src; > + args->f_id.dst_ip6 = mtod(m,struct ip6_hdr *)->ip6_dst; > + args->f_id.src_ip = 0; > + args->f_id.dst_ip = 0; > + args->f_id.flow_id6 = ntohs(mtod(m, struct ip6_hdr *)->ip6_flow); > + /* hlen != 0 is used to detect ipv4 packets, so clear it now */ > + hlen = 0; > + } else if (pktlen >= sizeof(struct ip) && > + (!args->eh || ntohs(args->eh->ether_type) == ETHERTYPE_IP) && > + mtod(m, struct ip *)->ip_v == 4) { > + ip = mtod(m, struct ip *); > + hlen = ip->ip_hl << 2; > + args->f_id.addr_type = 4; > > - if (offset == 0) { > - switch (proto) { > - case IPPROTO_TCP: > - { > - struct tcphdr *tcp; > + /* > + * Collect parameters into local variables for faster matching. 
> + */ > > - PULLUP_TO(hlen + sizeof(struct tcphdr)); > - tcp = L3HDR(struct tcphdr, ip); > - dst_port = tcp->th_dport; > - src_port = tcp->th_sport; > - args->f_id.flags = tcp->th_flags; > - } > - break; > + proto = ip->ip_p; > + src_ip = ip->ip_src; > + dst_ip = ip->ip_dst; > + if (args->eh != NULL) { /* layer 2 packets are as on the wire */ > + offset = ntohs(ip->ip_off) & IP_OFFMASK; > + ip_len = ntohs(ip->ip_len); > + } else { > + offset = ip->ip_off & IP_OFFMASK; > + ip_len = ip->ip_len; > + } > + pktlen = ip_len < pktlen ? ip_len : pktlen; > > - case IPPROTO_UDP: > - { > - struct udphdr *udp; > + if (offset == 0) { > + switch (proto) { > + case IPPROTO_TCP: > + PULLUP6(hlen, ulp, struct tcphdr); > + dst_port = TCP(ulp)->th_dport; > + src_port = TCP(ulp)->th_sport; > + args->f_id.flags = TCP(ulp)->th_flags; > + break; > > - PULLUP_TO(hlen + sizeof(struct udphdr)); > - udp = L3HDR(struct udphdr, ip); > - dst_port = udp->uh_dport; > - src_port = udp->uh_sport; > - } > - break; > + case IPPROTO_UDP: > + PULLUP6(hlen, ulp, struct udphdr); > + dst_port = UDP(ulp)->uh_dport; > + src_port = UDP(ulp)->uh_sport; > + break; > > - case IPPROTO_ICMP: > - PULLUP_TO(hlen + 4); /* type, code and checksum. 
*/ > - args->f_id.flags = L3HDR(struct icmp, ip)->icmp_type; > - break; > + case IPPROTO_ICMP: > + /* > + * we only care for 4 bytes: type, code, > + * checksum > + */ > + PULLUP6(hlen, ulp, struct icmp); > + args->f_id.flags = ICMP(ulp)->icmp_type; > + break; > > - default: > - break; > + default: > + break; > + } > } > -#undef PULLUP_TO > - } > - > - args->f_id.src_ip = ntohl(src_ip.s_addr); > - args->f_id.dst_ip = ntohl(dst_ip.s_addr); > - args->f_id.src_port = src_port = ntohs(src_port); > - args->f_id.dst_port = dst_port = ntohs(dst_port); > > -after_ip_checks: > + args->f_id.src_ip = ntohl(src_ip.s_addr); > + args->f_id.dst_ip = ntohl(dst_ip.s_addr); > + } > + if (proto) { /* we may have port numbers, store them */ > + args->f_id.proto = proto; > + args->f_id.src_port = src_port = ntohs(src_port); > + args->f_id.dst_port = dst_port = ntohs(dst_port); > + } > IPFW_LOCK(chain); /* XXX expensive? can we run lock free? */ > mtag = m_tag_find(m, PACKET_TAG_DIVERT, NULL); > if (args->rule) { > @@ -1926,11 +2145,13 @@ > case O_JAIL: > /* > * We only check offset == 0 && proto != 0, > - * as this ensures that we have an IPv4 > + * as this ensures that we have a > * packet with the ports info. > */ > if (offset!=0) > break; > + if (is_ipv6) /* XXX to be fixed later */ > + break; > if (proto == IPPROTO_TCP || > proto == IPPROTO_UDP) > match = check_uidgid( > @@ -1985,7 +2206,7 @@ > break; > > case O_FRAG: > - match = (hlen > 0 && offset != 0); > + match = (offset != 0); > break; > > case O_IN: /* "out" is "not in" */ > @@ -2087,7 +2308,7 @@ > case O_IP_DSTPORT: > /* > * offset == 0 && proto != 0 is enough > - * to guarantee that we have an IPv4 > + * to guarantee that we have a > * packet with port info. > */ > if ((proto==IPPROTO_UDP || proto==IPPROTO_TCP) 
> @@ -2107,15 +2328,25 @@ > > case O_ICMPTYPE: > match = (offset == 0 && proto==IPPROTO_ICMP && > - icmptype_match(ip, (ipfw_insn_u32 *)cmd) ); > + icmptype_match(ICMP(ulp), (ipfw_insn_u32 *)cmd) ); > + break; > + > + case O_ICMP6TYPE: > + match = is_ipv6 && offset == 0 && > + proto==IPPROTO_ICMPV6 && > + icmp6type_match( > + ICMP6(ulp)->icmp6_type, > + (ipfw_insn_u32 *)cmd); > break; > > case O_IPOPT: > - match = (hlen > 0 && ipopts_match(ip, cmd) ); > + match = (hlen > 0 && > + ipopts_match(mtod(m, struct ip *), cmd) ); > break; > > case O_IPVER: > - match = (hlen > 0 && cmd->arg1 == ip->ip_v); > + match = (hlen > 0 && > + cmd->arg1 == mtod(m, struct ip *)->ip_v); > break; > > case O_IPID: > @@ -2129,9 +2360,9 @@ > if (cmd->opcode == O_IPLEN) > x = ip_len; > else if (cmd->opcode == O_IPTTL) > - x = ip->ip_ttl; > + x = mtod(m, struct ip *)->ip_ttl; > else /* must be IPID */ > - x = ntohs(ip->ip_id); > + x = ntohs(mtod(m, struct ip *)->ip_id); > if (cmdlen == 1) { > match = (cmd->arg1 == x); > break; 
> @@ -2146,48 +2377,46 @@ > > case O_IPPRECEDENCE: > match = (hlen > 0 && > - (cmd->arg1 == (ip->ip_tos & 0xe0)) ); > + (cmd->arg1 == (mtod(m, struct ip *)->ip_tos & 0xe0)) ); > break; > > case O_IPTOS: > match = (hlen > 0 && > - flags_match(cmd, ip->ip_tos)); > + flags_match(cmd, mtod(m, struct ip *)->ip_tos)); > break; > > case O_TCPFLAGS: > match = (proto == IPPROTO_TCP && offset == 0 && > - flags_match(cmd, > - L3HDR(struct tcphdr,ip)->th_flags)); > + flags_match(cmd, TCP(ulp)->th_flags)); > break; > > case O_TCPOPTS: > match = (proto == IPPROTO_TCP && offset == 0 && > - tcpopts_match(ip, cmd)); > + tcpopts_match(TCP(ulp), cmd)); > break; > > case O_TCPSEQ: > match = (proto == IPPROTO_TCP && offset == 0 && > ((ipfw_insn_u32 *)cmd)->d[0] == > - L3HDR(struct tcphdr,ip)->th_seq); > + TCP(ulp)->th_seq); > break; > > case O_TCPACK: > match = (proto == IPPROTO_TCP && offset == 0 && > ((ipfw_insn_u32 *)cmd)->d[0] == > - L3HDR(struct tcphdr,ip)->th_ack); > + TCP(ulp)->th_ack); > break; > > case O_TCPWIN: > match = (proto == IPPROTO_TCP && offset == 0 && > - cmd->arg1 == > - L3HDR(struct tcphdr,ip)->th_win); > + cmd->arg1 == TCP(ulp)->th_win); > break; > > case O_ESTAB: > /* reject packets which have SYN only */ > /* XXX should i also check for TH_ACK ? */ > match = (proto == IPPROTO_TCP && offset == 0 && > - (L3HDR(struct tcphdr,ip)->th_flags & > + ( TCP(ulp)->th_flags & > (TH_RST | TH_ACK | TH_SYN)) != TH_SYN); > break; > > @@ -2203,8 +2432,12 @@ > > case O_VERREVPATH: > /* Outgoing packets automatically pass/match */ > - match = (hlen > 0 && ((oif != NULL) || > + /* XXX BED: verify_path was verify_rev_path in the diff... */ > + match = ((oif != NULL) || > (m->m_pkthdr.rcvif == NULL) || > + (is_ipv6 ? > + verify_rev_path6(&(args->f_id.src_ip6), > + m->m_pkthdr.rcvif) : > verify_path(src_ip, m->m_pkthdr.rcvif))); > break; 
> > @@ -2235,6 +2468,60 @@ > /* otherwise no match */ > break; > > + case O_IP6_SRC: > + match = is_ipv6 && > + IN6_ARE_ADDR_EQUAL(&args->f_id.src_ip6, > + &((ipfw_insn_ip6 *)cmd)->addr6); > + break; > + > + case O_IP6_DST: > + match = is_ipv6 && > + IN6_ARE_ADDR_EQUAL(&args->f_id.dst_ip6, > + &((ipfw_insn_ip6 *)cmd)->addr6); > + break; > + case O_IP6_SRC_MASK: > + if (is_ipv6) { > + ipfw_insn_ip6 *te = (ipfw_insn_ip6 *)cmd; > + struct in6_addr p = args->f_id.src_ip6; > + > + APPLY_MASK(&p, &te->mask6); > + match = IN6_ARE_ADDR_EQUAL(&te->addr6, &p); > + } > + break; > + > + case O_IP6_DST_MASK: > + if (is_ipv6) { > + ipfw_insn_ip6 *te = (ipfw_insn_ip6 *)cmd; > + struct in6_addr p = args->f_id.dst_ip6; > + > + APPLY_MASK(&p, &te->mask6); > + match = IN6_ARE_ADDR_EQUAL(&te->addr6, &p); > + } > + break; > + > + case O_IP6_SRC_ME: > + match= is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6); > + break; > + > + case O_IP6_DST_ME: > + match= is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6); > + break; > + > + case O_FLOW6ID: > + match = is_ipv6 && > + flow6id_match(args->f_id.flow_id6, > + (ipfw_insn_u32 *) cmd); > + break; > + > + case O_EXT_HDR: > + match = is_ipv6 && > + (ext_hd & ((ipfw_insn *) cmd)->arg1); > + break; > + > + case O_IP6: > + match = is_ipv6; > + break; > + > /* > * The second set of opcodes represents 'actions', > * i.e. the terminal part of a rule once the packet > @@ -2297,7 +2584,7 @@ > if (dyn_dir == MATCH_UNKNOWN && > (q = lookup_dyn_rule(&args->f_id, > &dyn_dir, proto == IPPROTO_TCP ? > - L3HDR(struct tcphdr, ip) : NULL)) > + TCP(ulp) : NULL)) > != NULL) { > /* > * Found dynamic entry, update stats > @@ -2378,7 +2665,7 @@ > */ > if (hlen > 0 && > (proto != IPPROTO_ICMP || > - is_icmp_query(ip)) && > + is_icmp_query(ICMP(ulp))) && > !(m->m_flags & (M_BCAST|M_MCAST)) && > !IN_MULTICAST(ntohl(dst_ip.s_addr))) { > send_reject(args, cmd->arg1, 
> @@ -2859,6 +3146,10 @@ > case O_VERSRCREACH: > case O_ANTISPOOF: > case O_IPSEC: > + case O_IP6_SRC_ME: > + case O_IP6_DST_ME: > + case O_EXT_HDR: > + case O_IP6: > if (cmdlen != F_INSN_SIZE(ipfw_insn)) > goto bad_size; > break; > @@ -2985,9 +3276,32 @@ > return EINVAL; > } > break; > + case O_IP6_SRC: > + case O_IP6_DST: > + if (cmdlen != F_INSN_SIZE(struct in6_addr) + > + F_INSN_SIZE(ipfw_insn)) > + goto bad_size; > + break; > + > + case O_FLOW6ID: > + if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) + > + ((ipfw_insn_u32 *)cmd)->o.arg1) > + goto bad_size; > + break; > + > + case O_IP6_SRC_MASK: > + case O_IP6_DST_MASK: > + if ( !(cmdlen & 1) || cmdlen > 127) > + goto bad_size; > + break; > + case O_ICMP6TYPE: > + if( cmdlen != F_INSN_SIZE( ipfw_insn_icmp6 ) ) > + goto bad_size; > + break; > + > default: > printf("ipfw: opcode %d, unknown opcode\n", > - cmd->opcode); > + cmd->opcode); > return EINVAL; > } > } > @@ -3379,7 +3693,7 @@ > } > > ip_fw_default_rule = layer3_chain.rules; > - printf("ipfw2 initialized, divert %s, " > + printf("ipfw2 (+ipv6) initialized, divert %s, " > "rule-based forwarding " > #ifdef IPFIREWALL_FORWARD > "enabled, " > --- ../cleanup/sys/netinet/ip_fw_pfil.c Fri Aug 27 15:18:18 2004 > +++ sys/netinet/ip_fw_pfil.c Thu Sep 2 22:37:05 2004 > @@ -31,6 +31,7 @@ > #include "opt_ipdn.h" > #include "opt_ipdivert.h" > #include "opt_inet.h" > +#include "opt_inet6.h" > #ifndef INET > #error IPFIREWALL requires INET. > #endif /* INET */ > @@ -111,7 +112,10 @@ > goto pass; > > if (DUMMYNET_LOADED && (ipfw & IP_FW_PORT_DYNT_FLAG) != 0) { > - ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP_IN, &args); > + if (mtod(*m0, struct ip *)->ip_v == 4) > + ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP_IN, &args); > + else if (mtod(*m0, struct ip *)->ip_v == 6) > + ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP6_IN, &args); > *m0 = NULL; > return 0; /* packet consumed */ > } 
> @@ -194,7 +198,10 @@ > goto pass; > > if (DUMMYNET_LOADED && (ipfw & IP_FW_PORT_DYNT_FLAG) != 0) { > - ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP_OUT, &args); > + if (mtod(*m0, struct ip *)->ip_v == 4) > + ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP_OUT, &args); > + else if (mtod(*m0, struct ip *)->ip_v == 6) > + ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP6_OUT, &args); > *m0 = NULL; > return 0; /* packet consumed */ > } > @@ -326,6 +333,9 @@ > ipfw_hook(void) > { > struct pfil_head *pfh_inet; > +#ifdef INET6 > + struct pfil_head *pfh_inet6; > +#endif > > if (ipfw_pfil_hooked) > return EEXIST; > @@ -333,9 +343,18 @@ > pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); > if (pfh_inet == NULL) > return ENOENT; > +#ifdef INET6 > + pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); > + if (pfh_inet6 == NULL) > + return ENOENT; > +#endif > > pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); > pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); > +#ifdef INET6 > + pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6); > + pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6); > +#endif > > return 0; > } > @@ -344,6 +363,9 @@ > ipfw_unhook(void) > { > struct pfil_head *pfh_inet; > +#ifdef INET6 > + struct pfil_head *pfh_inet6; > +#endif > > if (!ipfw_pfil_hooked) > return ENOENT; 
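Review bot: in the userland ipfw(8) parser hunk at @@ -3493,6 +4133,24 @@, the `errx(EX_USAGE, "flow-id filter is active only for ipv6 protocol\n")` format ends in "\n", but errx(3) appends its own newline, so the message is followed by a blank line; drop the trailing "\n" (the pre-existing `unrecognised option` errx two lines below has the same flaw, but new code need not copy it). The `ac--;av++;` in the same case also lacks the space every neighbouring case uses.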
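Review bot: in the ip_dummynet.c hunk at @@ -461,6 +464,14 @@, the DN_TO_IP6_OUT case calls `ip6_output(m, NULL, NULL, pkt->flags, NULL, NULL, NULL)`, that is with no packet options, no route and no outgoing interface, so a packet re-injected after the pipe delay is routed again from scratch; for link-local destinations, which are only meaningful together with their interface, that is exactly the output-rule failure the cover mail describes. The `struct _ip6dn_args ip6opt` member added to `struct dn_pkt` in ip_dummynet.h is never filled in: the dummynet_io hunk at @@ -1202,8 +1256,9 @@ copies only `fwa->flags`, and nothing copies `fwa->dummypar`. Either fill it in and use it here, or (preferably, given the concern raised above about carrying rtentry pointers through dummynet) keep only the outgoing interface, for example by index, and let ip6_output() resolve the route again when the packet leaves the pipe.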
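Review bot: in the ip_dummynet.c find_queue() hunk at @@ -898,36 +909,79 @@, the four terms of the form `((id->src_ip6.__u6_addr.__u6_addr32[n] << 16) & 0xffff)` are always zero, because a left shift by 16 clears exactly the low 16 bits the mask keeps; the IPv4 branch directly below uses `>> 16` for the corresponding term, and the IPv6 branch should too, otherwise the upper halves of the source address never reach the hash and addresses differing only there collide. The `<< 1` terms use the mask `0xfffff` (20 bits) where every other term uses `0xffff`; that looks like a typo rather than a deliberate widening.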
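Review bot: in the ip_fw.h hunk at @@ -274,6 +294,30 @@, `APPLY_MASK()` expands to four separate statements with no `do { ... } while (0)` wrapper, so a caller writing `if (cond) APPLY_MASK(a, m);` would guard only the first word and always execute the other three; wrap the body and drop the semicolon after the last line so the macro is used like a statement. The `ipfw_insn_icmp6` comment has "si" for "is", and since the stated rationale for `d[7]` is `ICMP6_MAXTYPE/32 + 1`, it would be safer to derive the array size from ICMP6_MAXTYPE where the include is available, so the size cannot drift from the header it mirrors.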
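Review bot: in the ip_fw.h hunk at @@ -336,8 +380,14 @@, `struct ipfw_flow_id` gains `addr_type` and the comment `/* 4 = ipv4, 6 = ipv6, 1=ether ? */`, but `IS_IP6_FLOW_ID()` only tests for 6, and the ip_fw2.c hunk at @@ -1149,10 +1266,17 @@ builds the limit-parent key `id` by copying `proto` and the masked addresses from `args->f_id` without copying `addr_type`; unless that happens elsewhere in the function, `IS_IP6_FLOW_ID(&id)` is false in lookup_dyn_parent() and hash_packet(), so IPv6 limit parents are hashed and compared on the zeroed `src_ip`/`dst_ip` fields and all parents for one rule, protocol and port pair collapse into one. Copy `addr_type` along with the addresses (and the same question applies to the `ipfw_dyn_rule` ids that are exported to userland, whose layout this changes).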
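Review bot: in the ip_fw.h hunk at @@ -410,6 +460,21 @@, `struct _ip6dn_args` embeds a `struct route_in6 ro_or` (including its `ro_rt` pointer) and `struct ifnet *` pointers that are meant to be replayed by ip6_output() after the packet has waited in a dummynet pipe; no reference is taken on the rtentry or the interfaces, so by the time the packet is sent the route may have been freed and the interface detached. If the structure stays, drop the route from it (keep the sockaddr and an interface index and re-resolve on output) or hold and release a reference explicitly. The copy embedded in `struct ip_fw_args` as `dummypar` (hunk @@ -425,6 +490,8 @@) also enlarges the argument block of every ipfw_chk() call, including the IPv4 path, which never uses it.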
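Review bot: in the ip_fw2.c hunk at @@ -515,6 +523,83 @@, `hash_packet6()` is not symmetric in source and destination: it XORs only the `dst_ip6` words, the ports and `flow_id6`, whereas the IPv4 expression in `hash_packet()` (`dst_ip ^ src_ip ^ dst_port ^ src_port`) is invariant under swapping the two ends, which is what lets lookup_dyn_rule() find a dynamic rule from the reply packet in the same bucket and report MATCH_REVERSE. An IPv6 reply (addresses swapped and normally a different flow label) lands in another bucket, so keep-state rules will not match return traffic; XOR both address arrays and leave `flow_id6` out of the hash. In `verify_rev_path6()`, `static struct route_in6 ro` is shared by every caller on every CPU without a lock, its `ro_rt` is never RTFREE'd, and because rtalloc_ign() returns immediately when `ro.ro_rt` is already set and up, changing `ro_dst` alone does not cause a new lookup, so after the first call the function keeps testing a route cached for an earlier source for as long as that route stays up; do what the IPv4 verify_path() does (stack-local route, bzero, lookup, compare `rt_ifp`, RTFREE). `search_ip6_addr_net()` walks `ifnet` and each `if_addrlist` without holding the ifnet list lock; it needs IFNET_RLOCK()/IFNET_RUNLOCK() (or this branch's equivalent) around the loop.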
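Review bot: in the ip_fw2.c ipfw_chk() hunk at @@ -1730,97 +1854,192 @@, the extension-header walk advances `hlen` by the wrong amounts: `IPPROTO_HOPOPTS` adds `sizeof(struct ip6_hbh)` (2 bytes) and `IPPROTO_ROUTING` adds `sizeof(struct ip6_rthdr)` (4 bytes), but those headers are `(ip6h_len + 1) * 8` and `(ip6r_len + 1) * 8` bytes long, so any packet carrying one has its next header read from inside the option data; `IPPROTO_AH` adds `ip6e_len + sizeof(struct ip6_ext)` although the AH length is in 4-byte units, i.e. `(ip6e_len + 2) * 4`; and `IPPROTO_ESP` and `IPPROTO_NONE` should end the walk (nothing after ESP is readable, and NONE means there is no next header) rather than take a next-header byte from the payload. `IPPROTO_FRAGMENT` sets `offset = 1` for every fragment, the first one included, and then keeps walking, so for a non-first fragment the TCP/UDP/ICMPv6 cases pull up and read payload bytes as a transport header; test the fragment offset in `ip6f_offlg`, and stop the walk with `ulp` left at the fragment header unless this is the first fragment. The `default:` case returns 0 (deny) for every next-header value not listed, which covers IPPROTO_DSTOPTS and every tunnelled or non-TCP/UDP/ICMPv6 transport, so those packets are dropped regardless of the ruleset and with an unrate-limited printf() that any sender can trigger; for an unknown upper-layer protocol the walk should just stop and let the rules decide, as the IPv4 path does for anything other than TCP/UDP/ICMP. Finally, `args->f_id.flow_id6 = ntohs(mtod(m, struct ip6_hdr *)->ip6_flow)` truncates the 32-bit `ip6_flow` word (version, traffic class and the 20-bit flow label) to 16 bits; take ntohl() of the word and mask off the version and traffic-class bits so that flow6id_match() compares the actual label.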
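Review bot: in the ip_fw2.c hunk at @@ -2203,8 +2432,12 @@, removing the `hlen > 0 &&` guard from O_VERREVPATH means a packet that is neither IPv4 nor IPv6 (a layer-2 frame reaching ipfw_chk() with `hlen == 0` and `is_ipv6 == 0`) that has a receive interface and no `oif` now reaches `verify_path(src_ip, ...)` with `src_ip` uninitialised, since it is declared at the top of the function and assigned only in the IPv4 branch; keep the guard as `(hlen > 0 || is_ipv6) &&` (non-IP packets did not match this opcode before the change). The `XXX BED: verify_path was verify_rev_path in the diff...` comment should be resolved before this is committed: the new function is `verify_rev_path6()` while the IPv4 one stays `verify_path()`, so either the names or the comment is wrong.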
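Review bot: in the ip_fw2.c hunk at @@ -2378,7 +2665,7 @@, `is_icmp_query(ICMP(ulp))` is reached for any IPv4 packet with `proto == IPPROTO_ICMP`, but `ulp` is only set in the IPv4 branch when `offset == 0`, so a reject rule hit by a non-first ICMP fragment dereferences a NULL `ulp` inside is_icmp_query(); guard the call with `offset == 0` (or `ulp != NULL`) and treat a fragment as not-a-query. Note also that the enclosing `hlen > 0` condition means O_REJECT on an IPv6 packet (the hunk at @@ -1730 sets `hlen = 0` for those) never calls send_reject(), so `reject` silently degrades to `deny` for IPv6; if that is intended for now it deserves a comment.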
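Review bot: in the ip_fw2.c check_ipfw_struct() hunk at @@ -2985,9 +3276,32 @@, the size check for O_IP6_SRC_MASK / O_IP6_DST_MASK (`!(cmdlen & 1) || cmdlen > 127`) accepts any odd length including 1, 3 and 5, although the matcher casts the instruction to `ipfw_insn_ip6` and reads `addr6` and `mask6`, i.e. 1 + 2 * F_INSN_SIZE(struct in6_addr) = 9 words; a rule with cmdlen 1 passes the check and the match code then reads 32 bytes past the end of the instruction. Require `cmdlen == 1 + 8 * k` with `k >= 1`, or, since the matcher as written only looks at one address/mask pair, exactly `F_INSN_SIZE(ipfw_insn_ip6)`.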
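Review bot: in the ip_fw_pfil.c hunks at @@ -111,7 +112,10 @@ and @@ -194,7 +198,10 @@, when `ip_v` is neither 4 nor 6 the packet is handed to neither dummynet path, yet the code still sets `*m0 = NULL` and returns 0 ("packet consumed"), so the mbuf is leaked; add an `else` that m_freem()s it. Since the hooks are registered on a specific pfil head (hunk @@ -333,9 +343,18 @@ passes `NULL` as the hook argument for both heads), a cleaner option is to register the AF_INET6 hooks with a distinct `arg` so the callback knows its address family without peeking at the version nibble through `struct ip`.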
> @@ -351,9 +373,18 @@ > pfh_inet = pfil_head_get(PFIL_TYPE_AF, AF_INET); > if (pfh_inet == NULL) > return ENOENT; > +#ifdef INET6 > + pfh_inet6 = pfil_head_get(PFIL_TYPE_AF, AF_INET6); > + if (pfh_inet6 == NULL) > + return ENOENT; > +#endif > > pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); > pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); > +#ifdef INET6 > + pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6); > + pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6); > +#endif > > return 0; > } > > -- > Any statement of the form "X is the one, true Y" is FALSE. > PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 > > -------------------------------------------------------------------------------- > Part 1.2Type: application/pgp-signature From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 6 09:27:26 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1F68A16A4CE; Mon, 6 Sep 2004 09:27:26 +0000 (GMT) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id EE2EE43D46; Mon, 6 Sep 2004 09:27:25 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.8) with ESMTP id i869RPIb028450; Mon, 6 Sep 2004 02:27:25 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id i869RP0d028449; Mon, 6 Sep 2004 02:27:25 -0700 (PDT) (envelope-from rizzo) Date: Mon, 6 Sep 2004 02:27:25 -0700 
From: Luigi Rizzo
To: Andre Oppermann
Message-ID: <20040906022724.A28424@xorpc.icir.org>
References: <20040903215137.GA26762@odin.ac.hmc.edu> <413B9CC5.21E7B776@freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <413B9CC5.21E7B776@freebsd.org>; from andre@freebsd.org on Mon, Sep 06, 2004 at 01:09:57AM +0200
cc: Brooks Davis
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw2 for IPV6
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 06 Sep 2004 09:27:26 -0000

On Mon, Sep 06, 2004 at 01:09:57AM +0200, Andre Oppermann wrote:
...
> Repeat after me with the voice of Gollum "must not reference or carry
> on any pointers to rtentry's through ipfw or dummynet... my preciousss...".

That is an artifact of the old ipfw/dummynet struct. If I ever complete my ARP work, all this should go away.

> ;-)
>
> PS: What about ipfw6?
I suppose that should go away too, since ipfw2 is a superset of ipfw6 (which is really a subset of ipfw1 for IPv6).

cheers
luigi

Date: Mon, 6 Sep 2004 11:03:34 GMT
Message-Id: <200409061103.i86B3Yvi094809@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct

5 problems total.

Non-critical problems
S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already

8 problems total.
Message-ID: <20040906173545.91306.qmail@web40413.mail.yahoo.com>
Date: Mon, 6 Sep 2004 10:35:45 -0700 (PDT)
From: George S
To: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: ipfw dynamic tcp rule issue

Hello all,

I've been having some trouble with this strange ipfw configuration and I am pretty sure it is probably a bug. I posted a note to freebsd-ipfw a little while ago, but I think the problem is better demonstrated with a figure.

If anyone can take a look at this, I would be very appreciative.

Kindest regards,
George

To: George S
From: Ian FREISLICH
In-Reply-To: Message from George S <20040906173545.91306.qmail@web40413.mail.yahoo.com>
Date: Tue, 07 Sep 2004 09:19:52 +0200
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: ipfw dynamic tcp rule issue

George S wrote:
> Hello all,
>
> I've been having some trouble with this strange ipfw configuration and I am
> pretty sure it is probably a bug. I posted a note to freebsd-ipfw a little
> while ago, but I think the problem is better demonstrated with a figure.

Are you sure that you performed the test you described and the results (count updated etc.) actually occurred? I would expect rule 9 to catch the packet on its way back and rule 11 never to be triggered.

Maybe rule 9 should be a check-state rule.

Ian

--
Ian Freislich

Message-ID: <20040907123600.11325.qmail@web40405.mail.yahoo.com>
Date: Tue, 7 Sep 2004 05:36:00 -0700 (PDT)
From: George S
To: Ian FREISLICH
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: ipfw dynamic tcp rule issue

Hi Ian,

Thanks for your response.

Yes, the behaviour is exactly as I describe. What happens is that on its way back, the SYN+ACK packet with DST IP/PORT 10.0.0.2 and SRC IP/PORT 69.196.154.5/80 hits rule #1 where there is a keep-state. This causes ipfw to check all dynamic rules implicitly (as per the ipfw manpage).

Since the SYN+ACK packet is part of a recently set up connection, there is a skipto to rule #10. Rule #10 does not match because the SRC/DST are not correct, so it then passes to rule #11, which does match (and its counters are updated).

The problem is that the packet never finds itself on the fxp0 wire. I will give your check-state suggestion a try but I think the check-state is implicit within rule #1.

Kindest regards,
George

--- Ian FREISLICH wrote:
> George S wrote:
> > Hello all,
> >
> > I've been having some trouble with this strange ipfw configuration and I am
> > pretty sure it is probably a bug. I posted a note to freebsd-ipfw a little
> > while ago, but I think the problem is better demonstrated with a figure.
> http://www.geocities.com/c0sine/fbsdipfw.gif
> Are you sure that you performed the test you described and the results
> (count updated etc.) actually occurred? I would expect rule 9 to
> catch the packet on its way back and rule 11 never to be triggered.
>
> Maybe rule 9 should be a check-state rule.
>
> Ian
>
> --
> Ian Freislich
Message-ID: <5213605.1094564962778.JavaMail.brisbanebsd@mac.com>
Date: Tue, 07 Sep 2004 23:49:22 +1000
From: brisbanebsd@mac.com
To: freebsd-ipfw@freebsd.org
Subject: simple mac address filter

hi all - I am not sure where to post this question. I am trying to set up my first ipfw rule, but I just cannot get it to work.

I need to set up MAC filtering on a 5.2.1 FreeBSD box. I am using the command

ipfw add allow ip from any to any mac any 00:0d:93:81:82:1e

I am just trying to allow traffic (at this stage) from one machine to the FreeBSD box.

If I use

ipfw add allow ip from any to any

I can ping from the above NIC; when I add the first rule (as in the first example above) it stops.

To: George S
From: Ian FREISLICH
In-reply-to: Your message of "Tue, 07 Sep 2004 05:36:00 MST." <20040907123600.11325.qmail@web40405.mail.yahoo.com>
Date: Tue, 07 Sep 2004 17:03:07 +0200
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: ipfw dynamic tcp rule issue

George S wrote:
> Hi Ian,
>
> Thanks for your response.
>
> Yes, the behaviour is exactly as I describe. What happens is that on its way
> back, the SYN+ACK packet with DST IP/PORT 10.0.0.2 and SRC IP/PORT
> 69.196.154.5/80 hits rule #1 where there is a keep-state. This causes ipfw
> to check all dynamic rules implicitly (as per the ipfw manpage).
>
> Since the SYN+ACK packet is part of a recently setup connection, there is a
> skipto to rule #10. Rule #10 does not match because there SRC/DST are not
> correct, so it then passes to rule #11, which does match (and its counters
> are updated).
>
> The problem is that the packet never finds itself on the fxp0 wire. I will
> give your check-state suggestion a try but I think the check-state is
> implicit within rule #1.

I thought you had to explicitly state the check-state. Anyway, I've just noticed that your last rule is #65655 which is higher than the max for an unsigned short. Depending how this overflow is handled, you might get odd behaviour. This might just result in the packet being denied by the default deny rule on the way out of fxp0. Try adding a rule just before the default deny to log matches. It's almost always useful to do this anyway when playing with the ruleset until everything works.
I would have done the rules as follows:

ipfw add 00010 fwd 10.0.0.1 tcp from 10.0.0.2 to any in via fxp0
ipfw add 00020 fwd 192.168.1.1 tcp from any to 10.0.0.2 in via fxp1
ipfw add 65534 allow ip from any to any

Is there any particular reason for wanting a stateful firewall in this case?

Ian

--
Ian Freislich
From: Robert Klein
Organization: roklein.de
To: freebsd-ipfw@freebsd.org
Date: Tue, 7 Sep 2004 22:28:43 +0200
References: <5213605.1094564962778.JavaMail.brisbanebsd@mac.com>
In-Reply-To: <5213605.1094564962778.JavaMail.brisbanebsd@mac.com>
Message-Id: <200409072228.43818.RoKlein@roklein.de>
Reply-To: RoKlein@roklein.de
Subject: Re: simple mac address filter

Hi,

On Tuesday, 7 September 2004 15:49, brisbanebsd@mac.com wrote:
> hi all - i am not sure where to post this question, I am
> trying to set up my first ipfw rule, but I just cannot get it
> to work.
>
> I need to set up MAC filtering on a 5.2.1 Freebsd box. I am
> using the command
>
> ipfw add allow ip from any to any mac any 00:0d:93:81:82:1e
>
> I am just trying to allow traffic ( at this stage) one machine
> to the freebsd box.
>
> If I use
>
> ipfw add allow ip from any to any
>
> I can ping from the above NIC, when I add the first rule ( as
> in first example above ) it stops.

Your problem is that you're "mixing" rules. You see, when a packet enters your computer, IPFW (IPFW2, that is) rules are checked twice, first at layer two, and later at layer three.

Your first rule doesn't allow anything, because it fails at both tests: the first one fails, because there are no "IP" packets at layer two. The second one fails, because there are no MAC addresses at layer three.

To get a better illustration of when the ruleset is checked, please read the section "PACKET FLOW" in the IPFW(8) man page.
Please ensure you've set the necessary system variables

net.inet.ip.fw.enable=1
net.link.ether.ipfw=1

to enable packet checking at level three and two, respectively.

Please see the script below; it is the one I use to allow access by MAC address. The first rule applying to your case is

$IPFW add allow all from any to any not layer2

which says "pass all IP traffic through". I'm not doing any filtering at IP level with IPFW2, so I can safely do this. The next rule is

$IPFW add allow layer2 out via em0

where I'm allowing all traffic out from the filtering box, regardless of MAC address. The third rule is

$IPFW add allow MAC any 00:0d:93:81:82:1e in via em0

where I allow the MAC stated there to pass the filter. My last rule there is

$IPFW add deny log logamount 0 MAC any any in via em0

which I use to get a logfile of every user using an unregistered MAC address...

#!/bin/sh

IPFW=/sbin/ipfw
# ALL="add allow all from any to any MAC any "
ALL="add allow MAC any "
EM="in via em0"

$IPFW -q flush
$IPFW -q pipe flush

# allow everything not on layer 2
$IPFW add allow all from any to any not layer2

# localhost traffic
$IPFW add allow layer2 via lo0

# outbound interface
$IPFW add allow layer2 via fxp0

# out via em0;
$IPFW add allow layer2 out via em0

# in via em0; hostile internal network
$IPFW $ALL 00:0d:93:81:82:1e $EM
# some 40 other rules like the one before
$IPFW add deny log logamount 0 MAC any any $EM

Regards,
Robert
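The two-pass rule evaluation Robert describes, as an added example that is not part of any post in this thread: a small Python model in which a frame has to be allowed once in the layer-2 pass and again in the layer-3 pass, MAC options cannot match in the layer-3 pass, and a frame carrying IP does match "ip" in the layer-2 pass (which is what Skip's rising counters later in the thread show). It runs the original post's single rule and Robert's split rules over two constructed frames; the registered MAC and em0 come from the thread, while the destination MAC, the unknown source MAC and the rule numbers are made up.

```python
# Simplified model of ipfw2's two evaluation passes (layer 2, then layer 3); not ipfw's real matcher.
from dataclasses import dataclass
from typing import Optional
REGISTERED = "00:0d:93:81:82:1e"     # the MAC address from the original post

@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str = "all"               # "all" or "ip"
    layer2: Optional[bool] = None    # True: "layer2", False: "not layer2", None: either pass
    mac_dst: Optional[str] = None    # "any" or an address; None: rule has no MAC option
    mac_src: Optional[str] = None
    direction: Optional[str] = None  # "in", "out" or None (either)
    via: Optional[str] = None        # interface name or None (any)
    packets: int = 0                 # hit counter, as "ipfw show" prints it

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: str                   # "ip" for an IPv4 payload
    iface: str
    direction: str                   # "in" or "out"

def parse_rule(number: int, text: str) -> Rule:
    # Parses only the subset of ipfw(8) rule syntax used in this thread.
    toks = text.split()
    rule = Rule(number=number, action=toks.pop(0))
    while toks:
        t = toks.pop(0).lower()
        if t in ("log", "logamount"):        # logging never affects matching
            if t == "logamount":
                toks.pop(0)
        elif t in ("ip", "all"):
            rule.proto = t
        elif t in ("from", "to"):            # only "any" addresses are modelled
            toks.pop(0)
        elif t == "not" and toks and toks[0].lower() == "layer2":
            toks.pop(0)
            rule.layer2 = False
        elif t == "layer2":
            rule.layer2 = True
        elif t == "mac":                     # ipfw order is "MAC dst-mac src-mac"
            rule.mac_dst = toks.pop(0).lower()
            rule.mac_src = toks.pop(0).lower()
        elif t in ("in", "out"):
            rule.direction = t
        elif t == "via":
            rule.via = toks.pop(0)
        else:
            raise ValueError(f"unsupported token {t!r}")
    return rule

def matches(rule: Rule, f: Frame, at_layer2: bool) -> bool:
    if rule.layer2 is not None and rule.layer2 != at_layer2:
        return False
    if rule.proto == "ip" and f.ethertype != "ip":
        return False                         # an IP frame still counts as "ip" at layer 2
    if rule.mac_dst is not None:
        if not at_layer2:
            return False                     # no Ethernet header in the layer-3 pass
        if rule.mac_dst not in ("any", f.dst_mac) or rule.mac_src not in ("any", f.src_mac):
            return False
    if rule.direction not in (None, f.direction) or rule.via not in (None, f.iface):
        return False
    return True

def run_pass(rules: list, f: Frame, at_layer2: bool) -> str:  # first matching rule wins
    for rule in rules:
        if matches(rule, f, at_layer2):
            rule.packets += 1
            return rule.action
    return "deny"                            # the kernel's default deny

def filter_frame(rules: list, f: Frame) -> str:  # must be allowed at layer 2 and at layer 3
    if run_pass(rules, f, at_layer2=True) == "deny":
        return "deny"
    return run_pass(rules, f, at_layer2=False)

def split_ruleset() -> list:
    # Robert's approach: one layer-3 rule plus separate layer-2 rules (em0 as in his script).
    return [
        parse_rule(100, "allow all from any to any not layer2"),
        parse_rule(200, "allow layer2 out via em0"),
        parse_rule(300, f"allow MAC any {REGISTERED} in via em0"),
        parse_rule(400, "deny log logamount 0 MAC any any in via em0"),
    ]

def demo() -> dict:
    known = Frame(REGISTERED, "00:11:22:33:44:55", "ip", "em0", "in")      # constructed
    rogue = Frame("de:ad:be:ef:00:01", "00:11:22:33:44:55", "ip", "em0", "in")
    op = [parse_rule(10, f"allow ip from any to any MAC any {REGISTERED}")]  # original post
    split = split_ruleset()
    return {
        "op_known": (filter_frame(op, known), op[0].packets),  # counted once, still denied
        "split_known": filter_frame(split, known),
        "split_rogue": filter_frame(split, rogue),
    }
```

With the single combined rule the frame is counted in the layer-2 pass and then falls to the default deny in the layer-3 pass, which is why a rising counter is no proof that traffic gets through.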
Date: Tue, 7 Sep 2004 17:02:45 -0400
From: Skip Ford
To: brisbanebsd@mac.com
Message-ID: <20040907210245.GA587@lucy.pool-70-17-33-17.pskn.east.verizon.net>
References: <5213605.1094564962778.JavaMail.brisbanebsd@mac.com>
In-Reply-To: <5213605.1094564962778.JavaMail.brisbanebsd@mac.com>
cc: freebsd-ipfw@freebsd.org
Subject: Re: simple mac address filter

brisbanebsd@mac.com wrote:
> I need to set up MAC filtering on a 5.2.1 Freebsd box.

Have you enabled it by setting net.link.ether.ipfw to 1?

> ipfw add allow ip from any to any mac any 00:0d:93:81:82:1e

Your rule works fine here.
# ipfw add 10 allow ip from any to any mac 00:50:bf:d3:5a:2f any
00010 allow ip from any to any MAC 00:50:bf:d3:5a:2f any
# ipfw show 10
00010 0 0 allow ip from any to any MAC 00:50:bf:d3:5a:2f any
# sysctl net.link.ether.ipfw=1
net.link.ether.ipfw: 0 -> 1
# ipfw show 10
00010 351 514213 allow ip from any to any MAC 00:50:bf:d3:5a:2f any

--
Skip
From: Robert Klein
Organization: roklein.de
To: freebsd-ipfw@freebsd.org
Date: Tue, 7 Sep 2004 23:12:46 +0200
References: <5213605.1094564962778.JavaMail.brisbanebsd@mac.com> <20040907210245.GA587@lucy.pool-70-17-33-17.pskn.east.verizon.net>
In-Reply-To: <20040907210245.GA587@lucy.pool-70-17-33-17.pskn.east.verizon.net>
Message-Id: <200409072312.46887.RoKlein@roklein.de>
Reply-To: RoKlein@roklein.de
Subject: Re: simple mac address filter

On Tuesday, 7 September 2004 23:02, Skip Ford wrote:
> brisbanebsd@mac.com wrote:
> > I need to set up MAC filtering on a 5.2.1 Freebsd box.
>
> Have you enabled it by setting net.link.ether.ipfw to 1?
>
> > ipfw add allow ip from any to any mac any 00:0d:93:81:82:1e
>
> Your rule works fine here.
>
> # ipfw add 10 allow ip from any to any mac 00:50:bf:d3:5a:2f any
> 00010 allow ip from any to any MAC 00:50:bf:d3:5a:2f any
> # ipfw show 10
> 00010 0 0 allow ip from any to any MAC 00:50:bf:d3:5a:2f any
> # sysctl net.link.ether.ipfw=1
> net.link.ether.ipfw: 0 -> 1
> # ipfw show 10
> 00010 351 514213 allow ip from any to any MAC 00:50:bf:d3:5a:2f any

Umm... I think this should not work, unless you have

options IPFIREWALL_DEFAULT_TO_ACCEPT

in your kernel config file. Could you please check and tell us?
Regards,
Robert

Date: Tue, 7 Sep 2004 17:46:06 -0400
From: Skip Ford
To: freebsd-ipfw@freebsd.org
Message-ID: <20040907214606.GA2502@lucy.pool-70-17-33-17.pskn.east.verizon.net>
References: <5213605.1094564962778.JavaMail.brisbanebsd@mac.com> <20040907210245.GA587@lucy.pool-70-17-33-17.pskn.east.verizon.net> <200409072312.46887.RoKlein@roklein.de>
In-Reply-To: <200409072312.46887.RoKlein@roklein.de>
Subject: Re: simple mac address filter

Robert Klein wrote:
> On Tuesday, 7 September 2004 23:02, Skip Ford wrote:
> > brisbanebsd@mac.com wrote:
> > > I need to set up MAC filtering on a 5.2.1 Freebsd box.
> >
> > Have you enabled it by setting net.link.ether.ipfw to 1?
> >
> > > ipfw add allow ip from any to any mac any 00:0d:93:81:82:1e
> >
> > Your rule works fine here.
> >
> > # ipfw add 10 allow ip from any to any mac 00:50:bf:d3:5a:2f any
> > 00010 allow ip from any to any MAC 00:50:bf:d3:5a:2f any
> > # ipfw show 10
> > 00010 0 0 allow ip from any to any MAC 00:50:bf:d3:5a:2f any
> > # sysctl net.link.ether.ipfw=1
> > net.link.ether.ipfw: 0 -> 1
> > # ipfw show 10
> > 00010 351 514213 allow ip from any to any MAC 00:50:bf:d3:5a:2f any
>
> umm... if I think this should not work.. except you have
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> in your kernel config file. Could you please check and tell us?

No, it denies, but I have other layer 3 rules that allow it. It didn't occur to me the OP was trying to hit both layers with a single rule.
--
Skip
From: Robert Klein
Organization: roklein.de
To: freebsd-ipfw@freebsd.org
Date: Wed, 8 Sep 2004 19:40:20 +0200
References: <5213605.1094564962778.JavaMail.brisbanebsd@mac.com> <200409072312.46887.RoKlein@roklein.de> <20040907214606.GA2502@lucy.pool-70-17-33-17.pskn.east.verizon.net>
In-Reply-To: <20040907214606.GA2502@lucy.pool-70-17-33-17.pskn.east.verizon.net>
Message-Id: <200409081940.20091.RoKlein@roklein.de>
Reply-To: RoKlein@roklein.de
Subject: Re: simple mac address filter

On Tuesday, 7 September 2004 23:46, Skip Ford wrote:
> Robert Klein wrote:
> > umm... if I think this should not work.. except you have
> > options IPFIREWALL_DEFAULT_TO_ACCEPT
> > in your kernel config file. Could you please check and tell
> > us?
>
> No, it denies but I have other layer 3 rules that allow it.
> It didn't occur to me the OP was trying to hit both layers
> with a single rule.

:) It wouldn't have occurred to me either if I hadn't made the same mistake myself...
:P

Robert

Message-ID: <20040908230429.35820.qmail@web40409.mail.yahoo.com>
Date: Wed, 8 Sep 2004 16:04:29 -0700 (PDT)
From: George S
To: Ian FREISLICH
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: ipfw dynamic tcp rule issue

Hi Ian,

--- Ian FREISLICH wrote:
> George S wrote:
> > Hi Ian,
> >
> > Thanks for your response.
> >
> > Yes, the behaviour is exactly as I describe. What happens is that on its way
> > back, the SYN+ACK packet with DST IP/PORT 10.0.0.2 and SRC IP/PORT
> > 69.196.154.5/80 hits rule #1 where there is a keep-state. This causes ipfw
> > to check all dynamic rules implicitly (as per the ipfw manpage).
> >
> > Since the SYN+ACK packet is part of a recently setup connection, there is a
> > skipto to rule #10. Rule #10 does not match because there SRC/DST are not
> > correct, so it then passes to rule #11, which does match (and its counters
> > are updated).
> >
> > The problem is that the packet never finds itself on the fxp0 wire. I will
> > give your check-state suggestion a try but I think the check-state is
> > implicit within rule #1.
> > http://www.geocities.com/c0sine/fbsdipfw.gif
>
> I thought you had to explicitly state the check-state. Anyway,
> I've just noticed that your last rule is #65655 which is higher
> than the max for an unsigned short. Depending how this overflow
> is handled, you might get odd behaviour. This might just result
> in the packet being denied by the default deny rule on the way out
> of fxp0. Try adding a rule just before the default deny to log
> matches. It's almost always useful to do this anyway when playing
> with the ruleset until everything works.

Sorry, that was a typo on my part... the last rule should be #65534.
In any event, the packet rule counters are zero for this rule anyway.

> I would have done the rules as follows:
>
> ipfw add 00010 fwd 10.0.0.1 tcp from 10.0.0.2 to any in via fxp0
> ipfw add 00020 fwd 192.168.1.1 tcp from any to 10.0.0.2 in via fxp1
> ipfw add 65534 allow ip from any to any
>
> Is there any particular reason for wanting a stateful firewall in
> this case?

Yes, it is to differentiate between the following cases of returning SYN+ACK packets received by fxp1:

1. A packet that is responding to the SYN packet originating from A (src ip 10.0.0.2)
2. A packet that is responding to a SYN packet originating from B (also with src ip 10.0.0.2)

Indeed this works, because if I send my test SYN packet from B (src ip 10.0.0.2), the returning SYN+ACK triggers rule #9 (allow ip from any to any) and the packet is not forwarded out the fxp0 interface.

I am still at a loss as to why the packet counts get updated and yet the packet itself is not written out on the wire. Any other suggestions?

Kindest regards,
George S

To: George S
From: Ian FREISLICH
In-Reply-To: Message from George S <20040908230429.35820.qmail@web40409.mail.yahoo.com>
Date: Thu, 09 Sep 2004 12:33:16 +0200
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: ipfw dynamic tcp rule issue

George S wrote:
> > I thought you had to explicitly state the check-state. Anyway,
> > I've just noticed that your last rule is #65655 which is higher
> > than the max for an unsigned short. Depending how this overflow
> > is handled, you might get odd behaviour. This might just result
> > in the packet being denied by the default deny rule on the way out
> > of fxp0. Try adding a rule just before the default deny to log
> > matches. It's almost always useful to do this anyway when playing
> > with the ruleset until everything works.
>
> Sorry, that was a typo on my part... the last rule should be #65534. In
> any event, the packet rule counters are zero for this rule anyway.
>
> > I would have done the rules as follows:
> >
> > ipfw add 00010 fwd 10.0.0.1 tcp from 10.0.0.2 to any in via fxp0
> > ipfw add 00020 fwd 192.168.1.1 tcp from any to 10.0.0.2 in via fxp1
> > ipfw add 65534 allow ip from any to any
> >
> > Is there any particular reason for wanting a stateful firewall in
> > this case?
>
> Yes, it is to differentiate between the following cases of returning SYN+ACK
> packets received by fxp1:
>
> 1. A packet that is responding to the SYN packet originating from A (src ip
> 10.0.0.2)
> 2. A packet that is responding to a SYN packet originating from B (also with
> src ip 10.0.0.2)
>
> Indeed this works, because if I send my test SYN packet from B (src ip
> 10.0.0.2), the returning SYN+ACK triggers rule #9 (allow ip from any to any)
> and the packet is not forwarded out the fxp0 interface.
>
> I am still at a loss as to why the packet counts get updated and yet the
> packet itself is not written out on the wire. Any other suggestions?

Did you try the logging deny rule? If you did, then I am out of ideas.

Ian

--
Ian Freislich

Date: Thu, 9 Sep 2004 17:41:13 +0200
From: Fredrik Bredeli
To: freebsd-ipfw@freebsd.org
Message-ID: <20040909154112.GA14865@maiden.cocacolic.org>
Subject: Queues refuse to use more than one pipe

Hello,

I am trying to limit bandwidth for specific services/IP addresses, but
when I try to use a queue with a pipe other than pipe 1, I get this
error:

ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Invalid argument

# My download pipe
${fwcmd} pipe 1 config bw 2450Kbit/s
# My upload pipe
${fwcmd} pipe 2 config bw 550Kbit/s

### Queues ###
${fwcmd} queue 1 config weight 70 pipe 1 # UDP-traffic
echo pipe 1
${fwcmd} queue 2 config weight 1 pipe 2  # HTTPD, FTPD  <- error
echo pipe 2

Here comes the weird part; I switched the names of the pipes:

# My download pipe
${fwcmd} pipe 2 config bw 2450Kbit/s
# My upload pipe
${fwcmd} pipe 1 config bw 550Kbit/s

### Queues ###
${fwcmd} queue 1 config weight 70 pipe 2 # UDP-traffic  <- error
echo pipe 2
${fwcmd} queue 2 config weight 1 pipe 1  # HTTPD, FTPD
echo pipe 1

It looks like queues only accept pipe 1, even though pipe 2 is identical
(I tested that too). Could anyone explain to me what I am doing wrong?

I am running FreeBSD 4.10-RELEASE-p2 and IPFW 2.

___________________
Fredrik Bredeli.
From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 10 14:34:39 2004
Message-ID: <1311.209.167.16.15.1094827007.squirrel@209.167.16.15>
Date: Fri, 10 Sep 2004 10:36:47 -0400 (EDT)
From: "Steve Bertrand"
To: freebsd-ipfw@freebsd.org
Subject: Rule Sets

I am adding new rules to a ruleset (2) in my firewall script.

When I disable and then re-enable the set in question, the new rules do
not get loaded. Is there a way to enable these newly added rules by
having IPFW pick up the new rules from the set, without having to flush
and reload, or add them manually?

Tks.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 10 18:40:20 2004
Date: Fri, 10 Sep 2004 11:40:26 -0700
From: Brooks Davis
To: Andre Oppermann
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20040910184026.GA24220@odin.ac.hmc.edu>
References: <20040903215137.GA26762@odin.ac.hmc.edu> <413B9CC5.21E7B776@freebsd.org>
In-Reply-To: <413B9CC5.21E7B776@freebsd.org>
Subject: Re: ipfw2 for IPV6

On Mon, Sep 06, 2004 at 01:09:57AM +0200, Andre Oppermann wrote:
> Brooks Davis wrote:
> >
> > I'm working on updating the IPFW2 for IPv6 patch Luigi posted back in
> > April. I've got it partially working with pfil, but I've run into some
> > issues with linklocal addresses and dummynet6. Inbound rules work fine,
> > but output rules do not because the route struct is not carried in to
> > the pfil hook and thus the output interface is lost.
>
> You are supposed to give the output interface as an argument to pfil_run_
> hooks(). Doesn't that suffice?

I've been thinking about this and I think the problem is that we need
to pass the route in to ip6_output in the link local address case. I
think we can generate it in dummynet (at least I hope we can), but I
need to figure that out. I'm going to read some more code today and
I've got the Design and Implementation book coming next week. At this
point it's probably the best doc around since no one has updated TCP/IP
Illustrated v2 yet (I'd love to see a new version based on FreeBSD 6).

> I guess the best thing is to involve into this.
> He's cutting his teeth on the IPv6 code and this is probably something
> he can give some insights.

I'm talking to him (rwatson noticed my branch and pointed him to it).

> PS: What about ipfw6?

Robert wants to kill it off so we don't have to lock it. As Luigi says,
it's redundant once ipfw supports IPv6.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 10 18:56:56 2004
Message-ID: <4141F8E0.8060700@usww.com>
Date: Fri, 10 Sep 2004 14:56:32 -0400
From: Ben Bentsen
To: freebsd-ipfw@freebsd.org
Subject: kernel: ipfw: install_state: Too many dynamic rules

Hello group,

Can anyone shed a little light on the following error messages? I have
spent a great deal of time looking at what is running at about
9:30am-9:45am and have found nothing that I can pin to these errors. No
cron jobs are running anywhere even close to the time. TCPdump does not
shed any light either. This machine has only one purpose: to pass, count,
limit and deny packets to a network. Only SSH and FTP services are
enabled on this machine. What conditions cause this message? Maybe I am
looking in the wrong place.

INET ---- This Machine --- Catalyst 2820 ------ 14 computer units

Aug 7 09:41:34 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 10 09:41:20 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 13 09:41:31 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 15 09:41:29 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 15 09:41:30 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 15 10:41:23 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 17 09:40:50 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 20 09:35:35 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 23 09:35:17 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 27 09:35:33 7206 /kernel: ipfw: install_state: Too many dynamic rules
Aug 31 09:35:31 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 1 09:35:29 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 2 09:35:24 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 3 09:34:58 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 5 09:35:06 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 6 09:34:41 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 7 09:35:00 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 7 09:35:33 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 8 09:34:34 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 9 09:34:41 7206 /kernel: ipfw: install_state: Too many dynamic rules
Sep 10 09:34:59 7206 /kernel: ipfw: install_state: Too many dynamic rules

I am using FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE #0 with IPFW2
compiled in and all the IPV6 compiled out.

The firewall is pretty generic:

/etc/rc.local
sysctl net.link.ether.bridge_cfg=rl0:0,rl1:0
sysctl net.link.ether.bridge_ipfw=1
sysctl net.link.ether.bridge=1

ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 0
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 1
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 2
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 3
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 4
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 5
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 6
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 7
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 8
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 9
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 10
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 11
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 12
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 13
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 14
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 15
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 16
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 17
ipfw -q add 00009 count log logamount 1000 icmp from any to any icmptypes 18
ipfw -q add 00009 count log logamount 1000 icmp from any to any

ipfw -q add 50 deny log logamount 10000 ip from any to any 135
ipfw -q add 50 deny log logamount 10000 ip from any to any 445
ipfw -q add 50 deny log logamount 10000 ip from any to any 139

ipfw -q add 00020 deny log logamount 10000 ip from any to any in frag
ipfw -q add 00020 deny log logamount 10000 tcp from any to any in frag
ipfw -q add 00020 deny log logamount 10000 udp from any to any in frag
ipfw -q add 00020 deny log logamount 10000 icmp from any to any in frag

for i in (Several Mac Addresses)
do
ipfw -q add 100 count mac $i 00:e0:a3:1f:f0:2b
ipfw -q add 100 count mac 00:e0:a3:1f:f0:2b $i
done

ipfw -q add 150 pipe 1 tcp from 216.104.X.X 20,21,25,80,110 to any;ipfw pipe 1 config bw 450Kbit/s
ipfw -q add 151 pipe 2 tcp from 216.104.X.X 554,4040,5050,6763,7070,8080 to any;ipfw pipe 2 config bw 384kbit/s

ipfw -q add 200 check-state

ipfw -q add 275 count all from any to any keep-state

ipfw -q add 302 drop all from 172.16.0.0/12 to any in via rl0
ipfw -q add 304 drop all from 192.168.0.0/16 to any in via rl0

ipfw -q add 01150 deny log logamount 10000 ip from any to any in frag
ipfw -q add 01150 deny log logamount 10000 tcp from any to any in frag
ipfw -q add 01150 deny log logamount 10000 udp from any to any in frag
ipfw -q add 01150 deny log logamount 10000 icmp from any to any in frag

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 10 19:20:30 2004
Message-ID: <4141FE80.E044E6D1@freebsd.org>
Date: Fri, 10 Sep 2004 21:20:32 +0200
From: Andre Oppermann
To: Brooks Davis
Cc: freebsd-ipfw@freebsd.org
References: <20040903215137.GA26762@odin.ac.hmc.edu> <413B9CC5.21E7B776@freebsd.org> <20040910184026.GA24220@odin.ac.hmc.edu>
Subject: Re: ipfw2 for IPV6

Brooks Davis wrote:
>
> On Mon, Sep 06, 2004 at 01:09:57AM +0200, Andre Oppermann wrote:
> > Brooks Davis wrote:
> > >
> > > I'm working on updating the IPFW2 for IPv6 patch Luigi posted back in
> > > April. I've got it partially working with pfil, but I've run into some
> > > issues with linklocal addresses and dummynet6. Inbound rules work fine,
> > > but output rules do not because the route struct is not carried in to
> > > the pfil hook and thus the output interface is lost.
> >
> > You are supposed to give the output interface as an argument to pfil_run_
> > hooks(). Doesn't that suffice?
>
> I've been thinking about this and I think the problem is that we need
> to pass the route in to ip6_output in the link local address case. I
> think we can generate it in dummynet (at least I hope we can), but I
> need to figure that out. I'm going to read some more code today and

I've just killed any route knowledge from dummynet and it should stay
that way. (Before it was a really nasty, but required, hack.)

What you could do is to attach an mtag to the IPv6 packet containing the
pointer to the rtentry you want to pass along with it. You need to write
your own mtag-free routine for this one because if the mtag gets deleted
the refcount on the rtentry *must* be decremented. If you don't do it
through a specific mtag-free routine this won't be done for the cases
where an m_freem is done.

> I've got the Design and Implementation book coming next week. At this
> point it's probably the best doc around since no one has updated TCP/IP
> Illustrated v2 yet (I'd love to see a new version based on FreeBSD 6).

There is nothing special regarding this in the book. I know, I've
tech-reviewed the networking chapters. ;-)

> > I guess the best thing is to involve into this.
> > He's cutting his teeth on the IPv6 code and this is probably something
> > he can give some insights.
>
> I'm talking to him (rwatson noticed my branch and pointed him to it).
>
> > PS: What about ipfw6?
>
> Robert wants to kill it off so we don't have to lock it. As Luigi says,
> it's redundant once ipfw supports IPv6.

Ok, good.

--
Andre

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 10 19:57:48 2004
Message-Id: <200409102157.3439103.6@btsoftware.com>
From: "Martin"
To: "Ben Bentsen", "freebsd-ipfw@freebsd.org"
Date: Fri, 10 Sep 2004 21:57:32 +0200 (CEST)
In-Reply-To: <4141F8E0.8060700@usww.com>
Subject: Re: kernel: ipfw: install_state: Too many dynamic rules

I assume the rule numbering in the email is a typo, only in this email
and not in your actual rules.

Personally, I would guard my keep-state rule a bit. This way, an attempt
is made to pass all incoming garbage somewhere, occupying a keep-state
rule position, even if there's no real destination. Or so to say, if
somebody bombs your system with garbage TCP connect attempts, your ipfw
will go through its knees.

My suggestion would be to have the keep-state rule limited to outgoing
connections from your internal addresses.

Martin.

On Fri, 10 Sep 2004 14:56:32 -0400, Ben Bentsen wrote:
> Hello group,
>
> Can anyone shed a little light on the following error messages? I have
> spent a great deal of time looking at what is running at about
> 9:30am-9:45am and have found nothing that I can pin to these errors. No
> cron jobs are running anywhere even close to the time. TCPdump does not
> shed any light either. This machine has only one purpose: to pass, count,
> limit and deny packets to a network. Only SSH and FTP services are
> enabled on this machine. What conditions cause this message? Maybe I am
> looking in the wrong place.
>
> INET ---- This Machine --- Catalyst 2820 ------ 14 computer units
>
> Aug 7 09:41:34 7206 /kernel: ipfw: install_state: Too many dynamic rules
> Aug 10 09:41:20 7206 /kernel: ipfw: install_state: Too many dynamic rules
[remaining error messages snipped]
>
> I am using FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE #0 with IPFW2
> compiled in and all the IPV6 compiled out.
>
> The firewall is pretty generic:
>
> /etc/rc.local
> sysctl net.link.ether.bridge_cfg=rl0:0,rl1:0
> sysctl net.link.ether.bridge_ipfw=1
> sysctl net.link.ether.bridge=1
[ruleset quoted in full in the original; snipped]
>
> ipfw -q add 200 check-state
>
> ipfw -q add 275 count all from any to any keep-state
[remaining rules snipped]

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 10 20:35:25 2004
Message-ID: <4141F3E1.3070906@esoltani.com>
Date: Fri, 10 Sep 2004 13:35:13 -0500
From: Patrick
To: Ben Bentsen
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <4141F8E0.8060700@usww.com>
Subject: Re: kernel: ipfw: install_state: Too many dynamic rules

Ben Bentsen wrote:
> Hello group,
>
> Can anyone shed a little light on the following error messages? I have
> spent a great deal of time looking at what is running at about
> 9:30am-9:45am and have found nothing that I can pin to these errors. No
> cron jobs are running anywhere even close to the time. TCPdump does not
> shed any light either. This machine has only one purpose: to pass, count,
> limit and deny packets to a network. Only SSH and FTP services are
> enabled on this machine. What conditions cause this message? Maybe I am
> looking in the wrong place.
>
> INET ---- This Machine --- Catalyst 2820 ------ 14 computer units
>
> Aug 7 09:41:34 7206 /kernel: ipfw: install_state: Too many dynamic rules
> Aug 10 09:41:20 7206 /kernel: ipfw: install_state: Too many dynamic rules
> Aug 13 09:41:31 7206 /kernel: ipfw: install_state: Too many dynamic rules

You see these because you have most of your rules set up to utilize the
keep-state stuff (stateful thingy).

A couple of things you can do:

#sysctl -a | grep bucket
net.inet.ip.fw.dyn_buckets: 256

which is the default, at least on 5.2.1, and should be the same on 4.x.
Increasing this will require more memory, but should give *some* relief.

Make an explicit rule for outgoing packets.

Regards,
Patrick Soltani.
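The two suggestions in this thread, Martin's (create state only for connections leaving the inside network) and Patrick's (enlarge the dynamic-rule table), as an added rc.firewall-style script; this is not the poster's ruleset and not code from the thread. It assumes rl1 is the interface facing the 14 inside hosts (rl0 being the outside interface, as in the poster's own rules), uses the placeholder prefix 192.0.2.0/24 where the poster's 216.104.X.X was elided, and takes FWCMD=echo for a dry run on a machine without ipfw.

```shell
#!/bin/sh
# Added example, not code from the thread. The poster's rule
#   ipfw -q add 275 count all from any to any keep-state
# installs a dynamic rule for every packet in either direction, so
# unsolicited inbound traffic alone can fill the table. Below: the same
# counting without any state, a keep-state rule guarded to connections
# from inside, and sizing of the table with a sanity check on the value.
# Assumptions (constructed): inside interface rl1, outside interface rl0,
# inside prefix 192.0.2.0/24, rule numbers 200-277. FWCMD=echo dry-runs.

fwcmd="${FWCMD:-ipfw -q}"
sysctlcmd="${SYSCTLCMD:-sysctl}"
iif="${IIF:-rl1}"                          # faces the inside hosts
oif="${OIF:-rl0}"                          # faces the Internet
inside_net="${INSIDE_NET:-192.0.2.0/24}"   # placeholder prefix

# The rule from the thread, kept only for comparison; never loaded here.
weak_rule() {
    echo 'count all from any to any keep-state'
}

# If a per-connection count is all that is wanted, no dynamic table is
# needed: one TCP SYN from an inside host is one connection attempt.
load_counting_rules() {
    ${fwcmd} add 270 count tcp from "${inside_net}" to any in via "${iif}" setup
}

# If state is wanted (replies matched by check-state), create it only for
# connections initiated from inside. Packets arriving on the outside
# interface never reach a keep-state rule, so junk from the Internet
# cannot occupy dynamic-table slots. Inbound SYNs are counted and logged
# (not denied) because the posted ruleset has no allow rules and so
# evidently relies on a default-accept policy for the inside services.
load_stateful_rules() {
    ${fwcmd} add 200 check-state
    ${fwcmd} add 275 allow tcp from "${inside_net}" to any in via "${iif}" setup keep-state
    ${fwcmd} add 276 allow udp from "${inside_net}" to any in via "${iif}" keep-state
    ${fwcmd} add 277 count log logamount 1000 tcp from any to any in via "${oif}" setup
}

# ipfw(8) requires net.inet.ip.fw.dyn_buckets to be a power of two.
check_buckets() {  # $1 = candidate value; true if acceptable
    n=$1
    [ "${n}" -gt 0 ] 2>/dev/null || return 1
    [ $(( n & (n - 1) )) -eq 0 ]
}

# Grow the hash table (Patrick: 256 is the default he sees) and the hard
# cap whose overflow produces "install_state: Too many dynamic rules".
tune_dynamic_table() {  # $1 = dyn_buckets, $2 = dyn_max
    if ! check_buckets "$1"; then
        echo "dyn_buckets must be a power of two, got '$1'" >&2
        return 1
    fi
    ${sysctlcmd} net.inet.ip.fw.dyn_buckets="$1"
    ${sysctlcmd} net.inet.ip.fw.dyn_max="$2"
}

case "${1:-}" in
    --dry-run) fwcmd="echo ipfw -q"; sysctlcmd="echo sysctl"
               tune_dynamic_table 1024 8192; load_stateful_rules ;;
    --apply)   tune_dynamic_table 1024 8192 && load_stateful_rules ;;
esac
```

Run it as `sh dyn-rules.sh --dry-run` to see the exact commands before loading them with `--apply` on the bridge.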
From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 10 20:46:13 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2C2C616A4CE for ; Fri, 10 Sep 2004 20:46:13 +0000 (GMT) Received: from mailhost.wsf.at (server202.serveroffice.com [217.196.72.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 86D5243D1D for ; Fri, 10 Sep 2004 20:46:11 +0000 (GMT) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (root@localhost)i8AKgb9F074732 for ; Fri, 10 Sep 2004 22:42:37 +0200 (CEST) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (http.wsf.at [217.196.72.203]) i8AKgbdn074724; Fri, 10 Sep 2004 22:42:37 +0200 (CEST) (envelope-from tw@wsf.at) Date: Fri, 10 Sep 2004 20:42:37 -0000 To: Ben Bentsen , freebsd-ipfw@freebsd.org 
From: Thomas Wolf X-Mailer: twiggi 1.10.3 Message-ID: <20040910224237.e7tduotip7ccgk@.mailhost.wsf.at> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: kernel: ipfw: install_state: Too many dynamic rules X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: tw@wsf.at List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Sep 2004 20:46:13 -0000 Ben Bentsen schrieb: > Hello group, > > Can any shed a little light on the following error messages. I have > spent a great deal of time looking at what is running at about > 9:30am-9:45am and have found nothing that I can pin to these errors. No > cron jobs are running anywhere even close to the time. TCPdump does not > shed any light either. This machine has only one purpose to pass, count, > limit and deny packets to a network Only SSH and FTP services are > enabled on this machine. What conditions case this message maybe I am > looking in the wrong place. > > INET ---- This Machine --- Catalyst 2820 ------ 14 computer units > > Aug 7 09:41:34 7206 /kernel: ipfw: install_state: Too many dynamic rules > Aug 10 09:41:207206 /kernel: ipfw: install_state: Too many dynamic rules [error messages snipped] [lot of rules without keep-state snipped] > > ipfw -q add 200 check-state > > ipfw -q add 275 count all from any to any keep-state keep-state on a 'count' - rule?? Never seen before. What is the purpose of this rule, besides filling up your dynamic rule table? ;-) Thomas -- Thomas Wolf Wiener Software Fabrik Dubas u. 
Wolf GMBH 1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 10 20:55:08 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1990516A4CE for ; Fri, 10 Sep 2004 20:55:08 +0000 (GMT) Received: from mailhost.wsf.at (server202.serveroffice.com [217.196.72.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id 50BF343D60 for ; Fri, 10 Sep 2004 20:55:07 +0000 (GMT) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (root@localhost)i8AKpYO9074950 for ; Fri, 10 Sep 2004 22:51:34 +0200 (CEST) (envelope-from tw@wsf.at) Received: from mailhost.wsf.at (http.wsf.at [217.196.72.203]) i8AKpXdn074942; Fri, 10 Sep 2004 22:51:34 +0200 (CEST) (envelope-from tw@wsf.at) Date: Fri, 10 Sep 2004 20:51:33 -0000 To: Steve Bertrand , freebsd-ipfw@freebsd.org
From: Thomas Wolf X-Mailer: twiggi 1.10.3 Message-ID: <20040910225133.e7tgbdlt67sww4@.mailhost.wsf.at> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: Rule Sets X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: tw@wsf.at List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Sep 2004 20:55:08 -0000

Steve Bertrand schrieb:
> I am adding new rules to a ruleset (2) in my firewall script.
>
> When I disable and then re-enable the set in question, the new rules
> do not get loaded. Is there a way to enable these newly added rules by
> having IPFW pick up the new rules from the set, without having to
> flush and reload, or add them manually?

Hm, could you post the commands you are trying or at least the error messages you are getting? I just verified the following and it works fine:

bsd52# ipfw add 1 set 2 count all from any to any
00001 count ip from any to any
bsd52# ipfw -S show 1
00001 47 4012 set 2 count ip from any to any
bsd52# ipfw set disable 2
bsd52# ipfw -S show 1
# DISABLED 00001 104 8944 set 2 count ip from any to any
bsd52# ipfw set enable 2
bsd52# ipfw -S show 1
00001 114 9832 set 2 count ip from any to any
bsd52#

(This is on 5.2.1-RELEASE-p9, what do you have?)

Thomas

--
Thomas Wolf Wiener Software Fabrik Dubas u.
Wolf GMBH 1050 Wien, Mittersteig 4

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 11 03:53:48 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A33716A4CE for ; Sat, 11 Sep 2004 03:53:48 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 00DF243D2D for ; Sat, 11 Sep 2004 03:53:48 +0000 (GMT) (envelope-from csjp@freebsd.org) Received: from freefall.freebsd.org (csjp@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i8B3rl4r072924 for ; Sat, 11 Sep 2004 03:53:47 GMT (envelope-from csjp@freebsd.org) Received: (from csjp@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i8B3rlW2072923 for ipfw@freebsd.org; Sat, 11 Sep 2004 03:53:47 GMT (envelope-from csjp@freebsd.org) X-Authentication-Warning: freefall.freebsd.org: csjp set sender to csjp@freebsd.org using -f Date: Sat, 11 Sep 2004 03:53:47 +0000
From: "Christian S.J. Peron" To: ipfw@freebsd.org Message-ID: <20040911035347.GA72659@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i Subject: kern/63961 (partially) approval/review request X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Sep 2004 03:53:48 -0000

Currently when ipfw(8) generates the micro-instructions for rules which contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical operator bits get clobbered, making it impossible to use the ``NOT'' or ``OR'' operators with uid, gid and jail based constraints.

The ipfw_insn instruction template contains a ``len'' element which stores two pieces of information: the size of the instruction (in 32-bit words) in the low 6 bits of "len", with the 2 remaining bits used to implement OR and NOT.

The current code clobbers the OR and NOT bits by initializing the ``len'' element to the size, rather than OR'ing the bits. This change fixes this by changing the initialization of cmd->len to an OR operation for the O_UID, O_GID and O_JAIL opcodes.

I think I have fixed this; anyone have a problem with me committing this?

http://people.freebsd.org/~csjp/ipfw2.c.1094753841.diff

--
Christian S.J.
Peron csjp@FreeBSD.ORG FreeBSD Committer

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 11 12:20:55 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 966D216A4CE; Sat, 11 Sep 2004 12:20:55 +0000 (GMT) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 74C0643D53; Sat, 11 Sep 2004 12:20:55 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.8) with ESMTP id i8BCKtIb037118; Sat, 11 Sep 2004 05:20:55 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id i8BCKt4S037117; Sat, 11 Sep 2004 05:20:55 -0700 (PDT) (envelope-from rizzo) Date: Sat, 11 Sep 2004 05:20:54 -0700
From: Luigi Rizzo To: "Christian S.J. Peron" Message-ID: <20040911052054.B37072@xorpc.icir.org> References: <20040911035347.GA72659@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20040911035347.GA72659@freefall.freebsd.org>; from csjp@freebsd.org on Sat, Sep 11, 2004 at 03:53:47AM +0000 cc: ipfw@freebsd.org Subject: Re: kern/63961 (partially) approval/review request X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Sep 2004 12:20:55 -0000

Sounds good to me. Please go ahead and commit to all relevant revisions.

I wonder about the cast at line 3330:

    cmd32->d[0] = (unsigned int)jid;

given that d[] is an array of 32-bit things, maybe the correct cast should be to uint32_t.

cheers
luigi

On Sat, Sep 11, 2004 at 03:53:47AM +0000, Christian S.J. Peron wrote:
> Currently when ipfw(8) generates the micro-instructions for rules which
> contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical
> operator bits get clobbered, making it impossible to use the ``NOT'' or
> ``OR'' operators with uid, gid and jail based constraints.
>
> The ipfw_insn instruction template contains a ``len'' element which
> stores two pieces of information: the size of the instruction
> (in 32-bit words) in the low 6 bits of "len", with the 2 remaining
> bits used to implement OR and NOT.
>
> The current code clobbers the OR and NOT bits by initializing the
> ``len'' element to the size, rather than OR'ing the bits. This
> change fixes this by changing the initialization of cmd->len
> to an OR operation for the O_UID, O_GID and O_JAIL opcodes.
>
> I think I have fixed this; anyone have a problem with me
> committing this?
>
> http://people.freebsd.org/~csjp/ipfw2.c.1094753841.diff
>
> --
> Christian S.J.
> Peron
> csjp@FreeBSD.ORG
> FreeBSD Committer
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 11 23:24:43 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EAD0E16A4CE; Sat, 11 Sep 2004 23:24:43 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id CAFD243D5A; Sat, 11 Sep 2004 23:24:43 +0000 (GMT) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) i8BNOhC5063601; Sat, 11 Sep 2004 23:24:43 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i8BNOhVA063597; Sat, 11 Sep 2004 23:24:43 GMT (envelope-from linimon) Date: Sat, 11 Sep 2004 23:24:43 GMT From: Mark Linimon Message-Id: <200409112324.i8BNOhVA063597@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/71366: "ipfw fwd" sometimes rewrites destination mac address when it's not necessary (packet must not meet the rule) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Sep 2004 23:24:44 -0000

Synopsis: "ipfw fwd" sometimes rewrites destination mac address when it's not necessary (packet must not meet the rule)

Responsible-Changed-From-To: freebsd-bugs->ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Sat Sep 11 23:24:30 GMT 2004
Responsible-Changed-Why:
Over to mailing list.

http://www.freebsd.org/cgi/query-pr.cgi?pr=71366
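The len-byte clobbering that Christian Peron describes in the kern/63961 thread above, and the uint32_t cast Luigi Rizzo raises in his reply, can be reproduced in user space without the kernel. The following is an added example written for this page; it is not code from ipfw2.c or from Christian's diff. The F_NOT/F_OR/F_LEN_MASK values, the F_INSN_SIZE macro and the ipfw_insn layout are written from memory of sys/netinet/ip_fw.h and should be checked against your tree (in the real header the opcode field is a bitfield enum, modelled here as a plain uint8_t). fill_jail_buggy, fill_jail_fixed and encode_jail are hypothetical stand-ins for the O_JAIL path in ipfw2.c, before and after the change.

```c
/*
 * Added example (not ipfw's own code): shows how assigning to
 * ipfw_insn.len discards a F_NOT / F_OR flag the parser set earlier,
 * and how OR'ing the size in preserves it (kern/63961).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits packed into the high two bits of ipfw_insn.len
 * (values as recalled from ip_fw.h; assumption, verify locally). */
#define F_NOT       0x80
#define F_OR        0x40
#define F_LEN_MASK  0x3f
#define F_LEN(cmd)  ((cmd)->len & F_LEN_MASK)

/* Size of an instruction in 32-bit words, as ip_fw.h computes it. */
#define F_INSN_SIZE(t) (sizeof(t) / sizeof(uint32_t))

enum ipfw_opcodes { O_NOP = 0, O_UID, O_GID, O_JAIL };

typedef struct _ipfw_insn {
	uint8_t  opcode;	/* ip_fw.h: enum ipfw_opcodes opcode:8 */
	uint8_t  len;		/* size in words | F_NOT | F_OR */
	uint16_t arg1;
} ipfw_insn;

typedef struct _ipfw_insn_u32 {
	ipfw_insn o;
	uint32_t  d[1];		/* 32-bit payload, hence Luigi's cast remark */
} ipfw_insn_u32;

/*
 * Before the fix (hypothetical stand-in): a plain assignment overwrites
 * the whole byte, so a flag set earlier for "not jail 3" or
 * "uid 0 or jail 3" is lost and the kernel evaluates the plain match.
 */
static void
fill_jail_buggy(ipfw_insn_u32 *cmd32, int jid)
{
	cmd32->o.opcode = O_JAIL;
	cmd32->o.len = F_INSN_SIZE(ipfw_insn_u32);	/* clobbers F_NOT/F_OR */
	cmd32->d[0] = (uint32_t)jid;
}

/* After the fix: OR the size in and keep whatever flag bits are set. */
static void
fill_jail_fixed(ipfw_insn_u32 *cmd32, int jid)
{
	cmd32->o.opcode = O_JAIL;
	cmd32->o.len |= F_INSN_SIZE(ipfw_insn_u32);
	cmd32->d[0] = (uint32_t)jid;	/* d[] is 32-bit, so cast to uint32_t */
}

/*
 * Model the parser order: "not" / "or" are recorded in len before the
 * opcode-specific fill runs. Returns the final len byte so the caller
 * can check whether the flag survived.
 */
static uint8_t
encode_jail(int jid, uint8_t flags, int use_fixed)
{
	ipfw_insn_u32 cmd32;

	memset(&cmd32, 0, sizeof(cmd32));
	cmd32.o.len |= flags;
	if (use_fixed)
		fill_jail_fixed(&cmd32, jid);
	else
		fill_jail_buggy(&cmd32, jid);
	return cmd32.o.len;
}

/* How the kernel side decodes the byte when walking the rule. */
static int insn_is_negated(uint8_t len) { return (len & F_NOT) != 0; }
static int insn_is_or(uint8_t len)      { return (len & F_OR) != 0; }
static int insn_words(uint8_t len)      { return len & F_LEN_MASK; }

int
main(void)
{
	uint8_t before = encode_jail(3, F_NOT, 0);
	uint8_t after  = encode_jail(3, F_NOT, 1);

	printf("buggy: len=0x%02x words=%d not=%d\n", before,
	    insn_words(before), insn_is_negated(before));
	printf("fixed: len=0x%02x words=%d not=%d\n", after,
	    insn_words(after), insn_is_negated(after));
	return 0;
}
```

With ipfw_insn_u32 being two 32-bit words, the buggy path yields len 0x02 for "not jail 3" (the negation is silently gone, so the rule matches the opposite of what was written), while the fixed path yields 0x82: two words plus F_NOT. The same holds for F_OR. The check worth keeping from this is that any opcode fill routine must OR into len, never assign to it, because the parser has already stored the operator bits there.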