From owner-freebsd-net Mon Dec 24 11:53:52 2001
Delivered-To: freebsd-net@freebsd.org
Received: from comp.chem.msu.su (comp-ext.chem.msu.su [158.250.32.157]) by hub.freebsd.org (Postfix) with ESMTP id B33F337B41A; Mon, 24 Dec 2001 11:53:46 -0800 (PST)
Received: (from yar@localhost) by comp.chem.msu.su (8.11.1/8.11.1) id fBOJrhH07686; Mon, 24 Dec 2001 22:53:44 +0300 (MSK) (envelope-from yar)
Date: Mon, 24 Dec 2001 22:53:43 +0300
From: Yar Tikhiy
To: Maxim Konovalov
Cc: net@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: Processing IP options reveals IPSTEALH router
Message-ID: <20011224225343.A5819@comp.chem.msu.su>
References: <20011221185118.B25868@comp.chem.msu.su> <20011223022614.U18529-100000@news1.macomnet.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011223022614.U18529-100000@news1.macomnet.ru>; from maxim@macomnet.ru on Sun, Dec 23, 2001 at 02:29:14AM +0300
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Dec 23, 2001 at 02:29:14AM +0300, Maxim Konovalov wrote:
> 
> On 18:51+0300, Dec 21, 2001, Yar Tikhiy wrote:
> 
> > I made a patch that adds the "stealthy IP options feature".
> > Honestly, now I'm afraid it's "much ado about nothing", given how
> > clumsy a solution is needed for such a small problem. Even the way
> > of ignoring IP options completely when doing IPSTEALTH looks way
> > better...
> 
> IMHO it is not a good idea to forward a packet with possibly incorrect
> IP options.

Forwarding a packet without decreasing its TTL may be an even worse idea :-)
We're breaking the standard with IPSTEALTH anyway, so to my mind the
best idea is to avoid spoiling the system code too much.

> The patch looks OK for me.

All right, if anyone else feels committing that patch of mine is OK
and tells that to me, I'll commit it.
--
Yar

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Mon Dec 24 19:25:26 2001
Delivered-To: freebsd-net@freebsd.org
Received: from mars-gw.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id 979E637B405; Mon, 24 Dec 2001 19:25:20 -0800 (PST)
Received: from NDNM ([195.161.98.250]) by mars-gw.morning.ru (8.11.5/8.11.5) with ESMTP id fBP3PI710679; Tue, 25 Dec 2001 10:25:19 +0700 (KRAT)
Date: Tue, 25 Dec 2001 10:26:46 +0700
From: Igor M Podlesny
X-Mailer: The Bat! (v1.53d) Business
Organization: Morning Network
X-Priority: 3 (Normal)
Message-ID: <121521816522.20011225102646@morning.ru>
To: Yar Tikhiy
Cc: Maxim Konovalov, net@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re[2]: Processing IP options reveals IPSTEALH router
In-Reply-To: <20011224225343.A5819@comp.chem.msu.su>
References: <20011221185118.B25868@comp.chem.msu.su> <20011223022614.U18529-100000@news1.macomnet.ru> <20011224225343.A5819@comp.chem.msu.su>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> On Sun, Dec 23, 2001 at 02:29:14AM +0300, Maxim Konovalov wrote:
>>
>> On 18:51+0300, Dec 21, 2001, Yar Tikhiy wrote:
>>
>> > I made a patch that adds the "stealthy IP options feature".
>> > Honestly, now I'm afraid it's "much ado about nothing", given how
>> > clumsy a solution is needed for such a small problem. Even the way
>> > of ignoring IP options completely when doing IPSTEALTH looks way
>> > better...
>>
>> IMHO it is not a good idea to forward a packet with possibly incorrect
>> IP options.

> Forwarding a packet without decreasing its TTL may be an even worse idea :-)

Yeah. Two routers with IPSTEALTH and wrong routing (when A-box sends a
datagram to B-box and the B-box uses the default route to A-box for it)
will effectively eat up the channel between them... And this is quite
easy to set up...

> We're breaking the standard with IPSTEALTH anyway, so to my mind the
> best idea is to avoid spoiling the system code too much.

>> The patch looks OK for me.

> All right, if anyone else feels committing that patch of mine is
> OK and tells that to me, I'll commit it.

--
Igor M Podlesny a.k.a.
Poige http://www.morning.ru/~poige

From owner-freebsd-net Tue Dec 25 1:47:55 2001
Delivered-To: freebsd-net@freebsd.org
Received: from acura.isprime.com (acura.isprime.com [130.94.138.66]) by hub.freebsd.org (Postfix) with ESMTP id 9D8F237B416 for ; Tue, 25 Dec 2001 01:47:53 -0800 (PST)
Received: from winter (localhost [127.0.0.1]) by acura.isprime.com (8.11.3/8.11.2) with SMTP id fBP9lqD03020 for ; Tue, 25 Dec 2001 04:47:53 -0500 (EST)
Message-ID: <000501c18d28$ee403c80$4300a8c0@winter>
From: "Phil Rosenthal"
To:
Subject: FXP Bundling on a STL2
Date: Tue, 25 Dec 2001 04:45:47 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Disposition-Notification-To: "Phil Rosenthal"
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I noticed that the FXP built in to my STL2 motherboards seems to have no
difference on 4.5-PRERELEASE whether bundling is on or off, but an
external FXP PCI card does begin to have a difference when receiving
~1000 pps (about half the interrupts). Does the STL2 FXP not support
bundling?

--Phil

From owner-freebsd-net Wed Dec 26 4:14:03 2001
Delivered-To: freebsd-net@freebsd.org
Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.24.11]) by hub.freebsd.org (Postfix) with ESMTP id 7542937B417 for ; Wed, 26 Dec 2001 04:13:57 -0800 (PST)
Received: from mira-sjc5-2.cisco.com (mira-sjc5-2.cisco.com [171.71.163.16]) by sj-msg-core-2.cisco.com (8.11.3/8.9.1) with ESMTP id fBQCDg121752; Wed, 26 Dec 2001 04:13:42 -0800 (PST)
Received: from stewart.chicago.il.us (ssh-sj1.cisco.com [171.68.225.134]) by mira-sjc5-2.cisco.com (Mirapoint) with ESMTP id AAP40696; Wed, 26 Dec 2001 04:13:39 -0800 (PST)
Message-ID: <3C29BEF3.611BCAFE@stewart.chicago.il.us>
Date: Wed, 26 Dec 2001 06:13:40 -0600
From: Randall Stewart
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Bosko Milekic
Cc: net@FreeBSD.ORG
Subject: Re: m_reclaim and a protocol drain
References: <3C235866.B063CC7B@stewart.chicago.il.us> <20011221134307.A69233@technokratis.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Bosko:

Sorry for the delayed response... some comments below..

Bosko Milekic wrote:
> 
> On Fri, Dec 21, 2001 at 09:42:30AM -0600, Randall Stewart wrote:
> > Hi all:
> >
> > I have a question. I have been working to test the new
> > sctp_drain function I am adding and have had a very difficult
> > time getting the drain function to be called by the mbuf system...
> >
> > Now here is what I most observe from some of the test cases
> > I am building:
> >
> > A) All inbound packets get a cluster down in the driver routine.
> > B) There is a much smaller limit to clusters
> > C) The cluster allocation routine will NOT call reclaim() et.al.
> 
> This has changed in -CURRENT and it should be easy to change -STABLE
> to do the same. -CURRENT now drains the protocols in the cluster
> starvation case too.
> 
> > D) Of course since the lower drivers are allocating M_DONTWAIT
> > even if they did I would not get the routine called.
> >
> > Now this brings to light a weakness in my mind on the reclaim
> > system.
> >
> > 1) One of the primary things I thought the drain() functions
> > help with is to ward off DOS attacks.
> 
> Well, no, not really. They're just there to `help' out in any
> starvation case, really.
> 

This comment fascinates me. The reason we made SACKs in SCTP
revocable is due to the potential DOS attack that someone can
supposedly launch if you don't allow the stack to revoke.
I can actually see the reason that Sally made the comments and had us
change it so that SACKs are revocable. However, you argue to the
contrary and I wonder which is correct.

If you do not allow revoking it is the same as if a protocol does not
hold a drain() function. An attacker could easily stuff a lot of
out-of-order segments at you and thus fill up all your mbufs or clusters
(in my current testing case). This would then yield a DOS since you
could no longer receive any segments and leave you high and dry....

> > 2) If drivers all use clusters only and clusters can never
> > call a drain() function, does this not leave both TCP and
> > SCTP weak against an attack on the cluster side of the MBUF
> > system?
> 
> Well, firstly, all clusters are accompanied by mbufs. Secondly, as
> mentioned above, -CURRENT drains in both cases.
> 

Hmm.. I will look at updating this...

> > 3) I can see if we are out of mbufs eventually something sending
> > down will do a mget(..) with a M_WAIT which can spawn the drains
> > should we not have something like this for a cluster allocation??
> 
> There's no way we can have M_DONTWAIT allocations possibly drain the
> protocols. It would be way too much time for an M_DONTWAIT allocation,
> especially in light of where we may be going with this in the future
> (i.e. processing some packets from interrupt context - perhaps).
> 
> What I think you should do in your code is make the calls with
> M_TRYWAIT (what you call M_WAIT) wherever they are possible and only
> call with M_DONTWAIT where it's really not possible to wait. The
> M_TRYWAIT flag does not imply "run slower than M_DONTWAIT," it just
> means "try harder even if it takes a little longer, since we are able to
> block."
> 

A couple of comments here:

a) There is NO M_TRYWAIT in the 4.3 strain I am working on.. I am
   about to upgrade to 4.4. so maybe it will appear there :>

b) It is NOT my code that I am talking about.
   The issue is I am stuffing a LOT of out-of-order segments up the SCTP
   stack to get the drain() function called (so I can test it). Nothing
   ever calls the drain function and instead we lose packets at input
   since the drivers in the ethernet side of things (as you mention) do
   a M_DONTWAIT.

My code uses M_WAIT wherever it can... Hmm, maybe that's it... I need to
somehow activate a condition where I send a large segment and do a
M_WAIT... Probably easier to build a test ioctl to call the drain
function though..

R

> > If we don't it seems to me the utility of the drain() function is
> > very very limited..
> >
> > Regards
> >
> > R
> >
> > --
> > Randall R. Stewart
> > randall@stewart.chicago.il.us 815-342-5222 (cell phone)
> 
> --
> Bosko Milekic
> bmilekic@FreeBSD.org
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

--
Randall R. Stewart
randall@stewart.chicago.il.us 815-342-5222 (cell phone)

From owner-freebsd-net Wed Dec 26 5:47:55 2001
Delivered-To: freebsd-net@freebsd.org
Received: from iguana.aciri.org (iguana.aciri.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 368A137B41E; Wed, 26 Dec 2001 05:47:46 -0800 (PST)
Received: (from rizzo@localhost) by iguana.aciri.org (8.11.3/8.11.1) id fBQDgrl62416; Wed, 26 Dec 2001 05:42:53 -0800 (PST) (envelope-from rizzo)
Date: Wed, 26 Dec 2001 05:42:53 -0800
From: Luigi Rizzo
To: "Robert D. Hughes"
Cc: Yusuf Goolamabbas, freebsd-net@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG, cez@pkl.net
Subject: Re: 4.4-stable kernel panic with dummynet/bridging. Same rules work fine with 4.3-RC
Message-ID: <20011226054253.A62387@iguana.aciri.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.23i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have found the bug, it's a one-line change in netinet/if_ether.c

@@ -574,5 +574,4 @@ in_arpinput(m)
 			m_freem(m);
 			return;
 		}
-		ia = ifatoia(ifa);
 match:

I am waiting for re@ to approve the commit. The code in -current
is already fixed.

	cheers
	luigi

On Thu, Dec 20, 2001 at 08:27:58AM -0600, Robert D. Hughes wrote:
> Hmmmm.... I thought it was just me, and I hadn't had a chance yet to go
> digging. I just enabled OPTIONS = BRIDGE in the kernel and I was getting
> spontaneous reboots, but they pointed to NATD blowing up. Essentially
> the same error though. Removing OPTIONS = BRIDGE seems to have stopped
> the reboots. This is on the 4.4-STABLE tree and has been going on for at
> least a couple of weeks.
> 
> Rob
> 
> -----Original Message-----
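Review bot: the commit message for this hunk needs to say why `ia = ifatoia(ifa);` is safe to drop, since the mail gives no rationale beyond "one-line change". The quoted trap in this thread (a page fault in `in_arpinput+0x158` on virtual address 0xa4, with `movl 0xa4(%eax,%eax)` at the faulting instruction) is consistent with `ifa` being NULL on the path that falls through to `match:`, so the message should state that explicitly, and it should confirm that every path arriving at `match:` sets `ia` on its own, otherwise a later read of `ia` after the label is left uninitialised on 4.4-STABLE. Naming the -current revision this is merged from would also let the re@ reviewer verify it is the same fix.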
> From: Yusuf Goolamabbas [mailto:yusufg@outblaze.com]
> Sent: Thursday, December 20, 2001 5:16 AM
> To: freebsd-net@freebsd.org; freebsd-stable@freebsd.org
> Cc: cez@pkl.net
> Subject: 4.4-stable kernel panic with dummynet/bridging. Same rules work
> fine with 4.3-RC
> 
> 
> Hi, Similar to what Ceri describes in this message
> 
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=508422+0+current/freebsd-stable
> 
> I have observed a 4.4-stable box panicking whenever bridging is turned
> on. This was cvsup'ed today morning. I have other boxes cvsup'ed at
> the same time except that they don't have dummynet/bridging configured
> in them and they work pretty well
> 
> I replaced the box with another 4.3-RC box and the same rules
> enclosed here work just fine
> 
> ${fwcmd} add 100 pass all from any to any via lo0
> ${fwcmd} add 200 deny all from any to 127.0.0.0/8
> ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
> # If you're using 'options BRIDGE', uncomment the following line to pass ARP
> ${fwcmd} add 400 pass udp from 0.0.0.0 2054 to 0.0.0.0
> ${fwcmd} add 500 pass all from to any in via fxp0
> ${fwcmd} add 800 pipe 1 ip from to any in via fxp1
> ${fwcmd} pipe 1 config mask src-ip 0x000000ff bw 512Kbit/s queue 50
> 
> Basically, fxp1 is connected to a switch and every machine on that
> switch is rate limited to 512Kbit/s individually
> 
> I had configured the box with DDB but didn't have serial console so I
> transcribed everything at the db> prompt
> 
> Fatal trap 12: page fault while in kernel mode
> fault virtual address   = 0xa4
> fault code              = superviser read, page not present
> instruction pointer     = 0x8:0xc0199164
> strack pointer          = 0x10:0xc9889b5c
> frame pointer           = 0x10:0xc9889bac
> code segment            = base 0x0, limit 0xfff type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 55 (sh)
> interrupt mask          =
> kernel: type 12 trap, code = 0
> stopped at in_arpinput+0x158; movl 0xa4(%eax,%eax)
> 
> db> t
> in_arpinput(c077cb00,0,c989cac,c020d625,c020d5df) at in_arpinput+0x158
> arpintr(c020dfdf,0,c02800,0,c7640010,c0e700,0) at arpintr+0x112
> swi_net_next(c028c26c,c764f000,3,0,c835c440) at swi_net_next
> trap_pfault(c9889d20,0,c764f000,0,806c591) at trap_pfault+0xbe
> trap(10,c9880010,c01d0010,c764f000,80be591_ at trap+0x31f
> calltrap() at calltrap+0x11
> trap 0xc : eip - 0xc02172cf , esp - 0xc9889d60, ebp - 0xc9889d88
> copyinstr(c9889e68,0,0,c9889f80,c9889f80) at copyinstr+0x37
> exec_elf_imagact(c9889e68,c835c440,3,c9889f80,c9889e68) at exec_elf_imagact+0xba
> execve(c835c440,c9889f80,80be5d4,0,80be590) at execve+0x26c
> syscall2(2f,2f,2f,80be590,0) at syscall2+0x1a5
> Xinit0x80_syscall() + Xint-x80_syscall+0x25
> 
> Hope this helps
> 
> Regards, Yusuf
> 
> --
> Yusuf Goolamabbas
> yusufg@outblaze.com
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Wed Dec 26 11:08:10 2001
Delivered-To: freebsd-net@freebsd.org
Received: from ardbeg.meer.net (ardbeg.meer.net [209.157.152.23]) by hub.freebsd.org (Postfix) with ESMTP id 59D1B37B405 for ; Wed, 26 Dec 2001 11:08:08 -0800 (PST)
Received: from meer.meer.net (mail.meer.net [209.157.152.14]) by ardbeg.meer.net (8.11.3/8.11.3) with ESMTP id fBQJ88D81105 for ; Wed, 26 Dec 2001 11:08:08 -0800 (PST)
Received: from neville-neil.com ([209.157.133.226]) by meer.meer.net (8.9.3/8.9.3/meer) with ESMTP id LAA1105100 for ; Wed, 26 Dec 2001 11:07:48 -0800 (PST)
Message-Id: <200112261907.LAA1105100@meer.meer.net>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: freebsd-net@freebsd.org
Subject: FreeBSD TCP/IP relation to Mac OS/X?
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 26 Dec 2001 11:07:48 -0800
From: "George V. Neville-Neil"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Folks,

Just checking out some developer info on OS/X and I came upon this
interesting quote:

    For kernel developers, Darwin provides the Network Kernel Extension
    (NKE) facility. This allows developers to create networking modules
    and even entire protocol stacks that can be dynamically loaded and
    unloaded. NKEs also make it possible to configure protocol stacks
    automatically and easily monitor and modify network traffic. At the
    data-link and network layers, they can also receive notifications of
    asynchronous events from device drivers.

Can anyone comment on the progeny of the TCP/IP stack in Mac OS/X?
Did they do a rewrite or just tweaks? Granted this may all be market
speak but if it's true it would indicate some significant changes.

Thanks,
George

--
George V. Neville-Neil gnn@neville-neil.com NIC:GN82
"Those who would trade liberty for temporary security deserve neither" - Benjamin Franklin

From owner-freebsd-net Wed Dec 26 11:23:32 2001
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id 224E737B405 for ; Wed, 26 Dec 2001 11:23:26 -0800 (PST)
Received: from grinch ([12.234.217.52]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011226192325.GCYA6185.rwcrmhc51.attbi.com@grinch> for ; Wed, 26 Dec 2001 19:23:25 +0000
Date: Wed, 26 Dec 2001 11:23:25 -0800
Subject: Re: FreeBSD TCP/IP relation to Mac OS/X?
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v475)
From: Justin C.Walker
To: freebsd-net@FreeBSD.ORG
Content-Transfer-Encoding: 7bit
In-Reply-To: <200112261907.LAA1105100@meer.meer.net>
Message-Id: <08571164-FA36-11D5-B98A-00306544D642@mac.com>
X-Mailer: Apple Mail (2.475)
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I can comment from the Mac OS X perspective...

On Wednesday, December 26, 2001, at 11:07 , George V. Neville-Neil wrote:

> Hi Folks,
> 
> Just checking out some developer info on OS/X and I came upon this
> interesting quote:
[snip]
> Can anyone comment on the progeny of the TCP/IP stack in Mac OS/X?
> Did they do a rewrite or just tweaks? Granted this may all be market
> speak but if it's true it would indicate some significant changes.

The TCP/IP stack in Mac OS X/Darwin is essentially the stack from
FreeBSD 3.2. There have been almost no changes in this area to
accommodate NKE operation. The only one of note that I recall now is a
change to the "ip_protox" mechanism. In Mac OS X, it's an array of
pointers to protosw's, rather than small integers. This seemed to me to
be a fairly simple way to allow the addition of new protocol handlers.

We did make some changes in the socket layer to support NKEs, but the
major changes to networking are in the "data link interface" part of the
system. A major goal of the development of Mac OS X was to enable
developers to add to the system without requiring kernel builds, or in
particular, major effort on the part of customers to get things to work
well. The BSD data link area is mostly confined to "if_ethersubr.c" and
friends, and this stuff has been completely revamped. We factored out
the notions of de-muxing, address resolution, and framing, to allow
developers to introduce support for new device types without having to
provide new kernels to customers.
In addition, we have provided hooks to permit "filter" modules to be
inserted in the packet flow between protocol stacks and devices.

There's more info floating around on the darwin lists, and in the darwin
repository.

Regards,

Justin

--
Justin C. Walker, Curmudgeon-At-Large  *
Institute for General Semantics        | If you're not confused,
                                       | You're not paying attention
*--------------------------------------*-------------------------------*

From owner-freebsd-net Wed Dec 26 11:28:09 2001
Delivered-To: freebsd-net@freebsd.org
Received: from bilver.wjv.com (spdsl-033.wanlogistics.net [63.209.115.33]) by hub.freebsd.org (Postfix) with ESMTP id ACB6737B416 for ; Wed, 26 Dec 2001 11:28:06 -0800 (PST)
Received: (from bv@localhost) by bilver.wjv.com (8.11.6/8.11.6) id fBQJRrT54281; Wed, 26 Dec 2001 14:27:53 -0500 (EST) (envelope-from bv)
Date: Wed, 26 Dec 2001 14:27:53 -0500
From: Bill Vermillion
To: "George V. Neville-Neil"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: FreeBSD TCP/IP relation to Mac OS/X?
Message-ID: <20011226142753.A54259@wjv.com>
Reply-To: bv@wjv.com
References: <200112261907.LAA1105100@meer.meer.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200112261907.LAA1105100@meer.meer.net>; from gnn@neville-neil.com on Wed, Dec 26, 2001 at 11:07:48AM -0800
Organization: W.J.Vermillion / Orlando - Winter Park
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Dec 26, 2001 at 11:07:48AM -0800, George V. Neville-Neil thus spoke:

> Just checking out some developer info on OS/X and I came upon this
> interesting quote:

> For kernel developers, Darwin provides the Network Kernel
> Extension (NKE) facility. This allows developers to create
> networking modules and even entire protocol stacks that can be
> dynamically loaded and unloaded. NKEs also make it possible to
> configure protocol stacks automatically and easily monitor and
> modify network traffic. At the data-link and network layers, they
> can also receive notifications of asynchronous events from device
> drivers.

> Can anyone comment on the progeny of the TCP/IP stack in Mac
> OS/X? Did they do a rewrite or just tweaks? Granted this may
> all be market speak but if it's true it would indicate some
> significant changes.

I can't say one way or the other but in the past couple of weeks
someone from Apple posted some fixes to FreeBSD specifically in
the TCP/IP area so I'm assuming it's the BSD stack. Otherwise the
fixes would be going the other way.

From owner-freebsd-net Wed Dec 26 11:38:12 2001
Delivered-To: freebsd-net@freebsd.org
Received: from ardbeg.meer.net (ardbeg.meer.net [209.157.152.23]) by hub.freebsd.org (Postfix) with ESMTP id D0CD537B416 for ; Wed, 26 Dec 2001 11:38:08 -0800 (PST)
Received: from meer.meer.net (mail.meer.net [209.157.152.14]) by ardbeg.meer.net (8.11.3/8.11.3) with ESMTP id fBQJc8D86692; Wed, 26 Dec 2001 11:38:08 -0800 (PST)
Received: from neville-neil.com ([209.157.133.226]) by meer.meer.net (8.9.3/8.9.3/meer) with ESMTP id LAA1103901; Wed, 26 Dec 2001 11:37:37 -0800 (PST)
Message-Id: <200112261937.LAA1103901@meer.meer.net>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: "Justin C.Walker"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: FreeBSD TCP/IP relation to Mac OS/X?
In-Reply-To: Message from "Justin C.Walker" of "Wed, 26 Dec 2001 11:23:25 PST." <08571164-FA36-11D5-B98A-00306544D642@mac.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 26 Dec 2001 11:37:36 -0800
From: "George V. Neville-Neil"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I can comment from the Mac OS X perspective...

Thanks!

And one last question:

Did these changes make it back into FreeBSD?

Later,
George

--
George V. Neville-Neil gnn@neville-neil.com NIC:GN82
"Those who would trade liberty for temporary security deserve neither" - Benjamin Franklin

From owner-freebsd-net Wed Dec 26 11:46:08 2001
Delivered-To: freebsd-net@freebsd.org
Received: from niwun.pair.com (niwun.pair.com [209.68.2.70]) by hub.freebsd.org (Postfix) with SMTP id EE43F37B41B for ; Wed, 26 Dec 2001 11:45:59 -0800 (PST)
Received: (qmail 90823 invoked by uid 3193); 26 Dec 2001 19:45:59 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 26 Dec 2001 19:45:59 -0000
Date: Wed, 26 Dec 2001 14:45:59 -0500 (EST)
From: Mike Silbersack
X-Sender:
To: Bill Vermillion
Cc: "George V. Neville-Neil" ,
Subject: Re: FreeBSD TCP/IP relation to Mac OS/X?
In-Reply-To: <20011226142753.A54259@wjv.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 26 Dec 2001, Bill Vermillion wrote:

> I can't say one way or the other but in the past couple of weeks
> someone from Apple posted some fixes to FreeBSD specifically in
> the TCP/IP area so I'm assuming it's the BSD stack. Otherwise the
> fixes would be going the other way.

I think that you're confusing issues. Apple released a file system
test program which helped Matt Dillon to find and fix a bunch of
NFS / UFS / VM bugs, and Matt also fixed some TCP bugs, but there
is no direct relation between Apple and the TCP changes.

Mike "Silby" Silbersack

From owner-freebsd-net Wed Dec 26 11:48:25 2001
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 25CDD37B416 for ; Wed, 26 Dec 2001 11:48:20 -0800 (PST)
Received: from grinch ([12.234.217.52]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011226194818.BIJK6450.rwcrmhc52.attbi.com@grinch> for ; Wed, 26 Dec 2001 19:48:18 +0000
Date: Wed, 26 Dec 2001 11:48:17 -0800
Subject: Re: FreeBSD TCP/IP relation to Mac OS/X?
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v475)
From: Justin C.Walker
To: freebsd-net@FreeBSD.ORG
Content-Transfer-Encoding: 7bit
In-Reply-To: <200112261937.LAA1103901@meer.meer.net>
Message-Id: <8212884A-FA39-11D5-B98A-00306544D642@mac.com>
X-Mailer: Apple Mail (2.475)
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wednesday, December 26, 2001, at 11:37 , George V. Neville-Neil wrote:

>> I can comment from the Mac OS X perspective...
> 
> Thanks!
> 
> And one last question:
> 
> Did these changes make it back into FreeBSD?

The short answer is 'no'. The longer answer is that no one has had the
time or interest to do this. Now that I'm (hrm) between engagements, I
may have some free time to take a look at it, but as I indicated, the
media layer changes are significant. A lot of what is in FreeBSD now has
not been ported to Darwin (dummynet, ...), so it's a fair amount of
work. Unless there is a strong interest in it, the best that could
happen, I think, is that it sits in the ports section, gathering dust...

Regards,

Justin

--
/~\ The ASCII                 Justin C.
Walker, Curmudgeon-at-Large
\ / Ribbon Campaign
 X  Against HTML
/ \ Email

From owner-freebsd-net Wed Dec 26 11:56:10 2001
Delivered-To: freebsd-net@freebsd.org
Received: from ardbeg.meer.net (ardbeg.meer.net [209.157.152.23]) by hub.freebsd.org (Postfix) with ESMTP id CB77737B405 for ; Wed, 26 Dec 2001 11:56:07 -0800 (PST)
Received: from meer.meer.net (mail.meer.net [209.157.152.14]) by ardbeg.meer.net (8.11.3/8.11.3) with ESMTP id fBQJu7D90370; Wed, 26 Dec 2001 11:56:07 -0800 (PST)
Received: from neville-neil.com ([209.157.133.226]) by meer.meer.net (8.9.3/8.9.3/meer) with ESMTP id LAA1088077; Wed, 26 Dec 2001 11:55:09 -0800 (PST)
Message-Id: <200112261955.LAA1088077@meer.meer.net>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: "Justin C.Walker"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: FreeBSD TCP/IP relation to Mac OS/X?
In-Reply-To: Message from "Justin C.Walker" of "Wed, 26 Dec 2001 11:48:17 PST." <8212884A-FA39-11D5-B98A-00306544D642@mac.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 26 Dec 2001 11:55:09 -0800
From: "George V. Neville-Neil"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The short answer is 'no'.
> 

Thanks,
George

--
George V. Neville-Neil gnn@neville-neil.com NIC:GN82
"Those who would trade liberty for temporary security deserve neither" - Benjamin Franklin

From owner-freebsd-net Wed Dec 26 12:06:40 2001
Delivered-To: freebsd-net@freebsd.org
Received: from winston.freebsd.org (adsl-64-173-15-98.dsl.sntc01.pacbell.net [64.173.15.98]) by hub.freebsd.org (Postfix) with ESMTP id CCC8437B405 for ; Wed, 26 Dec 2001 12:06:34 -0800 (PST)
Received: from winston.freebsd.org (jkh@localhost [127.0.0.1]) by winston.freebsd.org (8.11.6/8.11.6) with ESMTP id fBQK5aG45234; Wed, 26 Dec 2001 12:05:36 -0800 (PST) (envelope-from jkh@winston.freebsd.org)
To: "George V. Neville-Neil"
Cc: "Justin C.Walker", freebsd-net@FreeBSD.ORG
Subject: Re: FreeBSD TCP/IP relation to Mac OS/X?
In-Reply-To: Message from "George V. Neville-Neil" of "Wed, 26 Dec 2001 11:37:36 PST." <200112261937.LAA1103901@meer.meer.net>
Date: Wed, 26 Dec 2001 12:05:36 -0800
Message-ID: <45230.1009397136@winston.freebsd.org>
From: Jordan Hubbard
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Did these changes make it back into FreeBSD?

I'm sure that Justin's too nice a guy to say that the above question is
just about meaningless in any real-world context, so I'll jump in and
cuff you upside the head instead. :)

What Justin's describing is a truly significant set of changes here, and
even though those changes are freely available as part of the Darwin CVS
repository and have been for some time, it's the FreeBSD project really
gating whether "these changes make it back." Justin's the wrong guy to
ask if you're sincerely interested in determining the answer to that
question. Maybe a better preliminary question would be "has anyone
discussed bringing these changes back to FreeBSD?" Hearing the answer to
that, which happens to be "No", you'd then quickly realize that there's
at least 90 days of discussion in -arch ahead before the second question
becomes even relevant. If you'd like to start the clock on that, cite the
relevant bits of Justin's posting and frame a question in -arch as to
whether people would support or resist the adoption of Apple's NKE
framework and related changes.

Good luck. :)

- Jordan

From owner-freebsd-net Wed Dec 26 12:09:52 2001
Delivered-To: freebsd-net@freebsd.org
Received: from technokratis.com (modemcable099.144-201-24.mtl.mc.videotron.ca [24.201.144.99]) by hub.freebsd.org (Postfix) with ESMTP id B52E637B417 for ; Wed, 26 Dec 2001 12:09:39 -0800 (PST)
Received: (from bmilekic@localhost) by technokratis.com (8.11.4/8.11.3) id fBQKDjs19373; Wed, 26 Dec 2001 15:13:45 -0500 (EST) (envelope-from bmilekic)
Date: Wed, 26 Dec 2001 15:13:45 -0500
From: Bosko Milekic
To: Randall Stewart
Cc: net@FreeBSD.ORG
Subject: Re: m_reclaim and a protocol drain
Message-ID: <20011226151345.A19259@technokratis.com>
References: <3C235866.B063CC7B@stewart.chicago.il.us> <20011221134307.A69233@technokratis.com> <3C29BEF3.611BCAFE@stewart.chicago.il.us>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3C29BEF3.611BCAFE@stewart.chicago.il.us>; from randall@stewart.chicago.il.us on Wed, Dec 26, 2001 at 06:13:40AM -0600
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Dec 26, 2001 at 06:13:40AM -0600, Randall Stewart wrote:
> > > 1) One of the primary things I thought the drain() functions
> > > help with is to ward off DOS attacks.
> >
> > Well, no, not really. They're just there to `help' out in any
> > starvation case, really.
> >
>
> This comment fascinates me. The reason we made SACK's in SCTP
> revocable is due to the potential DOS attack that someone
> can supposedly launch if you don't allow the stack to revoke.
>
> I can actually see the reason that Sally made the comments
> and had us change it so that SACK's are revocable. However
> you argue to the contrary and I wonder which is correct.
>
> If you do not allow revoking it is the same as if a protocol
> does not hold a drain() function. An attacker could easily
> stuff a lot of out-of-order segments at you and thus
> fill up all your mbuf's or clusters (in my current testing
> case). This would then yield a DOS since you could no longer
> receive any segments and leave you high and dry....

I agree that it is important to drain. I didn't say that it wasn't,
but merely that the drain routine in the mbuf code exists to `help out'
in the starvation case. Nothing prevents one from calling a specific
protocol drain routine explicitly from elsewhere.

It is relatively expensive to drain all the protocols for a M_DONTWAIT
caller so perhaps if the protocol expects draining to occur in tight
situations, we can have the drain routines called from a different
context as well (i.e. not only when mbuf allocations fail but also
when, for example, something noteworthy occurs in the protocol code).

> > > 2) If drivers all use clusters only and clusters can never
> > > call a drain() function, does this not leave both TCP and
> > > SCTP weak against an attack on the cluster side of the MBUF
> > > system?
> >
> > Well, firstly, all clusters are accompanied by mbufs. Secondly, as
> > mentioned above, -CURRENT drains in both cases.
> >
>
> Hmm.. I will look at updating this...

That would be very much appreciated. :-) I feel very bad for not doing
this myself because I seem to not be tracking -STABLE much these days.
But this is totally my fault and if you don't pick it up, feel free to
submit a PR and I swear I will force myself to do it. :-)

> > What I think you should do in your code is make the calls with
> > M_TRYWAIT (what you call M_WAIT) wherever they are possible and only
> > call with M_DONTWAIT where it's really not possible to wait. The
> > M_TRYWAIT flag does not imply "run slower than M_DONTWAIT," it just
> > means "try harder even if it takes a little longer, since we are able to
> > block."
> >
>
> A couple of comments here:
>
> a) There is NO M_TRYWAIT in the 4.3 strain I am working on.. I am
> about to upgrade to 4.4. so maybe it will appear there :>

Ah, no there is not. But M_TRYWAIT == better name given in -CURRENT to
M_WAIT. Basically, they're the same flag and have the same effect, but
the name M_TRYWAIT is more descriptive and thus used in -CURRENT (it
means "try harder and wait if necessary, but not necessarily forever").

> b) It is NOT my code that I am talking about. The issue is I am
> stuffing a LOT of out-of-order segments up the SCTP stack to
> get the drain() function called (so I can test it). Nothing
> ever calls the drain function and instead we lose packets at
> input since the drivers in the ethernet side of things (as you
> mention) do a M_DONTWAIT. My code uses M_WAIT wherever it can...
>
> Hmm, maybe that's it... I need to somehow activate a condition where
> I send a large segment and do a M_WAIT... Probably easier to build
> a test ioctl to call the drain function though..

Hm. Well, at any given time we may get a M_WAIT allocation and that
would do it. Note, however, that the drain routines _only_ get called
when there are *no* more mbufs (in -STABLE) or clusters (in -CURRENT)
left. That means that the mb_map has to be starved and that there are
no mbufs on the free lists. They do not get called unless there is
total starvation. That's why I mentioned above that perhaps it would
be worthwhile to have them called from a different context somewhere
from the protocol code when/if the protocol feels that they are
necessary.

> R
>
> > > If we don't it seems to me the utility of the drain() function is
> > > very very limited..
> > >
> > > Regards
> > >
> > > R
> > >
> > > --
> > > Randall R. Stewart
> > > randall@stewart.chicago.il.us 815-342-5222 (cell phone)

--
Bosko Milekic
bmilekic@FreeBSD.org
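A user-space model of the allocation path Bosko describes, added here as an illustration and not taken from FreeBSD's mbuf code (struct mb_pool, mb_alloc, reasm_input and run_flood are invented names; the pool size of 64 and the flood of 100 out-of-order segments are constructed). It reproduces the three cases in the exchange: a driver-style M_DONTWAIT caller never triggers the drain, so an out-of-order flood starves the pool and in-order packets are lost; an M_TRYWAIT caller triggers the protocol's drain() only once the pool is completely empty; and draining from protocol context at a watermark, as Bosko suggests, keeps the allocator from ever reaching total starvation.

```c
/* User-space model of the mbuf pool / protocol drain() interaction described
 * above. Added illustration, not FreeBSD kernel code: mb_pool, mb_alloc,
 * reasm_* and run_flood are invented; M_DONTWAIT / M_TRYWAIT follow the thread. */
#include <stdio.h>
#include <string.h>

#define MB_POOL_SIZE 64              /* constructed: a pool of 64 "mbufs" */
#define M_DONTWAIT 0
#define M_TRYWAIT  1

struct mbuf { int seq; struct mbuf *next; };

struct mb_pool {
    struct mbuf slab[MB_POOL_SIZE], *freelist;
    int nfree, drain_calls;          /* drain_calls: drains forced by the allocator */
    void (*drain)(void *);           /* registered protocol drain routine */
    void *drain_arg;
};

static void mb_pool_init(struct mb_pool *p, void (*drain)(void *), void *arg)
{
    memset(p, 0, sizeof(*p));
    for (int i = 0; i < MB_POOL_SIZE; i++) {          /* thread every slot onto the free list */
        p->slab[i].next = p->freelist; p->freelist = &p->slab[i];
    }
    p->nfree = MB_POOL_SIZE; p->drain = drain; p->drain_arg = arg;
}

static void mb_free(struct mb_pool *p, struct mbuf *m)
{
    m->next = p->freelist; p->freelist = m; p->nfree++;
}

/* Drain runs only on *total* starvation and only for a caller that may wait
 * (M_TRYWAIT); a driver's M_DONTWAIT allocation simply gets NULL back. */
static struct mbuf *mb_alloc(struct mb_pool *p, int how)
{
    if (p->freelist == NULL && how == M_TRYWAIT && p->drain != NULL) {
        p->drain_calls++;
        p->drain(p->drain_arg);      /* may give mbufs back to the free list */
    }
    if (p->freelist == NULL)
        return NULL;
    struct mbuf *m = p->freelist;
    p->freelist = m->next; p->nfree--;
    return m;
}

/* A protocol that parks out-of-order segments until the gap fills; its drain()
 * throws the queue away and relies on the peer to retransmit. */
struct reasm {
    struct mb_pool *pool;
    struct mbuf *queue;
    int queued, watermark;           /* watermark > 0: drain from protocol context */
};

static void reasm_drain(void *arg)
{
    struct reasm *r = arg;
    for (struct mbuf *m; (m = r->queue) != NULL; r->queued--) {
        r->queue = m->next;
        mb_free(r->pool, m);
    }
}

/* Queue one out-of-order segment: 1 if stored, 0 if dropped. */
static int reasm_input(struct reasm *r, int seq, int how)
{
    if (r->watermark > 0 && r->queued >= r->watermark)
        reasm_drain(r);              /* proactive: long before the pool is empty */
    struct mbuf *m = mb_alloc(r->pool, how);
    if (m == NULL)
        return 0;
    m->seq = seq; m->next = r->queue; r->queue = m; r->queued++;
    return 1;
}

struct flood_result { int nfree, driver_alloc_ok, drains; };

/* Feed n out-of-order segments with allocation mode `how`, then check whether a
 * driver-style M_DONTWAIT allocation for an in-order packet still succeeds. */
struct flood_result run_flood(int n, int how, int watermark)
{
    struct mb_pool pool;
    struct reasm r = { &pool, NULL, 0, watermark };
    mb_pool_init(&pool, reasm_drain, &r);
    for (int i = 0; i < n; i++)
        reasm_input(&r, 1000 + i, how);
    struct mbuf *m = mb_alloc(&pool, M_DONTWAIT);
    int ok = (m != NULL);
    if (m != NULL)
        mb_free(&pool, m);
    struct flood_result res = { pool.nfree, ok, pool.drain_calls };
    return res;
}

int main(void)
{
    struct flood_result r = run_flood(100, M_TRYWAIT, 0);   /* also try M_DONTWAIT, or watermark 16 */
    printf("free=%d allocator drains=%d driver alloc ok=%d\n", r.nfree, r.drains, r.driver_alloc_ok);
    return 0;
}
```

With M_DONTWAIT and no watermark the pool ends with zero free mbufs, the drain is never invoked and the driver's in-order allocation fails, which is the loss Randall observes; with M_TRYWAIT the drain fires exactly once, at total starvation; with a watermark of 16 the allocator never starves and no allocator-forced drain happens at all.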
From owner-freebsd-net Wed Dec 26 13:40:23 2001
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 26AC737B416 for ; Wed, 26 Dec 2001 13:40:15 -0800 (PST)
Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011226214014.DVMA6450.rwcrmhc52.attbi.com@InterJet.elischer.org>; Wed, 26 Dec 2001 21:40:14 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id NAA83855; Wed, 26 Dec 2001 13:24:59 -0800 (PST)
Date: Wed, 26 Dec 2001 13:24:59 -0800 (PST)
From: Julian Elischer
To: "Justin C.Walker"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: FreeBSD TCP/IP relation to Mac OS/X?
In-Reply-To: <8212884A-FA39-11D5-B98A-00306544D642@mac.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

They also have (apparently) a link-layer abstraction that shares some
characteristics of Netgraph, but I haven't looked at it yet.

On Wed, 26 Dec 2001, Justin C.Walker wrote:

> On Wednesday, December 26, 2001, at 11:37 , George V. Neville-Neil wrote:
>
>>> I can comment from the Mac OS X perspective...
> >
> > Thanks!
> >
> > And one last question:
> >
> > Did these changes make it back into FreeBSD?
>
> The short answer is 'no'.
>
> The longer answer is that no one has had the time or interest to do
> this. Now that I'm (hrm) between engagements, I may have some free time
> to take a look at it, but as I indicated, the media layer changes are
> significant. A lot of what is in FreeBSD now has not been ported to
> Darwin (dummynet, ...), so it's a fair amount of work. Unless there is
> a strong interest in it, the best that could happen, I think, is that it
> sits in the ports section, gathering dust...
>
> Regards,
>
> Justin
>
> --
> /~\ The ASCII         Justin C. Walker, Curmudgeon-at-Large
> \ / Ribbon Campaign
>  X  Against HTML
> / \ Email

From owner-freebsd-net Wed Dec 26 13:41:16 2001
Delivered-To: freebsd-net@freebsd.org
Received: from ardbeg.meer.net (ardbeg.meer.net [209.157.152.23]) by hub.freebsd.org (Postfix) with ESMTP id C9A0D37B405 for ; Wed, 26 Dec 2001 13:41:12 -0800 (PST)
Received: from meer.meer.net (mail.meer.net [209.157.152.14]) by ardbeg.meer.net (8.11.3/8.11.3) with ESMTP id fBQLfCD09831; Wed, 26 Dec 2001 13:41:12 -0800 (PST)
Received: from neville-neil.com ([209.157.133.226]) by meer.meer.net (8.9.3/8.9.3/meer) with ESMTP id NAA1130889; Wed, 26 Dec 2001 13:40:24 -0800 (PST)
Message-Id: <200112262140.NAA1130889@meer.meer.net>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Jordan Hubbard
Cc: "Justin C.Walker", freebsd-net@FreeBSD.ORG
Subject: Re: FreeBSD TCP/IP relation to Mac OS/X?
In-Reply-To: Message from Jordan Hubbard of "Wed, 26 Dec 2001 12:05:36 PST." <45230.1009397136@winston.freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 26 Dec 2001 13:40:24 -0800
From: "George V. Neville-Neil"
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Uhh, thanks, I think. I'll just let them dogs lie for the moment.

Later,
George
--
George V. Neville-Neil gnn@neville-neil.com NIC:GN82
"Those who would trade liberty for temporary security deserve neither" - Benjamin Franklin

From owner-freebsd-net Wed Dec 26 14:33:53 2001
Delivered-To: freebsd-net@freebsd.org
Received: from ns1.nttmcl.com (ns1.nttmcl.com [216.69.68.197]) by hub.freebsd.org (Postfix) with ESMTP id D65EB37B416 for ; Wed, 26 Dec 2001 14:33:45 -0800 (PST)
Received: from hsu (dhcp252.nttmcl.com [216.69.69.252]) by ns1.nttmcl.com (Postfix) with SMTP id B20EEDE541; Wed, 26 Dec 2001 14:33:45 -0800 (PST)
From: "Henry Su"
To: "Julian Elischer"
Subject: RE: socket call in the kernel
Date: Wed, 26 Dec 2001 14:36:16 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I tried your answer 1. It did not succeed.

I have a rule to do forwarding:

65534 0 0 fwd 127.0.0.1,8800 tcp from any to any 80

and I have a server listening on port 8800 at local host.

I also modified the ip_fw.c to log forwarding packet:

Dec 26 13:33:09 yarn /kernel: Forward packet: src_port:2414 src_ip:-62569000 dst_port:80 dst_ip:1298559960
Dec 26 13:33:15 yarn /kernel: Forward packet: src_port:2414 src_ip:-62569000 dst_port:80 dst_ip:1298559960

My redirect server on port 8800 works perfectly, I tried telnet, http etc on
8800, it all works. I run my server @ port 8800 in debug mode, it did not
receive forwarded packet from ipfirewall.

I am running 4.5 prerelease, with ipfw and bridge, the bridge code had
problem earlier, I manually fixed according to the message from the group.

Thanks.

-----Original Message-----
From: owner-freebsd-net@FreeBSD.ORG [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Julian Elischer
Sent: Thursday, December 20, 2001 3:08 PM
To: Henry Su
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: socket call in the kernel

I have two answers:

1/ Use ipfw add NNN fwd localhost,8001 [deny criteria]
to make the packet that is denied go to a default server listening on
port 8001

2/ there is an in-kernel webserver built using netgraph but it's not
public, but you can definitely use the 'ksocket' node to open 'in kernel'
sockets and pass the result to an arbitrary node.

1 can do what you want with no kernel programming..
check it out..

man ipfw

On Thu, 20 Dec 2001, Henry Su wrote:

> Thanks, Julian and Alfred.
>
> I am trying to redirect the denied http request to a default web site. So my
> idea is in the "ip_fw_chk" function of ip_fw.c, add following code, when it
> will drop the packet. But as you pointed out in earlier email, socket can
> not be used in this case. Do u have any other solutions? Thanks a lot.
>
>          * Finally, drop the packet.
>          */
>
>         /* my code start debug */
>         /* find if it's a http packet */
>         dst_port_h = ntohs(dst_port);
>         if(dst_port_h==80){
>                 log(LOG_INFO,"src_port:%u src_ip:%d dst_port:%d dst_ip:%u",
>                     ntohs(src_port), src_ip.s_addr, ntohs(dst_port), dst_ip.s_addr);
>                 /*s = 1;*/
>                 s = socket(AF_INET, SOCK_STREAM, 0);
>                 if (s < 0) {
>                         log(LOG_INFO,"Redirect socket can not be created");
>                 }else{
>                         log(LOG_INFO,"Redirect socket is created");
>                         /*
>                         bzero(&sa, sizeof sa);
>                         sa.sin_family = AF_INET;
>                         sa.sin_port = src_port;
>                         sa.sin_addr.s_addr = src_ip.s_addr;
>                         if (connect(s, (struct sockaddr *)&sa, sizeof sa) < 0) {
>                                 log(LOG_INFO,"connect %d failed", src_ip.s_addr);
>                                 close(s);
>                         }else{
>                                 log(LOG_INFO,"connect %d ok", src_ip.s_addr);
>                                 close(s);
>                         }
>                         */
>                         /*
>                         while ((bytes = read(s, buffer, BUFSIZ)) > 0)
>                                 write(1, buffer, bytes);
>                         */
>                 }
>         }
>         /* end debug */
>         return(IP_FW_PORT_DENY_FLAG);
>
> -----Original Message-----
> From: Julian Elischer [mailto:julian@elischer.org]
> Sent: Thursday, December 20, 2001 12:59 PM
> To: Henry Su
> Cc: freebsd-net@FreeBSD.ORG
> Subject: Re: socket call in the kernel
>
> You cannot do a socket directly but you can indirectly
> tell me what you are trying to do and I can help..
>
> On Thu, 20 Dec 2001, Henry Su wrote:
>
> > I am trying to modify ip_fw.c in the /usr/src/sys/netinet, I tried to add a
> > socket call in the code, it can be compiled, but when it runs into the code,
> > it just crashed. It gave me the "Fatal trap error 12", Memory address is
> > wrong.
> >
> > Can any one tell me if socket call can be used in kernel level? If not, how
> > can I accomplish socket communication in the kernel level?
> >
> > Thanks.
> >
> > ------------------------------------------------
> > Henry Su
> > NTT Multimedia Communications Laboratories, Inc.
> > 250 Cambridge Avenue Suite 300
> > Palo Alto, CA 94306, USA (PST:UTC -8H)
> > Tel: +1 650 833 3652
> > Fax: +1 650 326 1878
> > http://www.nttmcl.com/

From owner-freebsd-net Wed Dec 26 16:20:17 2001
Delivered-To: freebsd-net@freebsd.org
Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id D4D7837B416 for ; Wed, 26 Dec 2001 16:20:07 -0800 (PST)
Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id
<20011227002007.NFEN6185.rwcrmhc51.attbi.com@InterJet.elischer.org>; Thu, 27 Dec 2001 00:20:07 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id QAA84498; Wed, 26 Dec 2001 16:08:28 -0800 (PST)
Date: Wed, 26 Dec 2001 16:08:27 -0800 (PST)
From: Julian Elischer
To: Henry Su
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: socket call in the kernel
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 26 Dec 2001, Henry Su wrote:

> I tried your answer 1. It did not succeed.
>
> I have a rule to do forwarding:
>
> 65534 0 0 fwd 127.0.0.1,8800 tcp from any to any 80
>
> and I have a server listening on port 8800 at local host.
>
> I also modified the ip_fw.c to log forwarding packet:
>
> Dec 26 13:33:09 yarn /kernel: Forward packet: src_port:2414
> src_ip:-62569000 dst_port:80 dst_ip:1298559960
> Dec 26 13:33:15 yarn /kernel: Forward packet: src_port:2414
> src_ip:-62569000 dst_port:80 dst_ip:1298559960

why not just add a log entry to the rule?
also your rule should be a lot more specific about where the packets
should be coming from,

e.g. recv in fxp0
(or similar)

what do you get if you telnet to 80 and telnet to 8800?
they should act the same.

ipfw add 65534 fwd 127.0.0.1,8800 log from any to me 80 in recv fxp0

> My redirect server on port 8800 works perfectly, I tried telnet, http etc on
> 8800, it all works. I run my server @ port 8800 in debug mode, it did not
> receive forwarded packet from ipfirewall.

how are you forwarding the packet?

> I am running 4.5 prerelease, with ipfw and bridge, the bridge code had
> problem earlier, I manually fixed according to the message from the group.
>
> Thanks.
From owner-freebsd-net Wed Dec 26 18:24: 1 2001
Delivered-To: freebsd-net@freebsd.org
Received: from ns1.nttmcl.com (ns1.nttmcl.com [216.69.68.197]) by hub.freebsd.org (Postfix) with ESMTP id 9D2EC37B405 for ;
Wed, 26 Dec 2001 18:23:47 -0800 (PST)
Received: from hsu (dhcp252.nttmcl.com [216.69.69.252]) by ns1.nttmcl.com (Postfix) with SMTP id 76D0CDE541; Wed, 26 Dec 2001 18:23:47 -0800 (PST)
From: "Henry Su"
To: "Julian Elischer"
Subject: RE: socket call in the kernel
Date: Wed, 26 Dec 2001 18:26:18 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks a lot for your help.

I added "log" into the rule, here's the log info. It seems it does forward or
divert to localhost at port 8800.

[18:10:13][root@test2:/var/log]$ tail -f security
Dec 26 17:50:34 test2 last message repeated 2 times
Dec 26 17:51:34 test2 last message repeated 6 times
Dec 26 17:51:52 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1037 216.115.102.75:80 in via dc2
Dec 26 17:51:52 test2 /kernel: ipfw: limit 10 reached on entry 65534
Dec 26 17:59:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1041 216.115.102.81:80 in via dc2
Dec 26 17:59:55 test2 last message repeated 7 times
Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1041 216.115.102.81:80 in via dc2
Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1042 216.115.102.77:80 in via dc2
Dec 26 18:00:45 test2 /kernel: ipfw: limit 10 reached on entry 65534
Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1048 216.115.102.82:80 in via dc2
Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1048 216.115.102.82:80 in via dc2
Dec 26 18:12:14 test2 last message repeated 7 times
Dec 26 18:12:38 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1049 216.115.102.79:80 in via dc2
Dec 26 18:13:10 test2 last message repeated 7 times
Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1049 216.115.102.79:80 in via dc2
Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1050 216.115.102.77:80 in via dc2

But my redirection server at port 8800 did not recv these packets somehow. I
tried a telnet to the server at port 8800, it works very well.

[18:16:00][henrysu@test1:~]$ telnet 216.69.69.254 8800
Trying 216.69.69.254...
Connected to dhcp254.nttmcl.com.
Escape character is '^]'.
1234

HTTP/1.1 302 Moved
Date: Wed, 26 Dec 2001 18:15:11 PST
Location: https://216.69.69.254/cgi-bin/login
0

Connection closed by foreign host.

Do you have any clue why the packet can not be received at port 8800?

Thanks.
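The `log` keyword Julian suggested makes the kernel record, for every matching packet, the rule number, the action (Forward to ip:port, or Divert port), the original source and destination, and the receive interface. The following parser for those lines is an added example, not code from the thread or from ipfw (parse_ipfw_line, summarize and count_uncovered are invented names; SAMPLE_LINES is a constructed subset copied from the log above). It separates the forward target (127.0.0.1:8800) from the packets' original destinations (the 216.115.102.x hosts), which is what a reader needs in order to check where the redirect server must be listening: a TCP listener only receives a connection if it is bound to INADDR_ANY or to the address the connection is looked up against, and which of the two addresses that is after a fwd is exactly what the telnet tests in this thread probe.

```c
/* Parser for the ipfw "log" lines quoted above. Added example, not part of the
 * thread or of ipfw: parse_ipfw_line, summarize and count_uncovered are
 * invented names, and SAMPLE_LINES is a constructed subset copied from the post. */
#include <stdio.h>
#include <string.h>

struct fwd_event {
    int rule;
    char action[8], target[32], src[32], dst[32], iface[16]; /* target: fwd ip:port or divert port */
};

/* 1 if the line is an ipfw Forward/Divert record, 0 otherwise (syslog's
 * "last message repeated" and ipfw's "limit 10 reached" lines are skipped). */
static int parse_ipfw_line(const char *line, struct fwd_event *ev)
{
    const char *p = strstr(line, "ipfw: ");
    char proto[8];
    if (p == NULL)
        return 0;
    memset(ev, 0, sizeof(*ev));
    if (sscanf(p + 6, "%d Forward to %31s %7s %31s %31s in via %15s",
               &ev->rule, ev->target, proto, ev->src, ev->dst, ev->iface) == 6) {
        strcpy(ev->action, "Forward");
        return 1;
    }
    if (sscanf(p + 6, "%d Divert %31s %7s %31s %31s in via %15s",
               &ev->rule, ev->target, proto, ev->src, ev->dst, ev->iface) == 6) {
        strcpy(ev->action, "Divert");
        return 1;
    }
    return 0;
}

static void strip_port(const char *ipport, char *out, size_t n)   /* "ip:port" -> "ip" */
{
    const char *c = strrchr(ipport, ':');
    size_t len = c ? (size_t)(c - ipport) : strlen(ipport);
    if (len >= n) len = n - 1;
    memcpy(out, ipport, len);
    out[len] = '\0';
}

struct fwd_summary { int forwards, diverts, skipped, ndst; char dst_addr[16][16]; };

/* Count actions and collect the distinct *original* destination addresses. */
struct fwd_summary summarize(const char *const *lines, int count)
{
    struct fwd_summary s;
    struct fwd_event ev;
    char addr[16];
    memset(&s, 0, sizeof(s));
    for (int i = 0; i < count; i++) {
        if (!parse_ipfw_line(lines[i], &ev)) { s.skipped++; continue; }
        if (strcmp(ev.action, "Forward") == 0) s.forwards++; else s.diverts++;
        strip_port(ev.dst, addr, sizeof(addr));
        int seen = 0;
        for (int j = 0; j < s.ndst; j++)
            if (strcmp(s.dst_addr[j], addr) == 0) seen = 1;
        if (!seen && s.ndst < 16) strcpy(s.dst_addr[s.ndst++], addr);
    }
    return s;
}

/* Forward events a listener bound to bind_addr would miss, judged by the forward
 * target (use_target = 1) or by the packet's original destination (use_target = 0);
 * a listener bound to 0.0.0.0 (INADDR_ANY) misses nothing. */
int count_uncovered(const char *const *lines, int count, const char *bind_addr, int use_target)
{
    struct fwd_event ev;
    char addr[16];
    int missed = 0;
    for (int i = 0; i < count; i++) {
        if (!parse_ipfw_line(lines[i], &ev) || strcmp(ev.action, "Forward") != 0)
            continue;
        strip_port(use_target ? ev.target : ev.dst, addr, sizeof(addr));
        if (strcmp(bind_addr, "0.0.0.0") != 0 && strcmp(bind_addr, addr) != 0)
            missed++;
    }
    return missed;
}

/* Constructed sample: a subset of the lines in the post. */
static const char *const SAMPLE_LINES[] = {
    "Dec 26 17:50:34 test2 last message repeated 2 times",
    "Dec 26 17:51:52 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1037 216.115.102.75:80 in via dc2",
    "Dec 26 17:51:52 test2 /kernel: ipfw: limit 10 reached on entry 65534",
    "Dec 26 17:59:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1041 216.115.102.81:80 in via dc2",
    "Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1042 216.115.102.77:80 in via dc2",
    "Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1048 216.115.102.82:80 in via dc2",
    "Dec 26 18:12:38 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1049 216.115.102.79:80 in via dc2",
    "Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1050 216.115.102.77:80 in via dc2",
};
#define SAMPLE_COUNT ((int)(sizeof(SAMPLE_LINES) / sizeof(SAMPLE_LINES[0])))

int main(void)
{
    struct fwd_summary s = summarize(SAMPLE_LINES, SAMPLE_COUNT);
    printf("forwards=%d diverts=%d skipped=%d distinct original dst=%d\n", s.forwards, s.diverts, s.skipped, s.ndst);
    printf("forwards a 127.0.0.1 listener would miss: %d by fwd target, %d by original dst\n",
           count_uncovered(SAMPLE_LINES, SAMPLE_COUNT, "127.0.0.1", 1), count_uncovered(SAMPLE_LINES, SAMPLE_COUNT, "127.0.0.1", 0));
    return 0;
}
```

On the sample the parser finds three Forward records, three Divert records and two skipped lines, with five distinct original destinations. A server bound to 127.0.0.1 matches every forward target but none of the original destinations, while one bound to 0.0.0.0 covers both readings, which is why comparing a telnet to 127.0.0.1:8800 with one to the outside address is the quickest way to tell which address the listener actually has to cover.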
From owner-freebsd-net Wed Dec 26 19:40:27 2001
Delivered-To: freebsd-net@freebsd.org
Received: from
rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id AFD9637B405 for ; Wed, 26 Dec 2001 19:40:13 -0800 (PST)
Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011227034007.SKOD6185.rwcrmhc51.attbi.com@InterJet.elischer.org>; Thu, 27 Dec 2001 03:40:07 +0000
Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id TAA85200; Wed, 26 Dec 2001 19:26:20 -0800 (PST)
Date: Wed, 26 Dec 2001 19:26:18 -0800 (PST)
From: Julian Elischer
To: Henry Su
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: socket call in the kernel
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

is your server binding to 216.115.102.75?
if you telnet to 127.0.0.1 does it work?

On Wed, 26 Dec 2001, Henry Su wrote:

> Thanks a lot for your help.
>
> I added "log" into the rule, here's the log info. It seems it does forward or
> divert to localhost at port 8800.
>
> [18:10:13][root@test2:/var/log]$ tail -f security
> Dec 26 17:50:34 test2 last message repeated 2 times
> Dec 26 17:51:34 test2 last message repeated 6 times
> Dec 26 17:51:52 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1037 216.115.102.75:80 in via dc2
> Dec 26 17:51:52 test2 /kernel: ipfw: limit 10 reached on entry 65534
> Dec 26 17:59:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1041 216.115.102.81:80 in via dc2
> Dec 26 17:59:55 test2 last message repeated 7 times
> Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1041 216.115.102.81:80 in via dc2
> Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1042 216.115.102.77:80 in via dc2
> Dec 26 18:00:45 test2 /kernel: ipfw: limit 10 reached on entry 65534
> Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1048 216.115.102.82:80 in via dc2
> Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1048 216.115.102.82:80 in via dc2
> Dec 26 18:12:14 test2 last message repeated 7 times
> Dec 26 18:12:38 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1049 216.115.102.79:80 in via dc2
> Dec 26 18:13:10 test2 last message repeated 7 times
> Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1049 216.115.102.79:80 in via dc2
> Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP 216.69.69.248:1050 216.115.102.77:80 in via dc2
>
> But my redirection server at port 8800 did not recv these packets somehow. I
> tried a telnet to the server at port 8800, it works very well.
>
> [18:16:00][henrysu@test1:~]$ telnet 216.69.69.254 8800
> Trying 216.69.69.254...
> Connected to dhcp254.nttmcl.com.
> Escape character is '^]'.
> 1234
>
> HTTP/1.1 302 Moved
> Date: Wed, 26 Dec 2001 18:15:11 PST
> Location: https://216.69.69.254/cgi-bin/login
> 0
>
> Connection closed by foreign host.
>
> Do you have any clue why the packet can not be received at port 8800?
>
> Thanks.
> From: owner-freebsd-net@FreeBSD.ORG > [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Julian Elischer > Sent: Wednesday, December 26, 2001 4:08 PM > To: Henry Su > Cc: freebsd-net@FreeBSD.ORG > Subject: RE: socket call in the kernel > > > > > > > On Wed, 26 Dec 2001, Henry Su wrote: > > > I tried your answer 1. It did not succeed. > > > > I have a rule to do forwarding: > > > > 65534 0 0 fwd 127.0.0.1,8800 tcp from any to any 80 > > > > and I have a server listenning on port 8800 at local host. > > > > I also modified the ip_fw.c to log forwarding packet: > > > > Dec 26 13:33:09 yarn /kernel: Forward packet: src_port:2414 > > src_ip:-62569000 dst_port:80 dst_ip:1298559960 > > Dec 26 13:33:15 yarn /kernel: Forward packet: src_port:2414 > > src_ip:-62569000 dst_port:80 dst_ip:1298559960 > > why not just add a log entry to the rule? > also your rule should be a lot more specific about where the packets > should be coming from, > > e.g. recv in fxp0 > (or similar) > > what do you get if you telnet to 80 and telnet to 8800? > they should act the same. > > ipfw add 65534 fwd 127.0.0.1,8800 log from any to me 80 in recv fxp0 > > > > > > > > > My redirect server on port 8800 works perfect, I tried telnet, http etc on > > 8800, it all works. I run my server @ port 8800 in debug mode, it did not > > receive forwarded packet from ipfirewall. > > how are you forwarding the packet? > > > > > I am running 4.5 prerelease, with ipfw and bridge, the bridge code had > > problem earlier, I manully fixed according to the message from the group. > > > > Thanks. > > > > -----Original Message----- 
> > From: owner-freebsd-net@FreeBSD.ORG > > [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Julian Elischer > > Sent: Thursday, December 20, 2001 3:08 PM > > To: Henry Su > > Cc: freebsd-net@FreeBSD.ORG > > Subject: RE: socket call in the kernel > > > > > > > > > > I have two answers: > > > > 1/ Use ipfw add NNN fwd localhost,8001 [deny criteria] > > to make the packet that is denied go to a default server listenning on > > port 8001 > > > > 2/ there is an in-kernel webserver built using netgraph but it's not > > public, but you can definitly use the 'ksocket' node to open 'in kernel' > > sockets and pass the result to an arbitrary node. > > > > > > 1 can do what you want with no kernel programming.. > > check it out.. > > > > man ipfw > > > > > > On Thu, 20 Dec 2001, Henry Su wrote: > > > > > Thanks, Julian and Alfred. > > > > > > I am trying to redirect the denied http request to a default web site. > So > > my > > > idea is in the "ip_fw_chk" function of ip_fw.c, add following code, when > > it > > > will drop the packet. But as you pointed out in earlier email, socket > can > > > not be used in this case. Do u have any other solutions? Thanks a lot. > > > > > > > > > > > > * Finally, drop the packet. 
> > > */ > > > > > > > > > /* my code start debug */ > > > /* find if it's a http packet */ > > > dst_port_h = ntohs(dst_port); > > > if(dst_port_h==80){ > > > log(LOG_INFO,"src_port:%u src_ip:%d dst_port:%d > > dst_ip:%u", > > > ntohs(src_port), src_ip.s_addr, nt > > > ohs(dst_port), dst_ip.s_addr); > > > /*s = 1;*/ > > > s = socket(AF_INET, SOCK_STREAM, 0); > > > if (s < 0) { > > > log(LOG_INFO,"Redirect socket can not be > > created"); > > > }else{ > > > log(LOG_INFO,"Redirect socket is created"); > > > /* > > > bzero(&sa, sizeof sa); > > > sa.sin_family = AF_INET; > > > sa.sin_port = src_port; > > > sa.sin_addr.s_addr = src_ip.s_addr; > > > if (connect(s, (struct sockaddr *)&sa, sizeof > sa) > > < > > > 0) { > > > log(LOG_INFO,"connect %d failed", > > > src_ip.s_addr); > > > close(s); > > > }else{ > > > log(LOG_INFO,"connect %d ok", > > > src_ip.s_addr); > > > close(s); > > > } > > > */ > > > /* > > > while ((bytes = read(s, buffer, BUFSIZ)) > 0) > > > write(1, buffer, bytes); > > > */ > > > } > > > } > > > /* end debug */ > > > return(IP_FW_PORT_DENY_FLAG); > > > > > > > > > -----Original Message----- 
> > > From: Julian Elischer [mailto:julian@elischer.org] > > > Sent: Thursday, December 20, 2001 12:59 PM > > > To: Henry Su > > > Cc: freebsd-net@FreeBSD.ORG > > > Subject: Re: socket call in the kernel > > > > > > > > > > > > > > > You cannot do a socket directly but you can indirectly > > > tell me what you are trying to do and I can help.. > > > > > > > > > > > > On Thu, 20 Dec 2001, Henry Su wrote: > > > > > > > I am trying to modify ip_fw.c in the /usr/src/sys/netinet, I tried to > > add > > > a > > > > socket call in the code, it can be compiled, but when it runs into the > > > code, > > > > it just crashed. It gave me the "Fatal trap error 12", Memory address > is > > > > wrong. > > > > > > > > Can any one tell me if socket call can be used in kernel level? If > not, > > > how > > > > can I accomplish socket communication in the kernel level? > > > > > > > > Thanks. > > > > > > > > ------------------------------------------------ > > > > > > > > Henry Su > > > > > > > > NTT Multimedia Communications Laboratories, Inc. 
> > > >
> > > > 250 Cambridge Avenue Suite 300
> > > >
> > > > Palo Alto, CA 94306, USA (PST:UTC -8H)
> > > >
> > > > Tel: +1 650 833 3652
> > > >
> > > > Fax: +1 650 326 1878
> > > >
> > > > http://www.nttmcl.com/
> > > >

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Wed Dec 26 20:10:50 2001 Delivered-To: freebsd-net@freebsd.org Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 6D3FC37B405 for ; Wed, 26 Dec 2001 20:10:48 -0800 (PST) Received: (qmail 34984 invoked from network); 27 Dec 2001 04:10:19 -0000 Received: from localhost.nexgen.com (HELO alexus) (127.0.0.1) by localhost.nexgen.com with SMTP; 27 Dec 2001 04:10:19 -0000 Message-ID: <000d01c18e8c$81e15b40$0100a8c0@alexus>
From: "alexus" To: Subject: jail & ftp Date: Wed, 26 Dec 2001 23:11:06 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello

I'm not quite sure if I'm posting to the right list but I'll try anyway; all right, here it goes..

I have set up a jail and inside of this jail I run ftp (proftpd). Using ipf I was able to forward all traffic for ports 21 and 20 to my jail cell; however, it only works if the person uses PORT mode instead of PASV mode, and many people prefer/use PASV mode.

Here is the question:

Does anyone know whether it is possible to make it work in PASV mode instead of PORT?

I mean, PORT mode isn't that bad; however, people who are behind NAT can't use PORT mode, it has to be PASV for them, and we all know how popular N.A.T. is these days. I don't know anyone who goes on the internet otherwise..

Anyway, I appreciate any suggestions/tips/tricks. Thanks in advance.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Wed Dec 26 21:33:38 2001 Delivered-To: freebsd-net@freebsd.org Received: from mgw-x2.nokia.com (mgw-x2.nokia.com [131.228.20.22]) by hub.freebsd.org (Postfix) with ESMTP id 4193837B405 for ; Wed, 26 Dec 2001 21:33:35 -0800 (PST) Received: from esvir06nok.ntc.nokia.com (esvir06nokt.ntc.nokia.com [172.21.143.38]) by mgw-x2.nokia.com (Switch-2.1.0/Switch-2.1.0) with ESMTP id fBR5XV925298 for ; Thu, 27 Dec 2001 07:33:31 +0200 (EET) Received: from esebh01nok.ntc.nokia.com (unverified) by esvir06nok.ntc.nokia.com (Content Technologies SMTPRS 4.2.5) with ESMTP id for ; Thu, 27 Dec 2001 07:33:32 +0200 Received: by esebh01nok with Internet Mail Service (5.5.2652.78) id ; Thu, 27 Dec 2001 07:33:32 +0200 Message-ID: <4AE1AC3D692F55488F2D03518907B8AD182354@beebe001.NOE.Nokia.com>
From: chunan.li@nokia.com To: freebsd-net@freebsd.org Subject: The pccardd can't configure the Xircom CE3 Pcmcia card in 4.4 FreeBSD. Date: Thu, 27 Dec 2001 07:31:36 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2652.78) content-class: urn:content-classes:message Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi

Could you tell me how to configure the pcmcia card in my IBM Thinkpad t20 laptop with FreeBSD v4.4? The pccardd daemon can't configure the driver.

By the way, how can I configure the second pcmcia card?

Thx!

ChunAn Li
----------------------------------------------------
Advanced Internet Technologies Group
Communication Systems Laboratory
Nokia Research Center
Email: chunan.li@nokia.com
MP: +86 13601028331

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Thu Dec 27 1: 4:48 2001 Delivered-To: freebsd-net@freebsd.org Received: from ns1.nttmcl.com (ns1.nttmcl.com [216.69.68.197]) by hub.freebsd.org (Postfix) with ESMTP id 5809A37B405 for ; Thu, 27 Dec 2001 01:04:26 -0800 (PST) Received: from alicia.nttmcl.com (alicia.nttmcl.com [216.69.69.10]) by ns1.nttmcl.com (Postfix) with ESMTP id 07FD9DE541; Thu, 27 Dec 2001 01:04:26 -0800 (PST) Date: Thu, 27 Dec 2001 01:04:25 -0800 (PST)
From: Henry Su To: Julian Elischer Cc: freebsd-net@FreeBSD.ORG Subject: RE: socket call in the kernel In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Yes, it works:

[00:52:58][root@test2:~]$ telnet 127.0.0.1 8800
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
12334

HTTP/1.1 302 Moved
Date: Thu, 27 Dec 2001 00:53:18 PST
Location: https://216.69.69.254/cgi-bin/login
0


Connection closed by foreign host.


I found the problem is that the ipfw forwarding does not change the dst ip
address, so that my redirection socket server can not read these
fwd packets (since the dst ip is not correct). The solution could be to change
ip_fw.c to modify the dst ip address of the forwarded packet, but I do
not know how to do it. It has next_hop for fwd. I do not know how to do
packet manipulation in ip_fw.c's chk func.

Thanks a lot.

**************
Henry Su     *
NTT MCL      *
**************

On Wed, 26 Dec 2001, Julian Elischer wrote:

>
>
> is your server binding to 216.115.102.75?
> if you telnet to 127.0.0.1 does it work?
>
>
> On Wed, 26 Dec 2001, Henry Su wrote:
>
> > Thanks a lot for your help.
> >
> > I add "log" into the rule, here's the log info. It seems it does forward or
> > divert to localhost at port 8800.
> > > > [18:10:13][root@test2:/var/log]$ tail -f security > > Dec 26 17:50:34 test2 last message repeated 2 times > > Dec 26 17:51:34 test2 last message repeated 6 times > > Dec 26 17:51:52 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP > > 216.69.69.248:1037 216.115.102.75:80 in via dc2 > > Dec 26 17:51:52 test2 /kernel: ipfw: limit 10 reached on entry 65534 > > Dec 26 17:59:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP > > 216.69.69.248:1041 216.115.102.81:80 in via dc2 > > Dec 26 17:59:55 test2 last message repeated 7 times > > Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP > > 216.69.69.248:1041 216.115.102.81:80 in via dc2 > > Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP > > 216.69.69.248:1042 216.115.102.77:80 in via dc2 > > Dec 26 18:00:45 test2 /kernel: ipfw: limit 10 reached on entry 65534 > > Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP > > 216.69.69.248:1048 216.115.102.82:80 in via dc2 > > Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP > > 216.69.69.248:1048 216.115.102.82:80 in via dc2 > > Dec 26 18:12:14 test2 last message repeated 7 times > > Dec 26 18:12:38 test2 /kernel: ipfw: 65534 Divert 8800 TCP > > 216.69.69.248:1049 216.115.102.79:80 in via dc2 > > Dec 26 18:13:10 test2 last message repeated 7 times > > Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP > > 216.69.69.248:1049 216.115.102.79:80 in via dc2 > > Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP > > 216.69.69.248:1050 216.115.102.77:80 in via dc2 > > > > > > But my redirection server at port 8800 did not recv these packets somehow. I > > tried a telnet to the server at port 8800, it works very well. > > > > [18:16:00][henrysu@test1:~]$ telnet 216.69.69.254 8800 > > Trying 216.69.69.254... > > Connected to dhcp254.nttmcl.com. > > Escape character is '^]'. 
> > 1234 > > > > HTTP/1.1 302 Moved > > Date: Wed, 26 Dec 2001 18:15:11 PST > > Location: https://216.69.69.254/cgi-bin/login > > 0 > > > > > > Connection closed by foreign host. > > > > > > Do you have any clue, why the packet can not be received at port 8800. > > > > > > Thanks. > > > > -----Original Message----- 
> > From: owner-freebsd-net@FreeBSD.ORG > > [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Julian Elischer > > Sent: Wednesday, December 26, 2001 4:08 PM > > To: Henry Su > > Cc: freebsd-net@FreeBSD.ORG > > Subject: RE: socket call in the kernel > > > > > > > > > > > > > > On Wed, 26 Dec 2001, Henry Su wrote: > > > > > I tried your answer 1. It did not succeed. > > > > > > I have a rule to do forwarding: > > > > > > 65534 0 0 fwd 127.0.0.1,8800 tcp from any to any 80 > > > > > > and I have a server listenning on port 8800 at local host. > > > > > > I also modified the ip_fw.c to log forwarding packet: > > > > > > Dec 26 13:33:09 yarn /kernel: Forward packet: src_port:2414 > > > src_ip:-62569000 dst_port:80 dst_ip:1298559960 > > > Dec 26 13:33:15 yarn /kernel: Forward packet: src_port:2414 > > > src_ip:-62569000 dst_port:80 dst_ip:1298559960 > > > > why not just add a log entry to the rule? > > also your rule should be a lot more specific about where the packets > > should be coming from, > > > > e.g. recv in fxp0 > > (or similar) > > > > what do you get if you telnet to 80 and telnet to 8800? > > they should act the same. > > > > ipfw add 65534 fwd 127.0.0.1,8800 log from any to me 80 in recv fxp0 > > > > > > > > > > > > > > > My redirect server on port 8800 works perfect, I tried telnet, http etc on > > > 8800, it all works. I run my server @ port 8800 in debug mode, it did not > > > receive forwarded packet from ipfirewall. > > > > how are you forwarding the packet? > > > > > > > > I am running 4.5 prerelease, with ipfw and bridge, the bridge code had > > > problem earlier, I manully fixed according to the message from the group. > > > > > > Thanks. > > > > > > -----Original Message----- 
> > > From: owner-freebsd-net@FreeBSD.ORG > > > [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Julian Elischer > > > Sent: Thursday, December 20, 2001 3:08 PM > > > To: Henry Su > > > Cc: freebsd-net@FreeBSD.ORG > > > Subject: RE: socket call in the kernel > > > > > > > > > > > > > > > I have two answers: > > > > > > 1/ Use ipfw add NNN fwd localhost,8001 [deny criteria] > > > to make the packet that is denied go to a default server listenning on > > > port 8001 > > > > > > 2/ there is an in-kernel webserver built using netgraph but it's not > > > public, but you can definitly use the 'ksocket' node to open 'in kernel' > > > sockets and pass the result to an arbitrary node. > > > > > > > > > 1 can do what you want with no kernel programming.. > > > check it out.. > > > > > > man ipfw > > > > > > > > > On Thu, 20 Dec 2001, Henry Su wrote: > > > > > > > Thanks, Julian and Alfred. > > > > > > > > I am trying to redirect the denied http request to a default web site. > > So > > > my > > > > idea is in the "ip_fw_chk" function of ip_fw.c, add following code, when > > > it > > > > will drop the packet. But as you pointed out in earlier email, socket > > can > > > > not be used in this case. Do u have any other solutions? Thanks a lot. > > > > > > > > > > > > > > > > * Finally, drop the packet. 
> > > > */ > > > > > > > > > > > > /* my code start debug */ > > > > /* find if it's a http packet */ > > > > dst_port_h = ntohs(dst_port); > > > > if(dst_port_h==80){ > > > > log(LOG_INFO,"src_port:%u src_ip:%d dst_port:%d > > > dst_ip:%u", > > > > ntohs(src_port), src_ip.s_addr, nt > > > > ohs(dst_port), dst_ip.s_addr); > > > > /*s = 1;*/ > > > > s = socket(AF_INET, SOCK_STREAM, 0); > > > > if (s < 0) { > > > > log(LOG_INFO,"Redirect socket can not be > > > created"); > > > > }else{ > > > > log(LOG_INFO,"Redirect socket is created"); > > > > /* > > > > bzero(&sa, sizeof sa); > > > > sa.sin_family = AF_INET; > > > > sa.sin_port = src_port; > > > > sa.sin_addr.s_addr = src_ip.s_addr; > > > > if (connect(s, (struct sockaddr *)&sa, sizeof > > sa) > > > < > > > > 0) { > > > > log(LOG_INFO,"connect %d failed", > > > > src_ip.s_addr); > > > > close(s); > > > > }else{ > > > > log(LOG_INFO,"connect %d ok", > > > > src_ip.s_addr); > > > > close(s); > > > > } > > > > */ > > > > /* > > > > while ((bytes = read(s, buffer, BUFSIZ)) > 0) > > > > write(1, buffer, bytes); > > > > */ > > > > } > > > > } > > > > /* end debug */ > > > > return(IP_FW_PORT_DENY_FLAG); > > > > > > > > > > > > -----Original Message----- 
> > > > From: Julian Elischer [mailto:julian@elischer.org] > > > > Sent: Thursday, December 20, 2001 12:59 PM > > > > To: Henry Su > > > > Cc: freebsd-net@FreeBSD.ORG > > > > Subject: Re: socket call in the kernel > > > > > > > > > > > > > > > > > > > > You cannot do a socket directly but you can indirectly > > > > tell me what you are trying to do and I can help.. > > > > > > > > > > > > > > > > On Thu, 20 Dec 2001, Henry Su wrote: > > > > > > > > > I am trying to modify ip_fw.c in the /usr/src/sys/netinet, I tried to > > > add > > > > a > > > > > socket call in the code, it can be compiled, but when it runs into the > > > > code, > > > > > it just crashed. It gave me the "Fatal trap error 12", Memory address > > is > > > > > wrong. > > > > > > > > > > Can any one tell me if socket call can be used in kernel level? If > > not, > > > > how > > > > > can I accomplish socket communication in the kernel level? > > > > > > > > > > Thanks. > > > > > > > > > > ------------------------------------------------ > > > > > > > > > > Henry Su > > > > > > > > > > NTT Multimedia Communications Laboratories, Inc. 
> > > > >
> > > > > 250 Cambridge Avenue Suite 300
> > > > >
> > > > > Palo Alto, CA 94306, USA (PST:UTC -8H)
> > > > >
> > > > > Tel: +1 650 833 3652
> > > > >
> > > > > Fax: +1 650 326 1878
> > > > >
> > > > > http://www.nttmcl.com/
> > > > >

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Thu Dec 27 1:29:32 2001 Delivered-To: freebsd-net@freebsd.org Received: from hawk.prod.itd.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22]) by hub.freebsd.org (Postfix) with ESMTP id B067437B405 for ; Thu, 27 Dec 2001 01:29:28 -0800 (PST) Received: from dialup-209.245.143.185.dial1.sanjose1.level3.net ([209.245.143.185] helo=blossom.cjclark.org) by hawk.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16JWqk-0005RX-00; Thu, 27 Dec 2001 01:29:21 -0800 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fBR9Sti04463; Thu, 27 Dec 2001 01:28:55 -0800 (PST) (envelope-from cjc) Date: Thu, 27 Dec 2001 01:28:55 -0800
From: "Crist J . Clark" To: Henry Su Cc: Julian Elischer , freebsd-net@FreeBSD.ORG Subject: Re: socket call in the kernel Message-ID: <20011227012855.F2090@blossom.cjclark.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from henrysu@nttmcl.com on Thu, Dec 27, 2001 at 01:04:25AM -0800 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, Dec 27, 2001 at 01:04:25AM -0800, Henry Su wrote:
> Yes, it works:
>
> [00:52:58][root@test2:~]$ telnet 127.0.0.1 8800
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 12334
>
> HTTP/1.1 302 Moved
> Date: Thu, 27 Dec 2001 00:53:18 PST
> Location: https://216.69.69.254/cgi-bin/login
> 0
>
>
> Connection closed by foreign host.
>
>
> I found the problem is that the ipfw forwarding does not change the dst ip
> address, so that my redirection socket server can not read these
> fwd packets (since the dst ip is not correct). The solution could be to change
> ip_fw.c to modify the dst ip address of the forwarded packet, but I do
> not know how to do it. It has next_hop for fwd. I do not know how to do
> packet manipulation in ip_fw.c's chk func.

That's what I figured your problem was, but I never got around to
asking you to check it.

'fwd' rules _deliberately_ do not actually modify any data in the
packet. You are looking for something more like NAT. natd(8) may be
overkill for your needs. There are other, more lightweight TCP
forwarders in the ports collection.
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Thu Dec 27 1:33: 4 2001 Delivered-To: freebsd-net@freebsd.org Received: from hawk.prod.itd.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22]) by hub.freebsd.org (Postfix) with ESMTP id AADBA37B419 for ; Thu, 27 Dec 2001 01:33:00 -0800 (PST) Received: from dialup-209.245.143.185.dial1.sanjose1.level3.net ([209.245.143.185] helo=blossom.cjclark.org) by hawk.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16JWuC-0006fS-00; Thu, 27 Dec 2001 01:32:56 -0800 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fBR9WZ004478; Thu, 27 Dec 2001 01:32:35 -0800 (PST) (envelope-from cjc) Date: Thu, 27 Dec 2001 01:32:35 -0800
From: "Crist J . Clark" To: alexus Cc: freebsd-net@FreeBSD.ORG Subject: Re: jail & ftp Message-ID: <20011227013235.G2090@blossom.cjclark.org> References: <000d01c18e8c$81e15b40$0100a8c0@alexus> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <000d01c18e8c$81e15b40$0100a8c0@alexus>; from ml@db.nexgen.com on Wed, Dec 26, 2001 at 11:11:06PM -0500 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, Dec 26, 2001 at 11:11:06PM -0500, alexus wrote:
> Hello
>
> I'm not quite sure if I'm posting to the right list but I'll try anyway; all
> right, here it goes..
>
> I have set up a jail and inside of this jail I run ftp (proftpd). Using ipf I
> was able to forward all traffic for ports 21 and 20 to my jail cell; however,
> it only works if the person uses PORT mode instead of PASV mode, and many people
> prefer/use PASV mode.
>
> Here is the question:
>
> Does anyone know whether it is possible to make it work in PASV mode
> instead of PORT?

Sure. Why are you using ipf(8) (well, I guess ipnat(8) actually) to
forward connections to the jail? Why don't you give the jail the IP
address that people are trying to connect to? This makes the NAT games
unnecessary.
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message

From owner-freebsd-net Thu Dec 27 1:40:26 2001 Delivered-To: freebsd-net@freebsd.org Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 64AB237B405; Thu, 27 Dec 2001 01:40:20 -0800 (PST) Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011227094020.TNNI6450.rwcrmhc52.attbi.com@InterJet.elischer.org>; Thu, 27 Dec 2001 09:40:20 +0000 Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id BAA86463; Thu, 27 Dec 2001 01:32:40 -0800 (PST) Date: Thu, 27 Dec 2001 01:32:39 -0800 (PST)
From: Julian Elischer To: "Crist J . Clark" Cc: Henry Su , freebsd-net@FreeBSD.ORG Subject: Re: socket call in the kernel In-Reply-To: <20011227012855.F2090@blossom.cjclark.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org yes, but there is no need to change the packet.. fwd will do exactly what he wants as soon as I can get the network topology worked out :-) On Thu, 27 Dec 2001, Crist J . Clark wrote: > On Thu, Dec 27, 2001 at 01:04:25AM -0800, Henry Su wrote: > > Yes, it works: > > > > [00:52:58][root@test2:~]$ telnet 127.0.0.1 8800 > > Trying 127.0.0.1... > > Connected to localhost. > > Escape character is '^]'. > > 12334 > > > > HTTP/1.1 302 Moved > > Date: Thu, 27 Dec 2001 00:53:18 PST > > Location: https://216.69.69.254/cgi-bin/login > > 0 > > > > > > Connection closed by foreign host. > > > > > > I found the problem is that the ipfw forwarding does not change the dst ip > > address, so that my redirection socket server can not read these > > fwd packet (since the dst ip is not correct). The solution can be change > > the ip_fw.c to modify dst ip address for the forwarding packet, but I do > > not know how to do it. It has next_hop for fwd. I do not know how to do > > packet manupunation in ip_fw.c's chk func. > > That's what I figured your problem was, but I never got around to > asking for you to check it. > > 'fwd' rules _deliberately_ do not actually modify any data in the > packet. You are looking for something more like NAT. natd(8) may be > overkill for your needs. There are other, more lightweight TCP > forwarders in the ports collection. > -- > "It's always funny until someone gets hurt. Then it's hilarious." > > Crist J. 
Clark | cjclark@alum.mit.edu > | cjclark@jhu.edu > http://people.freebsd.org/~cjc/ | cjc@freebsd.org > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Thu Dec 27 1:40:44 2001 Delivered-To: freebsd-net@freebsd.org Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id A421237B416 for ; Thu, 27 Dec 2001 01:40:14 -0800 (PST) Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011227094013.TNMR6450.rwcrmhc52.attbi.com@InterJet.elischer.org>; Thu, 27 Dec 2001 09:40:13 +0000 Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id BAA86447; Thu, 27 Dec 2001 01:27:12 -0800 (PST) Date: Thu, 27 Dec 2001 01:27:10 -0800 (PST) 
From: Julian Elischer To: Henry Su Cc: freebsd-net@FreeBSD.ORG Subject: RE: socket call in the kernel In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, 27 Dec 2001, Henry Su wrote:

> Yes, it works:
>
> [00:52:58][root@test2:~]$ telnet 127.0.0.1 8800
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 12334
>
> HTTP/1.1 302 Moved
> Date: Thu, 27 Dec 2001 00:53:18 PST
> Location: https://216.69.69.254/cgi-bin/login
> 0
>
>
> Connection closed by foreign host.
>
>
> I found the problem is that the ipfw forwarding does not change the dst ip
> address, so that my redirection socket server can not read these
> fwd packets (since the dst ip is not correct). The solution could be to change
> ip_fw.c to modify the dst ip address of the forwarded packet, but I do
> not know how to do it. It has next_hop for fwd. I do not know how to do
> packet manipulation in ip_fw.c's chk func.

You don't need to change the dest addr in the proxy server.. that's what
fwd does: it FORCES the local socket to accept a packet to a foreign
address. (believe it or not)

I have a small patch that may help, but first, please draw your setup...
which rules do you have on which machines?

I've done this many times; if it's not working it's because I do not
understand your network correctly.

If, on the server, you telnet to port 80 of the address in the forward rule
in the ipfw list on your server (you need to have rules on both machines
obviously), you should see your telnet redirected to port 8800 of the local
machine, even if the address in the rule set is not a local address.

Please draw your network and I will give you a set of rules that work.

julian

>
> Thanks a lot.
> > > > ************** > Henry Su * > NTT MCL * > ************** > > On Wed, 26 Dec 2001, Julian Elischer wrote: > > > > > > > is your server binding to 216.115.102.75? > > if you telnet to 127.0.0.1 does it work? > > > > > > On Wed, 26 Dec 2001, Henry Su wrote: > > > > > Thanks a lot for your help. > > > > > > I add "log" into the rule, here's the log info. It seems it does forward or > > > divert to localhost at port 8800. > > > > > > [18:10:13][root@test2:/var/log]$ tail -f security > > > Dec 26 17:50:34 test2 last message repeated 2 times > > > Dec 26 17:51:34 test2 last message repeated 6 times > > > Dec 26 17:51:52 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP > > > 216.69.69.248:1037 216.115.102.75:80 in via dc2 > > > Dec 26 17:51:52 test2 /kernel: ipfw: limit 10 reached on entry 65534 > > > Dec 26 17:59:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP > > > 216.69.69.248:1041 216.115.102.81:80 in via dc2 > > > Dec 26 17:59:55 test2 last message repeated 7 times > > > Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP > > > 216.69.69.248:1041 216.115.102.81:80 in via dc2 > > > Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP > > > 216.69.69.248:1042 216.115.102.77:80 in via dc2 > > > Dec 26 18:00:45 test2 /kernel: ipfw: limit 10 reached on entry 65534 > > > Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP > > > 216.69.69.248:1048 216.115.102.82:80 in via dc2 > > > Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP > > > 216.69.69.248:1048 216.115.102.82:80 in via dc2 > > > Dec 26 18:12:14 test2 last message repeated 7 times > > > Dec 26 18:12:38 test2 /kernel: ipfw: 65534 Divert 8800 TCP > > > 216.69.69.248:1049 216.115.102.79:80 in via dc2 > > > Dec 26 18:13:10 test2 last message repeated 7 times > > > Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP > > > 216.69.69.248:1049 216.115.102.79:80 in via dc2 > > > Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 
TCP > > > 216.69.69.248:1050 216.115.102.77:80 in via dc2 > > > > > > > > > But my redirection server at port 8800 did not recv these packets somehow. I > > > tried a telnet to the server at port 8800, it works very well. > > > > > > [18:16:00][henrysu@test1:~]$ telnet 216.69.69.254 8800 > > > Trying 216.69.69.254... > > > Connected to dhcp254.nttmcl.com. > > > Escape character is '^]'. > > > 1234 > > > > > > HTTP/1.1 302 Moved > > > Date: Wed, 26 Dec 2001 18:15:11 PST > > > Location: https://216.69.69.254/cgi-bin/login > > > 0 > > > > > > > > > Connection closed by foreign host. > > > > > > > > > Do you have any clue, why the packet can not be received at port 8800. > > > > > > > > > Thanks. > > > > > > -----Original Message----- 
> > > From: owner-freebsd-net@FreeBSD.ORG > > > [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Julian Elischer > > > Sent: Wednesday, December 26, 2001 4:08 PM > > > To: Henry Su > > > Cc: freebsd-net@FreeBSD.ORG > > > Subject: RE: socket call in the kernel > > > > > > > > > > > > > > > > > > > > > On Wed, 26 Dec 2001, Henry Su wrote: > > > > > > > I tried your answer 1. It did not succeed. > > > > > > > > I have a rule to do forwarding: > > > > > > > > 65534 0 0 fwd 127.0.0.1,8800 tcp from any to any 80 > > > > > > > > and I have a server listenning on port 8800 at local host. > > > > > > > > I also modified the ip_fw.c to log forwarding packet: > > > > > > > > Dec 26 13:33:09 yarn /kernel: Forward packet: src_port:2414 > > > > src_ip:-62569000 dst_port:80 dst_ip:1298559960 > > > > Dec 26 13:33:15 yarn /kernel: Forward packet: src_port:2414 > > > > src_ip:-62569000 dst_port:80 dst_ip:1298559960 > > > > > > why not just add a log entry to the rule? > > > also your rule should be a lot more specific about where the packets > > > should be coming from, > > > > > > e.g. recv in fxp0 > > > (or similar) > > > > > > what do you get if you telnet to 80 and telnet to 8800? > > > they should act the same. > > > > > > ipfw add 65534 fwd 127.0.0.1,8800 log from any to me 80 in recv fxp0 > > > > > > > > > > > > > > > > > > > > > My redirect server on port 8800 works perfect, I tried telnet, http etc on > > > > 8800, it all works. I run my server @ port 8800 in debug mode, it did not > > > > receive forwarded packet from ipfirewall. > > > > > > how are you forwarding the packet? > > > > > > > > > > > I am running 4.5 prerelease, with ipfw and bridge, the bridge code had > > > > problem earlier, I manully fixed according to the message from the group. > > > > > > > > Thanks. > > > > > > > > -----Original Message----- 
> > > > From: owner-freebsd-net@FreeBSD.ORG > > > > [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Julian Elischer > > > > Sent: Thursday, December 20, 2001 3:08 PM > > > > To: Henry Su > > > > Cc: freebsd-net@FreeBSD.ORG > > > > Subject: RE: socket call in the kernel > > > > > > > > > > > > > > > > > > > > I have two answers: > > > > > > > > 1/ Use ipfw add NNN fwd localhost,8001 [deny criteria] > > > > to make the packet that is denied go to a default server listenning on > > > > port 8001 > > > > > > > > 2/ there is an in-kernel webserver built using netgraph but it's not > > > > public, but you can definitly use the 'ksocket' node to open 'in kernel' > > > > sockets and pass the result to an arbitrary node. > > > > > > > > > > > > 1 can do what you want with no kernel programming.. > > > > check it out.. > > > > > > > > man ipfw > > > > > > > > > > > > On Thu, 20 Dec 2001, Henry Su wrote: > > > > > > > > > Thanks, Julian and Alfred. > > > > > > > > > > I am trying to redirect the denied http request to a default web site. > > > So > > > > my > > > > > idea is in the "ip_fw_chk" function of ip_fw.c, add following code, when > > > > it > > > > > will drop the packet. But as you pointed out in earlier email, socket > > > can > > > > > not be used in this case. Do u have any other solutions? Thanks a lot. > > > > > > > > > > > > > > > > > > > > * Finally, drop the packet. 
> > > > > */ > > > > > > > > > > > > > > > /* my code start debug */ > > > > > /* find if it's a http packet */ > > > > > dst_port_h = ntohs(dst_port); > > > > > if(dst_port_h==80){ > > > > > log(LOG_INFO,"src_port:%u src_ip:%d dst_port:%d > > > > dst_ip:%u", > > > > > ntohs(src_port), src_ip.s_addr, nt > > > > > ohs(dst_port), dst_ip.s_addr); > > > > > /*s = 1;*/ > > > > > s = socket(AF_INET, SOCK_STREAM, 0); > > > > > if (s < 0) { > > > > > log(LOG_INFO,"Redirect socket can not be > > > > created"); > > > > > }else{ > > > > > log(LOG_INFO,"Redirect socket is created"); > > > > > /* > > > > > bzero(&sa, sizeof sa); > > > > > sa.sin_family = AF_INET; > > > > > sa.sin_port = src_port; > > > > > sa.sin_addr.s_addr = src_ip.s_addr; > > > > > if (connect(s, (struct sockaddr *)&sa, sizeof > > > sa) > > > > < > > > > > 0) { > > > > > log(LOG_INFO,"connect %d failed", > > > > > src_ip.s_addr); > > > > > close(s); > > > > > }else{ > > > > > log(LOG_INFO,"connect %d ok", > > > > > src_ip.s_addr); > > > > > close(s); > > > > > } > > > > > */ > > > > > /* > > > > > while ((bytes = read(s, buffer, BUFSIZ)) > 0) > > > > > write(1, buffer, bytes); > > > > > */ > > > > > } > > > > > } > > > > > /* end debug */ > > > > > return(IP_FW_PORT_DENY_FLAG); > > > > > > > > > > > > > > > -----Original Message----- 
> > > > > From: Julian Elischer [mailto:julian@elischer.org] > > > > > Sent: Thursday, December 20, 2001 12:59 PM > > > > > To: Henry Su > > > > > Cc: freebsd-net@FreeBSD.ORG > > > > > Subject: Re: socket call in the kernel > > > > > > > > > > > > > > > > > > > > > > > > > You cannot do a socket directly but you can indirectly > > > > > tell me what you are trying to do and I can help.. > > > > > > > > > > > > > > > > > > > > On Thu, 20 Dec 2001, Henry Su wrote: > > > > > > > > > > > I am trying to modify ip_fw.c in the /usr/src/sys/netinet, I tried to > > > > add > > > > > a > > > > > > socket call in the code, it can be compiled, but when it runs into the > > > > > code, > > > > > > it just crashed. It gave me the "Fatal trap error 12", Memory address > > > is > > > > > > wrong. > > > > > > > > > > > > Can any one tell me if socket call can be used in kernel level? If > > > not, > > > > > how > > > > > > can I accomplish socket communication in the kernel level? > > > > > > > > > > > > Thanks. > > > > > > > > > > > > ------------------------------------------------ > > > > > > > > > > > > Henry Su > > > > > > > > > > > > NTT Multimedia Communications Laboratories, Inc. 
> > > > > > 250 Cambridge Avenue Suite 300
> > > > > > Palo Alto, CA 94306, USA (PST:UTC -8H)
> > > > > > Tel: +1 650 833 3652
> > > > > > Fax: +1 650 326 1878
> > > > > > http://www.nttmcl.com/

From owner-freebsd-net Thu Dec 27 10:15:24 2001 Delivered-To: freebsd-net@freebsd.org Received: from ns1.nttmcl.com (ns1.nttmcl.com [216.69.68.197]) by hub.freebsd.org (Postfix) with ESMTP id 88BD637B41A for ; Thu, 27 Dec 2001 10:15:20 -0800 (PST) Received: from hsu (dhcp252.nttmcl.com [216.69.69.252]) by ns1.nttmcl.com (Postfix) with SMTP id 5FC12DE541; Thu, 27 Dec 2001 10:15:20 -0800 (PST) Reply-To:
From: "Henry Su" To: "Julian Elischer" Cc: Subject: RE: socket call in the kernel Date: Thu, 27 Dec 2001 10:17:53 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 In-Reply-To: Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Thanks a lot Julian. Please let me know if u need more info.

My goal is to use test2 as an authentication server: when an http request passes
through the test2 box, test2 will redirect it to an authentication url on itself.

 _________                       ___________________
|         |crossover cable      |                   |
|test1    |-------------------->| test2(ipfw,proxy) |-->router->Internet
|_________|                     |___________________|

test2 has ipfw and a proxy server for redirection. It is configured as a
bridge: one interface has an ip address, the other one does not, and test1 is
connected to that one.

The rule for forwarding is:

#Forward no valid http packet to local authentication
${fwcmd} add 65534 fwd localhost,8800 log tcp from any to any 80

For example, here are 2 cases, one works, one failed.

Failed case: from test1, "telnet www.yahoo.com 80". From the test2 ipfw log,
you can see the packet is forwarded (e.g. "Dec 27 00:34:25 test2 /kernel: ipfw:
65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1101 129.219.10.10:80 in via
dc2"), but the proxy server on test2 seems not to have got the forwarded packet.

Worked case: from test1, "telnet test2 80", it just works. The proxy server
got the packet, and sent a redirection message to test1:

> HTTP/1.1 302 Moved
> Date: Thu, 27 Dec 2001 00:53:18 PST
> Location: https://216.69.69.254/cgi-bin/login
> 0
>
>
> Connection closed by foreign host.

My guess is: the proxy socket server can only listen to packets whose dst ip
address matches its own ip address. The proxy server is written by myself; it's
a java socket server: when it receives any packet at port 8800, it sends back
some http redirection information.

From owner-freebsd-net Thu Dec 27 10:16: 0 2001 Delivered-To: freebsd-net@freebsd.org Received: from prism.flugsvamp.com (66-188-92-95.mad.wi.charter.com [66.188.92.95]) by hub.freebsd.org (Postfix) with ESMTP id B753B37B41C for ; Thu, 27 Dec 2001 10:15:57 -0800 (PST) Received: (from jlemon@localhost) by prism.flugsvamp.com (8.11.6/8.11.6) id fBRIFEX02892; Thu, 27 Dec 2001 12:15:14 -0600 (CST) (envelope-from jlemon) Date: Thu, 27 Dec 2001 12:15:14 -0600 (CST)
From: Jonathan Lemon Message-Id: <200112271815.fBRIFEX02892@prism.flugsvamp.com> To: pr@isprime.com, net@freebsd.org Subject: Re: FXP Bundling on a STL2 X-Newsgroups: local.mail.freebsd-net In-Reply-To: Organization: Cc: Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

In article you write:
>I noticed that the FXP built in to my STL2 motherboards seems to have no
>difference on 4.5-PRERELEASE whether bundling is on or off, but an external
>FXP PCI card does begin to have a difference when receiving ~1000 pps (about
>half the interrupts).
>Does the STL2 FXP not support bundling?

Check /var/log/messages. If there is a line that says "Microcode loaded...",
then the board is successfully running the new microcode, otherwise your
variant is not supported. (either no ucode, or hardware doesn't support it)
--
Jonathan

From owner-freebsd-net Thu Dec 27 11:28:11 2001 Delivered-To: freebsd-net@freebsd.org Received: from acura.isprime.com (acura.isprime.com [130.94.138.66]) by hub.freebsd.org (Postfix) with ESMTP id 7BBFC37B405 for ; Thu, 27 Dec 2001 11:28:06 -0800 (PST) Received: from winter (localhost [127.0.0.1]) by acura.isprime.com (8.11.3/8.11.2) with SMTP id fBRJS4D21539; Thu, 27 Dec 2001 14:28:04 -0500 (EST) Message-ID: <000801c18f0c$41ef0ed0$6701a8c0@winter>
From: "Phil Rosenthal" To: "Jonathan Lemon" , References: <200112271815.fBRIFEX02892@prism.flugsvamp.com> Subject: Re: FXP Bundling on a STL2 Date: Thu, 27 Dec 2001 14:25:34 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 Disposition-Notification-To: "Phil Rosenthal" X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

dmesg says:
fxp0: Microcode loaded, int_delay: 1000 usec bundle_max: 6
fxp1: Microcode loaded, int_delay: 1000 usec bundle_max: 6

But it only appears to do anything on the fxp1 (the external one)

From systat -vm:
~3000 interrupts
~500 interrupts

from netstat -I fxp0 -in 1:
input ~3000 packets per second

from netstat -I fxp1 -in 1:
input ~1700 packets per second

--Phil
----- Original Message -----
From: "Jonathan Lemon" To: ; Sent: Thursday, December 27, 2001 1:15 PM Subject: Re: FXP Bundling on a STL2 > In article you write: > >I noticed that the FXP built in to my STL2 motherboards seem to get have no > >difference on 4.5-PRERELEASE wether bundling is on or off, but an external > >FXP PCI card does begin to have a difference when receiving ~1000 pps (about > >half the interrupts). > >Does the STL2 FXP not support bundling? > > Check /var/log/messages. If there is a line that says "Microcode loaded...", > then the board is successfully running the new microcode, otherwise your > variant is not supported. (either no ucode, or hardware doesn't support it) > -- > Jonathan > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Thu Dec 27 11:40:56 2001 Delivered-To: freebsd-net@freebsd.org Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 97FDB37B417 for ; Thu, 27 Dec 2001 11:40:11 -0800 (PST) Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011227194011.DOJB6450.rwcrmhc52.attbi.com@InterJet.elischer.org>; Thu, 27 Dec 2001 19:40:11 +0000 Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id LAA88689; Thu, 27 Dec 2001 11:31:23 -0800 (PST) Date: Thu, 27 Dec 2001 11:31:22 -0800 (PST) 
From: Julian Elischer To: Henry Su Cc: freebsd-net@FreeBSD.ORG Subject: RE: socket call in the kernel In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Thu, 27 Dec 2001, Henry Su wrote:

> Thanks a lot Julian. Please let me know if u need more info.
>
> My goal is using test2 as authentication server, when http request pass
> through test2 box, test2 will redirect to an authentication url on itself.
>
>  _________                       ___________________
> |         |crossover cable      |                   |
> |test1    |-------------------->|test2(ipfw,proxy)  |----->router->Internet
> |_________|                     |___________________|
                                  X.1.1.3             X.1.1.2
>
> test2 has ipfw and a proxy server for redirection, it is configured as a
> bridge, one interface has ip address, one interface does not, which test1 is
> connected to.

Assume dc1 on the router side of test2
and dc2 on the crossover side of test2

is the router doing nat?
is X.x.x.x. a routable address?
I presume that X.1.1.3 AND X.1.1.2 are on the same logical net.
Are they both routable addresses?

firstly, bridging is a new factor. you didn't mention that before..
I am not sure how bridging will interact with everything else.

What does netstat -aA show on test2? Is the server bound to an address?
i.e. do you bind() the server to a particular address?
if so which?

Why are you bridging?
do you want people on test1 to authenticate, or people coming in from the
internet? (you need to specify what you want to redirect..)

> The rule for forwarding is:
>
> #Forward no valid http packet to local authentication
> ${fwcmd} add 65534 fwd localhost,8800 log tcp from any to any 80
>
> For example, here's 2 cases, one works, one failed.
>
> Failed case: from test1, "telnet www.yahoo.com 80", from the test2 ipfw log,
> you can see the packet is forwarded (e.g "Dec 27 00:34:25 test2 /kernel:
> ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1101
> 129.219.10.10:80 in via dc2").
> but the proxy server on test2 seems did not get the forwarded packet.
>
> Worked case: from test1, "telnet test2 80", it just works. The proxy server
> got the packet, and send redirection message to test1: "

I wonder if someone has broken fwd?
if you do the following:
on test2, telnet localhost 80
and
telnet www.freebsd.org 80

what happens?

> My guess is:
>
> The proxy socket server can only listen to packet's dst ip address that
> matches its own ip address. The proxy server is written by myself, it's java
> socket server, when it receive any packet at port 8800, it sends back some
> http redirection
> information.

No, the address that the server will be matched against is the
address in the fwd rule, and not the address in the packet.

roughly it does:

    tempaddr = address_from_packet
    if (ipfw matches a fwd rule)
        tempaddr = address_in_rule
    find socket that matches tempaddr.

It could be that the bridging is somehow confusing the forwarding..

From owner-freebsd-net Thu Dec 27 16:21: 5 2001 Delivered-To: freebsd-net@freebsd.org Received: from ns1.nttmcl.com (ns1.nttmcl.com [216.69.68.197]) by hub.freebsd.org (Postfix) with ESMTP id 110E937B416 for ; Thu, 27 Dec 2001 16:20:59 -0800 (PST) Received: from alicia.nttmcl.com (alicia.nttmcl.com [216.69.69.10]) by ns1.nttmcl.com (Postfix) with ESMTP id B5846DE541; Thu, 27 Dec 2001 16:20:58 -0800 (PST) Date: Thu, 27 Dec 2001 16:20:58 -0800 (PST)
From: Henry Su To: Julian Elischer Cc: freebsd-net@FreeBSD.ORG Subject: RE: socket call in the kernel In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ************** Henry Su * NTT MCL * ************** On Thu, 27 Dec 2001, Julian Elischer wrote: > > > > > On Thu, 27 Dec 2001, Henry Su wrote: > > > Thanks a lot Julian. Please let me know if u need more info. > > > > > > My goal is using test2 as authentication server, when http request pass > > through test2 box, test2 will redirect to an authentication url on itself. > > > > _________ ___________________ > > | |crossover cable | | > > |test1 |---------------->|test2(ipfw,proxy) |----->router->Internet > > |_________| |__________________| > X.1.1.3 X.1.1.2 > > > > > > > > test2 has ipfw and a proxy server for redirection, it is configured as a > > bridge, one interface has ip address, one interface does not, which test1 is > > connected to. > > Assume dc1 on the router side of test2 > and dc2 on the crossover side of test2 That's good one. > is the router doing nat? No. > is X.x.x.x. a routable address? Yes > I presume that X.1.1.3 AND X.1.1.2 are on the same logical net. > Are they both routable addresses? > Yes > firstly, bridging is a new factor. you didn't mention that before.. > I am not sure how bridging will interract with everything else. > > What does netstat -aA show on test2? Is the server bound to an address? > i.e. do you bind() the server to a particular address? > if so which? > > Why are you bridging? > Because gateway needs ip on each interface, we do not want to do that. We want only assign 1 ip on test2. > do you want people on test1 to authenticate, or people coming in from the > internet? (you need to specify what you want to redirect..) > people on test1. 
Assume test2 is the access control server and test1 is a client that wants to get access.

> > The rule for forwarding is:
> >
> > #Forward no valid http packet to local authentication
> > ${fwcmd} add 65534 fwd localhost,8800 log tcp from any to any 80
> >
> > For example, here's 2 cases, one works, one failed.
> >
> > Failed case: from test1, "telnet www.yahoo.com 80", from the test2 ipfw log,
> > you can see the packet is forwarded (e.g "Dec 27 00:34:25 test2 /kernel:
> > ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1101
> > 129.219.10.10:80 in via dc2").
> > but the proxy server on test2 seems did not get the forwarded packet.
> >
> > Worked case: from test1, "telnet test2 80", it just works. The proxy server
> > got the packet, and send redirection message to test1: "
>
> I wonder if someone has broken fwd?
> if you do the following:
> on test2, telnet localhost 80
> and
> telnet www.freebsd.org 80
>
> what happens?
>

[16:14:38][root@test2:~]$ telnet localhost 80
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host
[16:14:41][root@test2:~]$ telnet www.freebsd.org 80
Trying 216.136.204.21...
Connected to freefall.freebsd.org.
Escape character is '^]'.
123
501 Method Not Implemented

Method Not Implemented

123 to /index.html not supported.

Invalid method in request 123

Apache/1.3.x Gualala Server at www.freebsd.org Port 80
Connection closed by foreign host.

> > My guess is:
> >
> > The proxy socket server can only listen to packet's dst ip address that
> > matches its own ip address. The proxy server is written by myself, it's java
> > socket server, when it receive any packet at port 8800, it sends back some
> > http redirection
> > information.
>
> No the address that the server will be matched against is the
> address in the fwd rule, and not the address in the packet.
>
> roughly it does:
>
>     tempaddr = address_from_packet
>     if (ipfw matches a fwd rule)
>         tempaddr = address_in_rule
>     find socket that matches tempaddr.
>
> It could be that the bridging is somehow confusing the forwarding..

That's right. Does a socket server care about a packet's dst ip? If a
packet's dst ip is not matched, will the proxy server drop it?

Thanks.

From owner-freebsd-net Thu Dec 27 17:19:36 2001 Delivered-To: freebsd-net@freebsd.org Received: from ns1.nttmcl.com (ns1.nttmcl.com [216.69.68.197]) by hub.freebsd.org (Postfix) with ESMTP id 54D6637B417 for ; Thu, 27 Dec 2001 17:19:34 -0800 (PST) Received: from hsu (dhcp252.nttmcl.com [216.69.69.252]) by ns1.nttmcl.com (Postfix) with SMTP id 138B3DE541; Thu, 27 Dec 2001 17:19:34 -0800 (PST) Reply-To: From: "Henry Su" To: "Julian Elischer" Cc: Subject: RE: socket call in the kernel Date: Thu, 27 Dec 2001 17:22:07 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft
MimeOLE V6.00.2600.0000 In-Reply-To: Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi, Julian:

Here's all the rules that I am using:

[17:13:59][root@test2:~]$ ipfw show
00100    0     0 allow ip from any to any via lo0
00200    0     0 deny ip from any to 127.0.0.0/8
00300    0     0 deny ip from 127.0.0.0/8 to any
00400    0     0 allow udp from 0.0.0.0 2054 to 0.0.0.0
00500 1159 71707 allow ip from any to 216.69.69.254
00600  946 72546 allow ip from 216.69.69.254 to any
00700    0     0 allow udp from any 67 to any 68
00800   16  4416 allow udp from any 68 to any 67
00900   20  1229 allow udp from any to 216.69.68.197 53
00910   20  4695 allow udp from 216.69.68.197 53 to any
65533   39  2034 fwd 127.0.0.1,8800 log logamount 100 tcp from any to any 80
65535  393 35800 deny ip from any to any

From owner-freebsd-net Thu Dec 27 17:39:45 2001 Delivered-To: freebsd-net@freebsd.org Received: from ns1.nttmcl.com (ns1.nttmcl.com [216.69.68.197]) by hub.freebsd.org (Postfix) with ESMTP id 7D7CF37B405 for ; Thu, 27 Dec 2001 17:39:42 -0800 (PST) Received: from hsu (dhcp252.nttmcl.com [216.69.69.252]) by ns1.nttmcl.com (Postfix) with SMTP id 49046DE541; Thu, 27 Dec 2001 17:39:42 -0800 (PST) Reply-To: From: "Henry Su" To: "Julian Elischer" Cc: Subject: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?
Date: Thu, 27 Dec 2001 17:42:16 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 In-Reply-To: Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org http://www.unixguide.net/freebsd/faq/09.20.shtml Is there a way to configure your machine not drop these packets? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Thu Dec 27 17:40:13 2001 Delivered-To: freebsd-net@freebsd.org Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 110A937B416 for ; Thu, 27 Dec 2001 17:40:09 -0800 (PST) Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011228014008.QXWL6450.rwcrmhc52.attbi.com@InterJet.elischer.org>; Fri, 28 Dec 2001 01:40:08 +0000 Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id RAA90397; Thu, 27 Dec 2001 17:30:49 -0800 (PST) Date: Thu, 27 Dec 2001 17:30:48 -0800 (PST) From: Julian Elischer To: Henry Su Cc: freebsd-net@FreeBSD.ORG Subject: RE: socket call in the kernel In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org put the forward rule as rule 50 and see what happens. 
On Thu, 27 Dec 2001, Henry Su wrote: > Hi, Julian: > > > Here's all the rules that I am using: > > [17:13:59][root@test2:~]$ ipfw show > 00100 0 0 allow ip from any to any via lo0 > 00200 0 0 deny ip from any to 127.0.0.0/8 > 00300 0 0 deny ip from 127.0.0.0/8 to any > 00400 0 0 allow udp from 0.0.0.0 2054 to 0.0.0.0 > 00500 1159 71707 allow ip from any to 216.69.69.254 > 00600 946 72546 allow ip from 216.69.69.254 to any > 00700 0 0 allow udp from any 67 to any 68 > 00800 16 4416 allow udp from any 68 to any 67 > 00900 20 1229 allow udp from any to 216.69.68.197 53 > 00910 20 4695 allow udp from 216.69.68.197 53 to any > 65533 39 2034 fwd 127.0.0.1,8800 log logamount 100 tcp from any to any 80 > 65535 393 35800 deny ip from any to any > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-net" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Thu Dec 27 18:22:25 2001 Delivered-To: freebsd-net@freebsd.org Received: from ns1.nttmcl.com (ns1.nttmcl.com [216.69.68.197]) by hub.freebsd.org (Postfix) with ESMTP id F230C37B41A for ; Thu, 27 Dec 2001 18:22:22 -0800 (PST) Received: from hsu (dhcp252.nttmcl.com [216.69.69.252]) by ns1.nttmcl.com (Postfix) with SMTP id BDD2DDE547; Thu, 27 Dec 2001 18:22:22 -0800 (PST) Reply-To: From: "Henry Su" To: "Julian Elischer" Cc: Subject: RE: socket call in the kernel Date: Thu, 27 Dec 2001 18:24:56 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 In-Reply-To: Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Same thing, it 
only works for telneting to test2:80 for test1. -----Original Message----- From: Julian Elischer [mailto:julian@elischer.org] Sent: Thursday, December 27, 2001 5:31 PM To: Henry Su Cc: freebsd-net@FreeBSD.ORG Subject: RE: socket call in the kernel put the forward rule as rule 50 and see what happens. On Thu, 27 Dec 2001, Henry Su wrote: > Hi, Julian: > > > Here's all the rules that I am using: > > [17:13:59][root@test2:~]$ ipfw show > 00100 0 0 allow ip from any to any via lo0 > 00200 0 0 deny ip from any to 127.0.0.0/8 > 00300 0 0 deny ip from 127.0.0.0/8 to any > 00400 0 0 allow udp from 0.0.0.0 2054 to 0.0.0.0 > 00500 1159 71707 allow ip from any to 216.69.69.254 > 00600 946 72546 allow ip from 216.69.69.254 to any > 00700 0 0 allow udp from any 67 to any 68 > 00800 16 4416 allow udp from any 68 to any 67 > 00900 20 1229 allow udp from any to 216.69.68.197 53 > 00910 20 4695 allow udp from 216.69.68.197 53 to any > 65533 39 2034 fwd 127.0.0.1,8800 log logamount 100 tcp from any to any 80 > 65535 393 35800 deny ip from any to any > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-net" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Thu Dec 27 20: 0:10 2001 Delivered-To: freebsd-net@freebsd.org Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id 0CF4E37B405 for ; Thu, 27 Dec 2001 20:00:08 -0800 (PST) Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011228040007.BZXM1920.rwcrmhc51.attbi.com@InterJet.elischer.org>; Fri, 28 Dec 2001 04:00:07 +0000 Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id TAA90832; Thu, 27 Dec 2001 19:43:08 -0800 (PST) Date: Thu, 27 Dec 2001 19:43:07 -0800 (PST) From: 
Julian Elischer To: Henry Su Cc: freebsd-net@FreeBSD.ORG Subject: Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I have a patch that fixes that On Thu, 27 Dec 2001, Henry Su wrote: > > http://www.unixguide.net/freebsd/faq/09.20.shtml > > Is there a way to configure your machine not drop these packets? > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-net" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Thu Dec 27 20:26:39 2001 Delivered-To: freebsd-net@freebsd.org Received: from docomolabs-usa.com (fridge.docomo-usa.com [216.98.102.228]) by hub.freebsd.org (Postfix) with ESMTP id 053F837B405 for ; Thu, 27 Dec 2001 20:26:38 -0800 (PST) Received: from bud (dhcp102.docomo-usa.com [172.21.96.102]) by docomolabs-usa.com (8.11.3/8.11.3) with SMTP id fBS4QWS02003; Thu, 27 Dec 2001 20:26:32 -0800 (PST) Message-ID: <000e01c18f58$99daec80$666015ac@bud> From: "Guangrui Fu" To: , References: Subject: dummynet for IPv6? Date: Thu, 27 Dec 2001 20:32:03 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi All, Is there any implementation for ipv6 based dummynet? Another related question, I'm using dummynet for bandwidth control. 
I want the bandwidth control to be applied to all Ethernet packets (IP/ICMP, v4/v6). If dummynet is IPv6-unaware, how can I achieve this?

Could anyone please give some suggestions?

Regards,
G.

From owner-freebsd-net Thu Dec 27 23:19:32 2001
Date: Thu, 27 Dec 2001 23:19:22 -0800
From: "Crist J . Clark"
To: Henry Su
Cc: Julian Elischer, freebsd-net@FreeBSD.ORG
Subject: Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?
Message-ID: <20011227231922.N2090@blossom.cjclark.org>
In-Reply-To: from henrysu@nttmcl.com on Thu, Dec 27, 2001 at 05:42:16PM -0800
X-URL: http://people.freebsd.org/~cjc/

On Thu, Dec 27, 2001 at 05:42:16PM -0800, Henry Su wrote:
>
> http://www.unixguide.net/freebsd/faq/09.20.shtml
>
> Is there a way to configure your machine not to drop these packets?

I wrote that FAQ entry for people directing packets to another
machine. When you are forwarding the packets to 127.0.0.1, the local
machine, it is not an issue.
The packets will be "accepted" by the system. (But that doesn't mean the
application will behave well.)
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-net Fri Dec 28 06:22:46 2001
Date: Fri, 28 Dec 2001 13:30:44 +0000
From: Josef Karthauser
To: Ruslan Ermilov
Cc: Yusuf Goolamabbas, freebsd-net@freebsd.org
Subject: Re: Is there a way to clear stats from netstat -i
Message-ID: <20011228133044.C485@tao.org.uk>
References: <20011211123504.A5909@outblaze.com> <20011219182139.A9340@tao.org.uk> <20011220151038.G6625@sunbay.com>
In-Reply-To: <20011220151038.G6625@sunbay.com>; from ru@freebsd.org on Thu, Dec 20, 2001 at 03:10:38PM +0200

On Thu, Dec 20, 2001 at 03:10:38PM +0200, Ruslan Ermilov wrote:
> On Wed, Dec 19, 2001 at 06:21:39PM +0000, Josef Karthauser wrote:
> > Hi Ruslan,
> >
> > You've been near this code recently. Do you have any suggestions for
> > how this may work?
> >
> This would require a new SIOCCIFDATA ioctl in group 'i'.
What's group 'i'?

Joe

From owner-freebsd-net Fri Dec 28 11:52:20 2001
Date: Fri, 28 Dec 2001 11:54:50 -0800
From: "Henry Su"
To: "Crist J . Clark"
Cc: "Julian Elischer", freebsd-net@FreeBSD.ORG
Subject: RE: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?
In-Reply-To: <20011227231922.N2090@blossom.cjclark.org>

I tried localhost, it is an issue for me. It's FreeBSD 4.3. Is this a bug?

-----Original Message-----
From: Crist J . Clark [mailto:cjc@FreeBSD.ORG]
Sent: Thursday, December 27, 2001 11:19 PM
To: Henry Su
Cc: Julian Elischer; freebsd-net@FreeBSD.ORG
Subject: Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?
On Thu, Dec 27, 2001 at 05:42:16PM -0800, Henry Su wrote:
>
> http://www.unixguide.net/freebsd/faq/09.20.shtml
>
> Is there a way to configure your machine not to drop these packets?

I wrote that FAQ entry for people directing packets to another
machine. When you are forwarding the packets to 127.0.0.1, the local
machine, it is not an issue. The packets will be "accepted" by the
system. (But that doesn't mean the application will behave well.)
--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-net Fri Dec 28 13:40:16 2001
Date: Fri, 28 Dec 2001 13:31:07 -0800 (PST)
From: Julian Elischer
To: "Crist J . Clark"
Cc: Henry Su, freebsd-net@FreeBSD.ORG
Subject: Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?
In-Reply-To: <20011227231922.N2090@blossom.cjclark.org>

You need to correct the FAQ..
"The correct way to ensure that this does not happen is to also add a 'fwd' rule on the destination rule, forwarding the packet to localhost. This will override the destination machine's tendancy to throw the forwarded packet back" Also, in versions of FreeBSD before 4.6, packets matched while INCOMING could only be forwarded to the local host. Outgoing packets could be forwarded to an adjoining host. This was fixed while 4.5 was cooking and appeared in releases after that. The port number is only used for forwarding to the local host. On Thu, 27 Dec 2001, Crist J . Clark wrote: > On Thu, Dec 27, 2001 at 05:42:16PM -0800, Henry Su wrote: > > > > http://www.unixguide.net/freebsd/faq/09.20.shtml > > > > Is there a way to configure your machine not drop these packets? > > I wrote that FAQ entry for people directing packets to another > machine. When you are forwarding the packets to 127.0.0.1, the local > machine, it is not an issue. The packets will be "accepted" by the > system. (But that doesn't mean the application will behave well.) > -- > "It's always funny until someone gets hurt. Then it's hilarious." > > Crist J. 
> Clark                     | cjclark@alum.mit.edu
>                           | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-net Fri Dec 28 13:59:10 2001
Date: Fri, 28 Dec 2001 15:58:54 -0600 (CST)
From: Nick Rogness
To: Julian Elischer
Cc: "Crist J . Clark", Henry Su, freebsd-net@FreeBSD.ORG
Subject: Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?

On Fri, 28 Dec 2001, Julian Elischer wrote:

> Also, in versions of FreeBSD before 4.6, packets matched while
> INCOMING could only be forwarded to the local host. Outgoing packets
> could be forwarded to an adjoining host. This was fixed while 4.5 was
> cooking and appeared in releases after that. The port number is only
> used for forwarding to the local host.

Um, so you can now fwd based on incoming packets? EX:

    ipfw fwd 10.1.2.3 ip from any to 1.1.1.1 in via ed0

Or is it still the way it is stated in the ipfw man page?
EX:

    ipfw fwd 10.1.2.3 ip from any to 1.1.1.1 out recv ed0 xmit xl0

Nick Rogness
- Don't mind me...I'm just sniffing your packets

From owner-freebsd-net Fri Dec 28 14:20:15 2001
Date: Fri, 28 Dec 2001 14:11:06 -0800 (PST)
From: Julian Elischer
To: Nick Rogness
Cc: "Crist J . Clark", Henry Su, freebsd-net@FreeBSD.ORG
Subject: Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?

On Fri, 28 Dec 2001, Nick Rogness wrote:
> On Fri, 28 Dec 2001, Julian Elischer wrote:
>
> > Also, in versions of FreeBSD before 4.6, packets matched while
> > INCOMING could only be forwarded to the local host. Outgoing packets
> > could be forwarded to an adjoining host. This was fixed while 4.5 was
> > cooking and appeared in releases after that. The port number is only
> > used for forwarding to the local host.
>
> Um, so you can now fwd based on incoming packets? EX:
>
>     ipfw fwd 10.1.2.3 ip from any to 1.1.1.1 in via ed0

That will now work in -current and will in 4.x when I MFC it..
I looked in the man page and didn't see this mentioned. I'll read it
better again and fix it if it's now out of date.

Hmm, I still can't find that example..
AHHHH found it....
will fix by removing
"and the rule only applies to packets leaving the system"

is that what you are referring to?

> Or is it still the way it is stated in the ipfw man page? EX:
>
>     ipfw fwd 10.1.2.3 ip from any to 1.1.1.1 out recv ed0 xmit xl0

That will still work...

> Nick Rogness
> - Don't mind me...I'm just sniffing your packets

From owner-freebsd-net Fri Dec 28 15:15:16 2001
Date: Fri, 28 Dec 2001 17:15:08 -0600 (CST)
From: Nick Rogness
To: Julian Elischer
Cc: "Crist J . Clark", Henry Su, freebsd-net@FreeBSD.ORG
Subject: Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?

On Fri, 28 Dec 2001, Julian Elischer wrote:
>
> On Fri, 28 Dec 2001, Nick Rogness wrote:
>
> > On Fri, 28 Dec 2001, Julian Elischer wrote:
> >
> > Um, so you can now fwd based on incoming packets? EX:
> >
> >     ipfw fwd 10.1.2.3 ip from any to 1.1.1.1 in via ed0
>
> That will now work in -current and will in 4.x when I MFC it..
> I looked in the man page and didn't see this mentioned. I'll read it
> better again and fix it if it's now out of date.
>
> Hmm, I still can't find that example..
> AHHHH found it....
> will fix by removing
> "and the rule only applies to packets leaving the system"
>
> is that what you are referring to?

Yes sir...thanks and God Bless you for the effort ;-)

Nick Rogness
- Don't mind me...I'm just sniffing your packets

From owner-freebsd-net Fri Dec 28 16:12:50 2001
Date: Fri, 28 Dec 2001 16:14:55 -0800
From: "Henry Su"
To: "Julian Elischer"
Subject: RE: socket call in the kernel

Hi, Julian:

Could you please give me some code example for using the 'ksocket' node to
open 'in kernel' sockets? Thanks.
-----Original Message-----
From: owner-freebsd-net@FreeBSD.ORG [mailto:owner-freebsd-net@FreeBSD.ORG] On Behalf Of Julian Elischer
Sent: Thursday, December 20, 2001 3:08 PM
To: Henry Su
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: socket call in the kernel

I have two answers:

1/ Use
       ipfw add NNN fwd localhost,8001 [deny criteria]
   to make the packet that is denied go to a default server listening on
   port 8001

2/ there is an in-kernel webserver built using netgraph but it's not
   public, but you can definitely use the 'ksocket' node to open 'in kernel'
   sockets and pass the result to an arbitrary node.

1 can do what you want with no kernel programming..
check it out..

man ipfw

On Thu, 20 Dec 2001, Henry Su wrote:

> Thanks, Julian and Alfred.
>
> I am trying to redirect the denied http request to a default web site. So my
> idea is in the "ip_fw_chk" function of ip_fw.c, add following code, when it
> will drop the packet. But as you pointed out in earlier email, socket can
> not be used in this case. Do you have any other solutions? Thanks a lot.
>
>          * Finally, drop the packet.
>          */
>
>         /* my code start debug */
>         /* find if it's a http packet */
>         dst_port_h = ntohs(dst_port);
>         if(dst_port_h==80){
>                 log(LOG_INFO,"src_port:%u src_ip:%d dst_port:%d dst_ip:%u",
>                         ntohs(src_port), src_ip.s_addr, ntohs(dst_port), dst_ip.s_addr);
>                 /*s = 1;*/
>                 s = socket(AF_INET, SOCK_STREAM, 0);
>                 if (s < 0) {
>                         log(LOG_INFO,"Redirect socket can not be created");
>                 }else{
>                         log(LOG_INFO,"Redirect socket is created");
>                         /*
>                         bzero(&sa, sizeof sa);
>                         sa.sin_family = AF_INET;
>                         sa.sin_port = src_port;
>                         sa.sin_addr.s_addr = src_ip.s_addr;
>                         if (connect(s, (struct sockaddr *)&sa, sizeof sa) < 0) {
>                                 log(LOG_INFO,"connect %d failed", src_ip.s_addr);
>                                 close(s);
>                         }else{
>                                 log(LOG_INFO,"connect %d ok", src_ip.s_addr);
>                                 close(s);
>                         }
>                         */
>                         /*
>                         while ((bytes = read(s, buffer, BUFSIZ)) > 0)
>                                 write(1, buffer, bytes);
>                         */
>                 }
>         }
>         /* end debug */
>         return(IP_FW_PORT_DENY_FLAG);
>
> -----Original Message-----
> From: Julian Elischer [mailto:julian@elischer.org]
> Sent: Thursday, December 20, 2001 12:59 PM
> To: Henry Su
> Cc: freebsd-net@FreeBSD.ORG
> Subject: Re: socket call in the kernel
>
> You cannot do a socket directly but you can indirectly
> tell me what you are trying to do and I can help..
>
> On Thu, 20 Dec 2001, Henry Su wrote:
>
> > I am trying to modify ip_fw.c in the /usr/src/sys/netinet, I tried to add a
> > socket call in the code, it can be compiled, but when it runs into the code,
> > it just crashed. It gave me the "Fatal trap error 12", Memory address is
> > wrong.
> >
> > Can any one tell me if socket call can be used in kernel level? If not, how
> > can I accomplish socket communication in the kernel level?
> >
> > Thanks.
> >
> > ------------------------------------------------
> >
> > Henry Su
> >
> > NTT Multimedia Communications Laboratories, Inc.
> > 250 Cambridge Avenue Suite 300
> > Palo Alto, CA 94306, USA (PST:UTC -8H)
> > Tel: +1 650 833 3652
> > Fax: +1 650 326 1878
> > http://www.nttmcl.com/

From owner-freebsd-net Fri Dec 28 17:00:52 2001
Date: Fri, 28 Dec 2001 16:59:06 -0800 (PST)
From: Julian Elischer
To: Henry Su
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: socket call in the kernel

Well, you'll find an example of using a ksocket node in
/usr/share/examples/netgraph and of course /sys/netgraph/ng_ksocket.c
has the actual code that does that if you wanted to duplicate it in your
own module.

Why do you want to do bridging?
if you used a NAT and routed it would be a lot more standard..

On Fri, 28 Dec 2001, Henry Su wrote:
> Hi, Julian:
>
> Could you please give me some code example for using the 'ksocket' node to
> open 'in kernel' sockets? Thanks.
From owner-freebsd-net Fri Dec 28 17:12:17 2001
Date: Fri, 28 Dec 2001 17:14:46 -0800
From: "Henry Su"
To: "Julian Elischer"
Subject: RE: socket call in the kernel

The problem is that we do not use NAT, since all the machines will have real
IP addresses, and we do not want to assign a 2nd IP address on the control box
too. Is there any configuration that allows you to do this without bridging?
 __________                   ___________________
|          |crossover cable  |                   |
|test1     |---------------->| test2(ipfw,proxy) |-->router->Internet
|__________|                 |___________________|

-----Original Message-----
From: Julian Elischer [mailto:julian@elischer.org]
Sent: Friday, December 28, 2001 4:59 PM
To: Henry Su
Cc: freebsd-net@FreeBSD.ORG
Subject: RE: socket call in the kernel

Well, you'll find an example of using a ksocket node in
/usr/share/examples/netgraph and of course /sys/netgraph/ng_ksocket.c
has the actual code that does that if you wanted to duplicate it in your
own module.

Why do you want to do bridging?
if you used a NAT and routed it would be a lot more standard..

On Fri, 28 Dec 2001, Henry Su wrote:
> Hi, Julian:
>
> Could you please give me some code example for using the 'ksocket' node to
> open 'in kernel' sockets? Thanks.
From owner-freebsd-net Fri Dec 28 18:45:25 2001
Date: Fri, 28 Dec 2001 18:45:16 -0800
From: "Crist J . Clark"
To: Julian Elischer
Cc: Henry Su, freebsd-net@FreeBSD.ORG
Subject: Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?
Message-ID: <20011228184516.B93411@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20011227231922.N2090@blossom.cjclark.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from julian@elischer.org on Fri, Dec 28, 2001 at 01:31:07PM -0800 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Dec 28, 2001 at 01:31:07PM -0800, Julian Elischer wrote: > You need to > correct the FAQ.. > > "The correct way to ensure that this does not happen is to also add > a 'fwd' rule on the destination rule, forwarding the packet > to localhost. This will override the destination machine's tendancy > to throw the forwarded packet back" I'm having a hard time parsing that. > Also, in versions of FreeBSD before 4.6, 4.6? > packets matched while INCOMING > could only be forwarded to the local host. Which is what I thought the original poster was doing? > Outgoing packets > could be forwarded to an adjoining host. > This was fixed while 4.5 was cooking and appeared in releases after that. So will this be in 4.5? > The port number is only used for forwarding to the local host. Which is what the original poster was doing? -- "It's always funny until someone gets hurt. Then it's hilarious." Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Fri Dec 28 18:58:13 2001 Delivered-To: freebsd-net@freebsd.org Received: from ambrisko.com (adsl-64-174-51-42.dsl.snfc21.pacbell.net [64.174.51.42]) by hub.freebsd.org (Postfix) with ESMTP id 6D9EC37B41A for ; Fri, 28 Dec 2001 18:58:11 -0800 (PST) Received: (from ambrisko@localhost) by ambrisko.com (8.11.6/8.11.6) id fBT2uWp83732; Fri, 28 Dec 2001 18:56:32 -0800 (PST) (envelope-from ambrisko) From: Doug Ambrisko Message-Id: <200112290256.fBT2uWp83732@ambrisko.com> Subject: Re: USB ethernet problem In-Reply-To: <20011221115851.A10172@mezcal.tue.le> To: Thomas Zenker Date: Fri, 28 Dec 2001 18:56:32 -0800 (PST) Cc: Mike Silbersack , freebsd-net@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL94b (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thomas Zenker writes: | the situation changed, I have tried to install the new release now | on the final embedded hardware. It is to mention, that this hardware | is working with fbsd 4.3 from july without any problems in about | 50 equipments. Upgrade from the previous fbsd 4.3 works flawlessly | (4.3 kernel is running during this procedure), however after rebooting | the 4.4 kernel, another upgrade run doesn't terminate: | | usb0: host controller process error | usb0: host controller halted Hmm, I've seen this with my usio driver (USB -> serial adapter using the Anchor chip) and couldn't figure it out. It seems to happen more as machines are sharing interrupts with USB on UHCI controllers. Lots of small packets seem to trigger it more. Doug A. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sat Dec 29 2: 0:31 2001 Delivered-To: freebsd-net@freebsd.org Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id 5149B37B41C for ; Sat, 29 Dec 2001 02:00:28 -0800 (PST) Received: from InterJet.elischer.org ([12.232.206.8]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20011229100027.KPXO1920.rwcrmhc51.attbi.com@InterJet.elischer.org>; Sat, 29 Dec 2001 10:00:27 +0000 Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id BAA97654; Sat, 29 Dec 2001 01:58:19 -0800 (PST) Date: Sat, 29 Dec 2001 01:58:17 -0800 (PST) From: Julian Elischer To: cjclark@alum.mit.edu Cc: Henry Su , freebsd-net@FreeBSD.ORG Subject: Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working? In-Reply-To: <20011228184516.B93411@blossom.cjclark.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 28 Dec 2001, Crist J . Clark wrote: > On Fri, Dec 28, 2001 at 01:31:07PM -0800, Julian Elischer wrote: > > You need to > > correct the FAQ.. > > > > "The correct way to ensure that this does not happen is to also add > > a 'fwd' rule on the destination rule, forwarding the packet > > to localhost. This will override the destination machine's tendancy > > to throw the forwarded packet back" > > I'm having a hard time parsing that. if you send a packet somewhere it is not supposed to go, it will try discard it or forward it, UNLESS it has an ipfw fwd rule that makes it forward it to a local port. 
So you need a rule at the interception machine and a rule at the destination machine. > > > Also, in versions of FreeBSD before 4.6, > > 4.6? yes, it will miss 4.5 > > > packets matched while INCOMING > > could only be forwarded to the local host. > > Which is what I thought the original poster was doing? > > > Outgoing packets > > could be forwarded to an adjoining host. > > This was fixed while 4.5 was cooking and appeared in releases after that. > > So will this be in 4.5? No > > > The port number is only used for forwarding to the local host. > > Which is what the original poster was doing? > -- > "It's always funny until someone gets hurt. Then it's hilarious." > > Crist J. Clark | cjclark@alum.mit.edu > | cjclark@jhu.edu > http://people.freebsd.org/~cjc/ | cjc@freebsd.org > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sat Dec 29 6:28:51 2001 Delivered-To: freebsd-net@freebsd.org Received: from sonic.kks.net (sonic.kks.net [213.161.0.18]) by hub.freebsd.org (Postfix) with ESMTP id 124B237B421 for ; Sat, 29 Dec 2001 06:28:48 -0800 (PST) Received: from voyager.kksonline.com (5-51.ro.cable.kks.net [213.161.5.51]) by sonic.kks.net (Postfix) with ESMTP id D14FF26C for ; Sat, 29 Dec 2001 15:28:53 +0100 (CET) Message-Id: <5.0.2.1.0.20011229152316.02d72548@sundance.kks.net> X-Sender: arozman@sundance.kks.net X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Date: Sat, 29 Dec 2001 15:27:28 +0100 To: freebsd-net@freebsd.org From: Aleksander Rozman - Andy Subject: routing sort of In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi People! I am currently working on implementing new protocol (ax.25) on FreeBSD. Now my problem is this. 
For device (SCC Card) there is no driver on FreebSD yet (I will do that after I finish ax.25)... SO my question is, would it be possible to put this card on another machine (running linux)and then route all packets that will come into card to another computer (freebsd), via com port or another ethernet card. Problem is that I need everything that will come from this card, without being proccesed by linux. Is this possible? And how can it be done? Andy ************************************************************************** * Aleksander Rozman - Andy * Fandoms: E2:EA, SAABer, Trekkie, Earthie * * andy@kksonline.com * Sentinel, BH 90210, True's Trooper, * * andy@atechnet.dhs.org * Heller's Angel, Questie, Legacy, PO5, * * Maribor, Slovenia (Europe) * Profiler, Buffy (Slayerete), Pretender * * ICQ-UIC: 4911125 ********************************************* * PGP key available * http://www.atechnet.dhs.org/~andy/ * ************************************************************************** To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sat Dec 29 8:15:32 2001 Delivered-To: freebsd-net@freebsd.org Received: from quack.kfu.com (quack.kfu.com [205.178.90.194]) by hub.freebsd.org (Postfix) with ESMTP id 6A5BB37B426 for ; Sat, 29 Dec 2001 08:15:27 -0800 (PST) Received: from morpheus.kfu.com (morpheus.kfu.com [3ffe:1200:301b:1:2d0:b7ff:fe3f:bdd0]) by quack.kfu.com (8.11.6/8.11.6) with ESMTP id fBTGFGV18939 (using TLSv1/SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168 bits) verified OK) for ; Sat, 29 Dec 2001 08:15:22 -0800 (PST) (envelope-from nsayer@quack.kfu.com) Received: from quack.kfu.com (nospam@localhost [::1]) by morpheus.kfu.com (8.11.6/8.11.6) with ESMTP id fBTGFGL01243 for ; Sat, 29 Dec 2001 08:15:16 -0800 (PST) (envelope-from nsayer@quack.kfu.com) Message-ID: <3C2DEC14.1000508@quack.kfu.com> Date: Sat, 29 Dec 2001 08:15:16 -0800 From: Nick Sayer User-Agent: Mozilla/5.0 (X11; U; 
FreeBSD i386; en-US; rv:0.9.7) Gecko/20011228 X-Accept-Language: en, en-US, en-GB MIME-Version: 1.0 To: freebsd-net@freebsd.org Subject: Panic in radix.c Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org First, let me start out by saying that I have hacked in Kame's NATPT functionality into this kernel, so it's entirely possible that is causing this, but I thought I'd ask anyway. Here's a stack trace from this panic: (above this is the trap, savecore and reboot) #17 0xc018b973 in rn_match (v_arg=0xc904326c, head=0xc0f33f80) at ../../net/radix.c:240 #18 0xc0192b96 in in_matroute (v_arg=0xc904326c, head=0xc0f33f80) at ../../netinet/in_rmx.c:151 #19 0xc018cdd6 in rtalloc1 (dst=0xc904326c, report=1, ignflags=0) at ../../net/route.c:135 #20 0xc018cd90 in rtalloc_ign (ro=0xc9043268, ignore=0) at ../../net/route.c:111 #21 0xc018cd39 in rtalloc (ro=0xc9043268) at ../../net/route.c:91 #22 0xc01a2365 in tcp_rtlookup (inp=0xc9043220) at ../../netinet/tcp_subr.c:1349 #23 0xc01a23e6 in tcp_gettaocache (inp=0xc9043220) at ../../netinet/tcp_subr.c:1443 #24 0xc019e464 in tcp_input (m=0xc07b1200, off0=20, proto=6) at ../../netinet/tcp_input.c:1117 #25 0xc0199b6d in ip_input (m=0xc07b1200) at ../../netinet/ip_input.c:862 #26 0xc0193b3a in transmit_event (pipe=0xc0f61200) at ../../netinet/ip_dummynet.c:431 #27 0xc0193d2b in ready_event (q=0xc0f8b180) at ../../netinet/ip_dummynet.c:566 #28 0xc0194b43 in dummynet_io (pipe_nr=1, dir=2, m=0xc07b1200, ifp=0x0, ro=0x0, dst=0x0, rule=0xc0ebd970, flags=0) at ../../netinet/ip_dummynet.c:1137 #29 0xc019972b in ip_input (m=0xc07b1200) at ../../netinet/ip_input.c:465 #30 0xc0199bcb in ipintr () at ../../netinet/ip_input.c:890 net/radix.c line 240 is this: if (t->rn_bmask & cp[t->rn_offset]) The trap was caused by cp being set to 
NULL. Unfortunately, I can't quite wrap my head around the logic in this routine. The input parameters are not NULL, so cp must have got that way somewhere in the loop. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sat Dec 29 12:12: 7 2001 Delivered-To: freebsd-net@freebsd.org Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id C83BC37B41A for ; Sat, 29 Dec 2001 12:12:05 -0800 (PST) Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id fBTKBv125019; Sat, 29 Dec 2001 14:11:57 -0600 (CST) (envelope-from nick@rogness.net) Date: Sat, 29 Dec 2001 14:11:56 -0600 (CST) From: Nick Rogness X-Sender: nick@cody.jharris.com To: Aleksander Rozman - Andy Cc: freebsd-net@FreeBSD.ORG Subject: Re: routing sort of In-Reply-To: <5.0.2.1.0.20011229152316.02d72548@sundance.kks.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 29 Dec 2001, Aleksander Rozman - Andy wrote: > > Hi People! > > I am currently working on implementing new protocol (ax.25) on > FreeBSD. Now my problem is this. For device (SCC Card) there is no > driver on FreebSD yet (I will do that after I finish ax.25)... SO my > question is, would it be possible to put this card on another machine > (running linux)and then route all packets that will come into card to > another computer (freebsd), via com port or another ethernet card. > Problem is that I need everything that will come from this card, > without being proccesed by linux. Is this possible? And how can it be > done? 
I am not up on Linux, but you would need the Linux machine to act like a transparent bridge, though I still think you would be missing some frames as the Linux machine would be processing the frames to do the forwarding between interfaces. Nick Rogness - Don't mind me...I'm just sniffing your packets To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sat Dec 29 12:20:16 2001 Delivered-To: freebsd-net@freebsd.org Received: from docomolabs-usa.com (fridge.docomo-usa.com [216.98.102.228]) by hub.freebsd.org (Postfix) with ESMTP id DD87B37B419 for ; Sat, 29 Dec 2001 12:20:09 -0800 (PST) Received: from bud (dhcp102.docomo-usa.com [172.21.96.102]) by docomolabs-usa.com (8.11.3/8.11.3) with SMTP id fBTKK3S18879; Sat, 29 Dec 2001 12:20:03 -0800 (PST) Message-ID: <000701c190a6$f8b9edb0$666015ac@bud> From: "Guangrui Fu" To: , References: <000e01c18f58$99daec80$666015ac@bud> Subject: Re: dummynet for IPv6? Date: Sat, 29 Dec 2001 12:25:34 -0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org hi all, here is another related question, is bridge and ip6_fw supported in FreeBSD? any information on it is highly appreciated! thanks in advance, ----- Original Message ----- From: "Guangrui Fu" To: ; Sent: Thursday, December 27, 2001 8:32 PM Subject: dummynet for IPv6? > Hi All, > > Is there any implementation for ipv6 based dummynet? > > Another related question, I'm using dummynet for bandwidth control. I want > the bandwidth control can be applied to all ethernet packets(ip/icmp v4/v6). 
> If dummynet is ipv6-unawareness, how can I achieve this? Could anyone please > give some suggestion? > > Regards, > G. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-net" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message From owner-freebsd-net Sat Dec 29 20:54:38 2001 Delivered-To: freebsd-net@freebsd.org Received: from niwun.pair.com (niwun.pair.com [209.68.2.70]) by hub.freebsd.org (Postfix) with SMTP id 4813537B416 for ; Sat, 29 Dec 2001 20:54:36 -0800 (PST) Received: (qmail 58934 invoked by uid 3193); 30 Dec 2001 04:54:35 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 30 Dec 2001 04:54:35 -0000 Date: Sat, 29 Dec 2001 23:54:35 -0500 (EST) From: Mike Silbersack X-Sender: To: Randall Stewart Cc: Bosko Milekic , Subject: Re: m_reclaim and a protocol drain In-Reply-To: <3C29BEF3.611BCAFE@stewart.chicago.il.us> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Dec 2001, Randall Stewart wrote: > This comment facinates me. The reason we made SACK's in SCTP > revokeable is due to the potential DOS attack that someone > can supposedly lauch if you don't allow the stack to revoke. > > I can actually see the reason that Sally made the comments > and had us change it so that SACK's are revokeable. However > you argue to the contrary and I wonder which is correct. > > If you do not allow revoking it is the same as if a protocol > does not hold a drain() fucntion. A attacker could easily > stuff a lot of out-of-order segments at you and thus > fill up all your mbuf's or clusters (in my current testing > case). 
This would then yeild a DOS since you could no longer > receive any segments and leave you high and dry.... Heh, you nailed the reverse of the problem we've seen: Right now the easy way to cause exhaustion is to fill up _send_ buffers, via netkill. I guess if we solve that problem, out of order segments could be used for an attack too. Just FWIW, Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
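The exhaustion scenario Randall describes above, with and without a protocol drain(), as an added toy model in C; it is not code from this thread, from FreeBSD or from any SCTP stack, and the pool size, table size and receiver layout are constructed assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model, not FreeBSD or SCTP code: out-of-order segments pin
 * buffers from a shared pool; drain() is what revokable SACKs permit. */

#define POOL_SIZE 64     /* constructed: buffers shared by the whole stack */
#define MAX_OOO   1024   /* constructed: slots in the reassembly table     */

struct receiver {
    unsigned rcv_next;        /* next in-order sequence number expected   */
    unsigned ooo[MAX_OOO];    /* sequence numbers currently held           */
    int      nooo;            /* how many are held                         */
    int      pool;            /* free buffers left in the shared pool      */
    bool     drain_enabled;   /* may the protocol revoke what it SACKed?   */
    int      revoked;         /* segments thrown away by drain() so far    */
};

static void receiver_init(struct receiver *r, bool drain_enabled)
{
    memset(r, 0, sizeof *r);
    r->pool = POOL_SIZE;
    r->drain_enabled = drain_enabled;
}

/* Give back every buffer pinned by out-of-order data; the peer must treat
 * its earlier SACKs as revoked and retransmit. */
static void receiver_drain(struct receiver *r)
{
    r->pool += r->nooo;
    r->revoked += r->nooo;
    r->nooo = 0;
}

/* Offer one segment to the receiver; true if the stack could take it. */
static bool receiver_input(struct receiver *r, unsigned seq)
{
    if (r->pool == 0) {
        if (!r->drain_enabled)
            return false;     /* pool exhausted and nothing we may reclaim */
        receiver_drain(r);
    }
    if (seq == r->rcv_next) {
        r->rcv_next++;        /* in order: handed up at once, buffer freed */
        return true;
    }
    if (r->nooo == MAX_OOO)
        return false;
    r->ooo[r->nooo++] = seq;  /* held until the gap is filled: pins a buffer */
    r->pool--;
    return true;
}

/* Flood of far-out-of-order segments, then one legitimate in-order segment.
 * Returns whether the legitimate segment still got through; *revoked gets
 * the number of segments drain() discarded along the way. */
bool legit_segment_survives(bool drain_enabled, int *revoked)
{
    struct receiver r;
    receiver_init(&r, drain_enabled);
    for (unsigned seq = 1000; seq < 1000 + 4 * POOL_SIZE; seq++)
        receiver_input(&r, seq);
    bool ok = receiver_input(&r, 0);  /* seq 0 == rcv_next */
    *revoked = r.revoked;
    return ok;
}
```

Without drain the flood pins the whole pool and the in-order segment is lost; with drain the held data is discarded (256 segments over this run) and the in-order segment is still delivered, at the price of retransmissions from the peer.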