From owner-freebsd-ipfw Mon Oct 28 8:51:48 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1FBC037B401; Mon, 28 Oct 2002 08:51:47 -0800 (PST) Received: from mta4.srv.hcvlny.cv.net (mta4.srv.hcvlny.cv.net [167.206.5.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5FCAD43E77; Mon, 28 Oct 2002 08:51:44 -0800 (PST) (envelope-from avg@icyb.net.ua) Received: from edge.foundation.invalid (ool-182f90f3.dyn.optonline.net [24.47.144.243]) by mta4.srv.hcvlny.cv.net (iPlanet Messaging Server 5.2 HotFix 0.9 (built Jul 29 2002)) with ESMTP id <0H4P00A3YANKPZ@mta4.srv.hcvlny.cv.net>; Mon, 28 Oct 2002 11:47:45 -0500 (EST) Received: from localhost (localhost.foundation.invalid [127.0.0.1]) by edge.foundation.invalid (8.12.6/8.12.3) with ESMTP id g9SGlfpg076395; Mon, 28 Oct 2002 11:47:42 -0500 (EST envelope-from avg@icyb.net.ua) Date: Mon, 28 Oct 2002 11:47:41 -0500 (EST) From: Andriy Gapon Subject: Re: kern/44417: ipfw layer2 rules are not checked for ether_output_frame() on bridged interface In-reply-to: <200210231810.g9NIA15C037636@freefall.freebsd.org> X-X-Sender: avg@edge.foundation.invalid To: FreeBSD-gnats-submit@FreeBSD.org Cc: freebsd-ipfw@freebsd.org Message-id: <20021028114346.T76307-100000@edge.foundation.invalid> MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Here's a patch that I think fixes this problem, it works for me. If anybody else could test this that would be great. --- if_ethersubr.c.orig Wed Oct 23 15:27:08 2002 +++ if_ethersubr.c Wed Oct 23 15:28:06 2002 
@@ -388,9 +388,6 @@ if (m->m_flags == PACKET_TAG_DUMMYNET) rule = ((struct dn_pkt *)m)->rule; - if (rule) /* packet was already bridged */ - goto no_bridge; - if (BDG_ACTIVE(ifp) ) { struct ether_header *eh; /* a ptr suffices */ --- bridge.c.orig Wed Oct 23 15:28:16 2002 +++ bridge.c Wed Oct 23 15:29:06 2002 
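Review bot: The if_ethersubr.c hunk (@@ -388) deletes `if (rule) /* packet was already bridged */ goto no_bridge;` without putting any guard in its place, so a frame that carries a dummynet tag, which the deleted comment says has already been through the bridge, is now handed to `bdg_forward_ptr()` a second time; either keep the guard or add a comment saying why the second pass is safe (for instance that the bridge side recognises the tag and skips straight to forwarding). In the bridge.c hunk (@@ -857) that follows, dropping `src != NULL` from the condition contradicts the comment kept directly above it ("the packet is not from ether_output() (src==NULL, or we would filter it twice)"): if ether_output_frame() also runs the rules, a locally generated frame is now filtered twice, and if it does not, the comment is wrong; update the comment to say which of the two places is meant to filter outgoing frames.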
@@ -857,11 +857,11 @@ * Additional restrictions may apply e.g. non-IP, short packets, * and pkts already gone through a pipe. */ - if (src != NULL && ( + if ( #ifdef PFIL_HOOKS ((pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh)) != NULL && bdg_ipf !=0) || #endif - (IPFW_LOADED && bdg_ipfw != 0))) { + (IPFW_LOADED && bdg_ipfw != 0)) { int i; -- Andriy Gapon * "Never try to outstubborn a cat." Lazarus Long, "Time Enough for Love" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Oct 29 0:27:28 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 86F5E37B401 for ; Tue, 29 Oct 2002 00:27:26 -0800 (PST) Received: from mail.nsu.ru (mx.nsu.ru [193.124.215.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8819043E42 for ; Tue, 29 Oct 2002 00:27:25 -0800 (PST) (envelope-from danfe@regency.nsu.ru) Received: from drweb by mail.nsu.ru with drweb-scanned (Exim 3.20 #1) id 186RiB-00050B-00 for ipfw@freebsd.org; Tue, 29 Oct 2002 14:26:55 +0600 Received: from regency.nsu.ru ([193.124.210.26]) by mail.nsu.ru with esmtp (Exim 3.20 #1) id 186Rho-0004pG-00 for ipfw@freebsd.org; Tue, 29 Oct 2002 14:26:32 +0600 Received: from regency.nsu.ru (localhost [127.0.0.1]) by regency.nsu.ru (8.12.6/8.12.6) with ESMTP id g9T8QHiv045762 for ; Tue, 29 Oct 2002 14:26:22 +0600 (NOVT) (envelope-from danfe@regency.nsu.ru) Received: (from danfe@localhost) by regency.nsu.ru (8.12.6/8.12.6/Submit) id g9T8QHqZ045668 for ipfw@freebsd.org; Tue, 29 Oct 2002 14:26:17 +0600 (NOVT) Date: Tue, 29 Oct 2002 14:26:17 +0600 
From: Alexey Dokuchaev To: ipfw@freebsd.org Subject: Typo in uid/gid handling in ipfw2 Message-ID: <20021029082617.GA24516@regency.nsu.ru> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="cWoXeonUoKmBZSoM" Content-Disposition: inline User-Agent: Mutt/1.4i X-Envelope-To: ipfw@freebsd.org Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --cWoXeonUoKmBZSoM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hello! Currently, both -STABLE and -CURRENT IPFW2 user-level code is broken WRT uid/gid handling stuff. It looks more like a typo, but it is there. I've notified Luigi and supplied a fix (attached). I am not sure if it is worth mentioning in errata since IPFW2 is not enabled by default (and even hidden). It's probably worth considering for review and possible commit. Thank you. ./danfe --cWoXeonUoKmBZSoM Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ipfw2.diff" --- ipfw2.c.orig Tue Oct 29 10:19:15 2002 +++ ipfw2.c Tue Oct 29 10:33:55 2002 @@ -2937,7 +2937,7 @@ pwd = (*end == '\0') ? getpwuid(uid) : getpwnam(*av); if (pwd == NULL) errx(EX_DATAERR, "uid \"%s\" nonexistent", *av); - cmd32->d[0] = uid; + cmd32->d[0] = pwd->pw_uid; cmd->len = F_INSN_SIZE(ipfw_insn_u32); ac--; av++; } 
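Review bot: The fix in the uid hunk is correct, but the failure mode deserves a sentence in the commit message: with `cmd32->d[0] = uid;` the rule received whatever the numeric parse that set `end` had left in `uid`, and for a name argument (where `*end != '\0'` and `getpwnam(*av)` is taken) that is 0 from a strtoul()-style parse of a non-numeric string, so a rule written for `uid nobody` silently matched uid 0, root, instead; `pwd->pw_uid` is right on both branches because `getpwuid(uid)` can only return an entry whose `pw_uid` equals `uid`. One side effect to be aware of: the `pwd == NULL` check with `errx(EX_DATAERR, "uid \"%s\" nonexistent", *av)` also rejects a purely numeric uid that has no passwd entry; if rules for such uids are wanted, fall back to the parsed number when `*end == '\0'` and the lookup fails. The gid hunk has the same shape and the same consequence.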
@@ -2956,7 +2956,7 @@ if (grp == NULL) errx(EX_DATAERR, "gid \"%s\" nonexistent", *av); - cmd32->d[0] = gid; + cmd32->d[0] = grp->gr_gid; cmd->len = F_INSN_SIZE(ipfw_insn_u32); ac--; av++; } --cWoXeonUoKmBZSoM-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Oct 29 0:35:36 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B0E4137B401 for ; Tue, 29 Oct 2002 00:35:34 -0800 (PST) Received: from carp.icir.org (carp.icir.org [192.150.187.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id 63B6443E77 for ; Tue, 29 Oct 2002 00:35:34 -0800 (PST) (envelope-from rizzo@carp.icir.org) Received: from carp.icir.org (localhost [127.0.0.1]) by carp.icir.org (8.12.3/8.12.3) with ESMTP id g9T8ZRpJ007491; Tue, 29 Oct 2002 00:35:27 -0800 (PST) (envelope-from rizzo@carp.icir.org) Received: (from rizzo@localhost) by carp.icir.org (8.12.3/8.12.3/Submit) id g9T8ZRUj007490; Tue, 29 Oct 2002 00:35:27 -0800 (PST) (envelope-from rizzo) Date: Tue, 29 Oct 2002 00:35:27 -0800 
From: Luigi Rizzo To: Alexey Dokuchaev Cc: ipfw@FreeBSD.ORG Subject: Re: Typo in uid/gid handling in ipfw2 Message-ID: <20021029003527.A7265@carp.icir.org> References: <20021029082617.GA24516@regency.nsu.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20021029082617.GA24516@regency.nsu.ru>; from danfe@regency.nsu.ru on Tue, Oct 29, 2002 at 02:26:17PM +0600 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Tue, Oct 29, 2002 at 02:26:17PM +0600, Alexey Dokuchaev wrote: > Hello! > > Currently, both -STABLE and -CURRENT IPFW2 user-level code is broken WRT > uid/gid handling stuff. > > It looks more like a typo, but it is there. I've notified Luigi and > supplied a fix (attached). I am not sure if it is worth mentioning in > errata since IPFW2 is not enabled by default (and even hidden). > > It's probably worth considering for review and possible commit. definitely. if there are any takers... i believe you have tested the fix is working, right ? cheers luiig > Thank you. > > ./danfe > --- ipfw2.c.orig Tue Oct 29 10:19:15 2002 > +++ ipfw2.c Tue Oct 29 10:33:55 2002 > @@ -2937,7 +2937,7 @@ > pwd = (*end == '\0') ? getpwuid(uid) : getpwnam(*av); > if (pwd == NULL) > errx(EX_DATAERR, "uid \"%s\" nonexistent", *av); > - cmd32->d[0] = uid; > + cmd32->d[0] = pwd->pw_uid; > cmd->len = F_INSN_SIZE(ipfw_insn_u32); > ac--; av++; > } 
> @@ -2956,7 +2956,7 @@ > if (grp == NULL) > errx(EX_DATAERR, "gid \"%s\" nonexistent", *av); > > - cmd32->d[0] = gid; > + cmd32->d[0] = grp->gr_gid; > cmd->len = F_INSN_SIZE(ipfw_insn_u32); > ac--; av++; > } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Oct 29 1:22:36 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6451C37B401 for ; Tue, 29 Oct 2002 01:22:35 -0800 (PST) Received: from mail.nsu.ru (mx.nsu.ru [193.124.215.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id 88A6843E7B for ; Tue, 29 Oct 2002 01:22:34 -0800 (PST) (envelope-from danfe@regency.nsu.ru) Received: from drweb by mail.nsu.ru with drweb-scanned (Exim 3.20 #1) id 186SZj-0002Sb-00; Tue, 29 Oct 2002 15:22:15 +0600 Received: from regency.nsu.ru ([193.124.210.26]) by mail.nsu.ru with esmtp (Exim 3.20 #1) id 186SYv-00027t-00; Tue, 29 Oct 2002 15:21:31 +0600 Received: from regency.nsu.ru (localhost [127.0.0.1]) by regency.nsu.ru (8.12.6/8.12.6) with ESMTP id g9T9L0iv059388; Tue, 29 Oct 2002 15:21:05 +0600 (NOVT) (envelope-from danfe@regency.nsu.ru) Received: (from danfe@localhost) by regency.nsu.ru (8.12.6/8.12.6/Submit) id g9T9Kvuu059387; Tue, 29 Oct 2002 15:20:57 +0600 (NOVT) Date: Tue, 29 Oct 2002 15:20:56 +0600 
From: Alexey Dokuchaev
To: Luigi Rizzo
Cc: ipfw@FreeBSD.ORG
Subject: Re: Typo in uid/gid handling in ipfw2
Message-ID: <20021029092056.GA57685@regency.nsu.ru>
References: <20021029082617.GA24516@regency.nsu.ru> <20021029003527.A7265@carp.icir.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20021029003527.A7265@carp.icir.org>
User-Agent: Mutt/1.4i
X-Envelope-To: rizzo@icir.org, ipfw@FreeBSD.ORG
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, Oct 29, 2002 at 12:35:27AM -0800, Luigi Rizzo wrote:
> On Tue, Oct 29, 2002 at 02:26:17PM +0600, Alexey Dokuchaev wrote:
> > Hello!
> >
> > Currently, both -STABLE and -CURRENT IPFW2 user-level code is broken WRT
> > uid/gid handling stuff.
> >
> > It looks more like a typo, but it is there. I've notified Luigi and
> > supplied a fix (attached). I am not sure if it is worth mentioning in
> > errata since IPFW2 is not enabled by default (and even hidden).
> >
> > It's probably worth considering for review and possible commit.
>
> definitely. if there are any takers... i believe you have tested
> the fix is working, right ?

sure. even if i didn't want to test it, i could not leave our corporate
firewall broken. 8-) plus, the code in question now is the same as in old
ipfw.
./danfe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Oct 29 9:55:37 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3714937B401; Tue, 29 Oct 2002 09:55:36 -0800 (PST) Received: from carp.icir.org (carp.icir.org [192.150.187.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id D43DF43E75; Tue, 29 Oct 2002 09:55:35 -0800 (PST) (envelope-from rizzo@carp.icir.org) Received: from carp.icir.org (localhost [127.0.0.1]) by carp.icir.org (8.12.3/8.12.3) with ESMTP id g9THtTpJ013018; Tue, 29 Oct 2002 09:55:29 -0800 (PST) (envelope-from rizzo@carp.icir.org) Received: (from rizzo@localhost) by carp.icir.org (8.12.3/8.12.3/Submit) id g9THtLDl013017; Tue, 29 Oct 2002 09:55:21 -0800 (PST) (envelope-from rizzo) Date: Tue, 29 Oct 2002 09:55:21 -0800 
From: Luigi Rizzo To: Andriy Gapon Cc: FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG Subject: Re: kern/44417: ipfw layer2 rules are not checked for ether_output_frame() on bridged interface Message-ID: <20021029095521.A12933@carp.icir.org> References: <200210231810.g9NIA15C037636@freefall.freebsd.org> <20021028114346.T76307-100000@edge.foundation.invalid> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20021028114346.T76307-100000@edge.foundation.invalid>; from avg@icyb.net.ua on Mon, Oct 28, 2002 at 11:47:41AM -0500 Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG let me think about it, i am not 100% sure that it is the correct fix. Could you summarise the bug and the logic for the fix ? thanks luigi On Mon, Oct 28, 2002 at 11:47:41AM -0500, Andriy Gapon wrote: > > Here's a patch that I think fixes this problem, it works for me. > If anybody else could test this that would be great. > > --- if_ethersubr.c.orig Wed Oct 23 15:27:08 2002 > +++ if_ethersubr.c Wed Oct 23 15:28:06 2002 > @@ -388,9 +388,6 @@ > if (m->m_flags == PACKET_TAG_DUMMYNET) > rule = ((struct dn_pkt *)m)->rule; > > - if (rule) /* packet was already bridged */ > - goto no_bridge; > - > if (BDG_ACTIVE(ifp) ) { > struct ether_header *eh; /* a ptr suffices */ > > --- bridge.c.orig Wed Oct 23 15:28:16 2002 > +++ bridge.c Wed Oct 23 15:29:06 2002 
> @@ -857,11 +857,11 @@ > * Additional restrictions may apply e.g. non-IP, short packets, > * and pkts already gone through a pipe. > */ > - if (src != NULL && ( > + if ( > #ifdef PFIL_HOOKS > ((pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh)) != NULL && bdg_ipf !=0) || > #endif > - (IPFW_LOADED && bdg_ipfw != 0))) { > + (IPFW_LOADED && bdg_ipfw != 0)) { > > int i; > > > -- > Andriy Gapon > * > "Never try to outstubborn a cat." Lazarus Long, "Time Enough for Love" > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Tue Oct 29 12: 2:21 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CF88337B401; Tue, 29 Oct 2002 12:02:18 -0800 (PST) Received: from mta8.srv.hcvlny.cv.net (mta8.srv.hcvlny.cv.net [167.206.5.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 791D543E4A; Tue, 29 Oct 2002 12:02:12 -0800 (PST) (envelope-from avg@icyb.net.ua) Received: from edge.foundation.invalid (ool-182f90f3.dyn.optonline.net [24.47.144.243]) by mta8.srv.hcvlny.cv.net (iPlanet Messaging Server 5.2 HotFix 0.9 (built Jul 29 2002)) with ESMTP id <0H4R00GJ8EAZYZ@mta8.srv.hcvlny.cv.net>; Tue, 29 Oct 2002 15:01:51 -0500 (EST) Received: from localhost (localhost.foundation.invalid [127.0.0.1]) by edge.foundation.invalid (8.12.6/8.12.3) with ESMTP id g9TK1vpg006651; Tue, 29 Oct 2002 15:01:57 -0500 (EST envelope-from avg@icyb.net.ua) Date: Tue, 29 Oct 2002 15:01:57 -0500 (EST) 
From: Andriy Gapon
Subject: Re: kern/44417: ipfw layer2 rules are not checked for ether_output_frame() on bridged interface
In-reply-to: <20021029095521.A12933@carp.icir.org>
X-X-Sender: avg@edge.foundation.invalid
To: Luigi Rizzo
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Message-id: <20021029140617.R5584-100000@edge.foundation.invalid>
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Content-transfer-encoding: 7BIT
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, 29 Oct 2002, Luigi Rizzo wrote:

> let me think about it, i am not 100% sure that it is the correct fix.
> Could you summarise the bug and the logic for the fix ?

Luigi,

the URL for this PR is: http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/44417
A more detailed explanation of the problem and the proposed patch follows.

It appears that a packet going out through a bridged interface will never be
checked against ipfw rules in layer2 (this applies only to ipfw2 of course).
I will be speaking about 4.7-RELEASE code.

In ether_output_frame():

394         if (BDG_ACTIVE(ifp) ) {
395                 struct ether_header *eh; /* a ptr suffices */
396
397                 m->m_pkthdr.rcvif = NULL;
398                 eh = mtod(m, struct ether_header *);
399                 m_adj(m, ETHER_HDR_LEN);
400                 m = bdg_forward_ptr(m, eh, ifp);
401                 if (m != NULL)
402                         m_freem(m);
403                 return (0);
404         }

i.e. a packet is handed off to bdg_forward() at line 400 without any ipfw
checks, and its rcvif is set to NULL at line 397.

Then in bdg_forward():

853     /*
854      * Do filtering in a very similar way to what is done in ip_output.
855      * Only if firewall is loaded, enabled, and the packet is not
856      * from ether_output() (src==NULL, or we would filter it twice).
857      * Additional restrictions may apply e.g. non-IP, short packets,
858      * and pkts already gone through a pipe.
859      */
860     if (src != NULL && (
861 #ifdef PFIL_HOOKS
862         ((pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IP]].pr_pfh)) != NULL && bdg_ipf !=0) ||
863 #endif
864         (IPFW_LOADED && bdg_ipfw != 0))) {

The condition at line 860 makes sure that firewall rules are not checked here
either. That means that layer2-specific rules are never applied to the said
packet. The change to bridge.c was intended to fix that. I believe that it
shouldn't break anything else.

I've made the change to if_ethersubr.c because I didn't quite understand what
this code:

386     /* Extract info from dummynet tag, ignore others */
387     for (; m->m_type == MT_TAG; m = m->m_next)
388             if (m->m_flags == PACKET_TAG_DUMMYNET)
389                     rule = ((struct dn_pkt *)m)->rule;
390
391     if (rule)       /* packet was already bridged */
392             goto no_bridge;

was doing. The condition appears to check if a packet was passed through a
pipe or queue, but the action is to bypass bridge-specific code. My vision
was that the said packet should go again to bdg_forward(), where it will be
taken care of by:

868     if (args.rule != NULL) /* packet already partially processed */
869             goto forward; /* HACK! I should obey the fw_one_pass */

If the interface in question is not bridged, the patch should not make any
difference at all.

I have a system that has 3 interfaces, does bridging between two of them and
routing with the third one, and also limits traffic to/from a particular host
on one of the bridged LANs based on its MAC address. Everything seems to work
properly with this patch. I don't see any strange/unexpected behaviour. But I
understand that this fact alone is not a sufficient proof; I'm not sure right
now that I'm not doing an extra pass somewhere.

Hope this explains the problem and the idea for the patches.

Thanks a lot.

--
Andriy Gapon
*
"Never try to outstubborn a cat."
Lazarus Long, "Time Enough for Love" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Oct 30 9:38: 9 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A6F2337B404; Wed, 30 Oct 2002 09:38:07 -0800 (PST) Received: from mta6.srv.hcvlny.cv.net (mta6.srv.hcvlny.cv.net [167.206.5.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id E94ED43E6E; Wed, 30 Oct 2002 09:38:04 -0800 (PST) (envelope-from avg@icyb.net.ua) Received: from edge.foundation.invalid (ool-182f90f3.dyn.optonline.net [24.47.144.243]) by mta6.srv.hcvlny.cv.net (iPlanet Messaging Server 5.2 HotFix 0.9 (built Jul 29 2002)) with ESMTP id <0H4T00DO12A8BD@mta6.srv.hcvlny.cv.net>; Wed, 30 Oct 2002 12:37:23 -0500 (EST) Received: from localhost (localhost.foundation.invalid [127.0.0.1]) by edge.foundation.invalid (8.12.6/8.12.3) with ESMTP id g9UHbFTg008733; Wed, 30 Oct 2002 12:37:17 -0500 (EST envelope-from avg@icyb.net.ua) Date: Wed, 30 Oct 2002 12:37:15 -0500 (EST) 
From: Andriy Gapon Subject: Re: kern/44417: ipfw layer2 rules are not checked for ether_output_frame() on bridged interface In-reply-to: <20021029095521.A12933@carp.icir.org> X-X-Sender: avg@edge.foundation.invalid To: Luigi Rizzo Cc: FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG Message-id: <20021030123045.D8706-100000@edge.foundation.invalid> MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Luigi, you are right - my patch is incorrect, firewall rules are checked at the wrong place. This one should be better: 391,406d390 < if (rule) /* packet was already bridged */ < goto no_bridge; < < if (BDG_ACTIVE(ifp) ) { < struct ether_header *eh; /* a ptr suffices */ < < m->m_pkthdr.rcvif = NULL; < eh = mtod(m, struct ether_header *); < m_adj(m, ETHER_HDR_LEN); < m = bdg_forward_ptr(m, eh, ifp); < if (m != NULL) < m_freem(m); < return (0); < } < < no_bridge: 432a417,429 > } > > if (BDG_ACTIVE(ifp) ) { > splx(s); /* XXX */ > struct ether_header *eh; /* a ptr suffices */ > > m->m_pkthdr.rcvif = NULL; > eh = mtod(m, struct ether_header *); > m_adj(m, ETHER_HDR_LEN); > m = bdg_forward_ptr(m, eh, ifp); > if (m != NULL) > m_freem(m); > return (0); basically it moves check for bridging to after ipfw stuff. What do you think ? Thank you. 
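Review bot: In the `432a417,429` hunk, `splx(s); /* XXX */` is placed before the declaration `struct ether_header *eh;` inside the new `if (BDG_ACTIVE(ifp) )` block; a declaration after a statement is not valid C89 and the gcc used for the 4.x kernel rejects it, so the declaration has to be the first line of the block, with `splx(s)` after it.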
-- Andriy Gapon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Wed Oct 30 16:10:26 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C094F37B401; Wed, 30 Oct 2002 16:10:24 -0800 (PST) Received: from mta2.srv.hcvlny.cv.net (mta2.srv.hcvlny.cv.net [167.206.5.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4CEDC43E7B; Wed, 30 Oct 2002 16:10:22 -0800 (PST) (envelope-from avg@icyb.net.ua) Received: from edge.foundation.invalid (ool-182f90f3.dyn.optonline.net [24.47.144.243]) by mta2.srv.hcvlny.cv.net (iPlanet Messaging Server 5.2 HotFix 0.9 (built Jul 29 2002)) with ESMTP id <0H4T009GGKC93Q@mta2.srv.hcvlny.cv.net>; Wed, 30 Oct 2002 19:07:22 -0500 (EST) Received: from localhost (localhost.foundation.invalid [127.0.0.1]) by edge.foundation.invalid (8.12.6/8.12.3) with ESMTP id g9V07HTg030871; Wed, 30 Oct 2002 19:07:20 -0500 (EST envelope-from avg@icyb.net.ua) Date: Wed, 30 Oct 2002 19:07:17 -0500 (EST) 
From: Andriy Gapon Subject: Re: kern/44417: ipfw layer2 rules are not checked for ether_output_frame() on bridged interface In-reply-to: <20021029095521.A12933@carp.icir.org> X-X-Sender: avg@edge.foundation.invalid To: Luigi Rizzo Cc: FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG Message-id: <20021030185817.K30853-100000@edge.foundation.invalid> MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Content-transfer-encoding: 7BIT Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG sorry, sent that patch before even trying to compile it. of course it should be: 391,406d390 < if (rule) /* packet was already bridged */ < goto no_bridge; < < if (BDG_ACTIVE(ifp) ) { < struct ether_header *eh; /* a ptr suffices */ < < m->m_pkthdr.rcvif = NULL; < eh = mtod(m, struct ether_header *); < m_adj(m, ETHER_HDR_LEN); < m = bdg_forward_ptr(m, eh, ifp); < if (m != NULL) < m_freem(m); < return (0); < } < < no_bridge: 432a417,429 > } > > if (BDG_ACTIVE(ifp) ) { > struct ether_header *eh; /* a ptr suffices */ > > splx(s); /* XXX */ > m->m_pkthdr.rcvif = NULL; > eh = mtod(m, struct ether_header *); > m_adj(m, ETHER_HDR_LEN); > m = bdg_forward_ptr(m, eh, ifp); > if (m != NULL) > m_freem(m); > return (0); damn C++ :-) Btw, could you please educate me a little bit about this splXXX() stuff ? I've tried to understand it from man page, but failed... What purpose does it serve here ? Is this like some kind of locking ? Is it ok that there are return statements after ether_ipfw_chk() call in ether_output_frame() without splx(s) ? Thank you! -- Andriy Gapon * "The worst part of communication is the illusion that it has actually occurred". M. Jenkins. 
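Review bot: In the `432a417,429` hunk, `splx(s); /* XXX */` lowers the priority level before the frame is handed to `bdg_forward_ptr()`, but the raise that set `s` and the function's other exits are outside the hunk; before this is committed, check that every `return` between that raise and this block restores `s` exactly once, including the returns after the `ether_ipfw_chk()` call that the mail asks about, since an exit without `splx(s)` leaves the interrupts that the raise masked blocked (spl levels are the 4.x kernel's interrupt-priority masking, not locks in the mutex sense: an splimp()-style call raises the level and returns the old one, `splx(s)` restores it). If those earlier returns do skip `splx(s)`, that is a pre-existing leak and belongs in a separate fix rather than in this patch.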
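The bug described in the kern/44417 messages above is an ordering problem, so it can be shown with a small model. The block below is an added example, not code from the thread or from the FreeBSD kernel: it keeps the function names ether_output_frame(), bdg_forward() and ether_ipfw_chk(), but the frame and interface structs, the counters, the MAC addresses and the one-rule layer-2 firewall are all constructed for this example. ether_output_frame_orig() follows the 4.7-RELEASE order quoted in the mail (bridge first, rcvif cleared, bdg_forward() skipping the filter for a frame without a receive interface), ether_output_frame_fixed() the order of the corrected patch (ipfw check first, then bridging). Sending a frame from the denied MAC out of a bridged interface through both shows the rules never being consulted in the first and being consulted exactly once in the second, which is also why the `src != NULL` guard in bdg_forward() can stay as it is.

```c
/*
 * Constructed model of the packet path discussed in kern/44417.  Example
 * code, not FreeBSD kernel code: the function names are the kernel's, the
 * structs, counters, addresses and the one-rule firewall are made up here.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6

struct ifnet { bool bridged; };

struct frame {
	uint8_t src[ETHER_ADDR_LEN];
	struct ifnet *rcvif;	/* interface the frame came in on; NULL if local */
};

struct l2_rule { uint8_t deny_src[ETHER_ADDR_LEN]; };	/* deny this source MAC */

struct counters { int filter_runs, forwarded, dropped; };

enum verdict { V_PASS, V_DROP };

/* The layer-2 rule check; counts how often it is consulted. */
static enum verdict
ether_ipfw_chk(const struct frame *f, const struct l2_rule *r, struct counters *c)
{
	c->filter_runs++;
	return memcmp(f->src, r->deny_src, ETHER_ADDR_LEN) == 0 ? V_DROP : V_PASS;
}

/*
 * bdg_forward(): as in the 4.7 code quoted in the mail, the filter runs only
 * for frames with a receive interface (src != NULL there).  A frame handed
 * over by ether_output() is assumed to have been filtered by the caller, so
 * that it is not filtered twice.
 */
static void
bdg_forward(struct frame *f, const struct l2_rule *r, struct counters *c)
{
	if (f->rcvif != NULL && ether_ipfw_chk(f, r, c) == V_DROP) { c->dropped++; return; }
	c->forwarded++;
}

/* 4.7-RELEASE order: bridging is tried before the ipfw check. */
static void
ether_output_frame_orig(struct frame *f, struct ifnet *ifp,
    const struct l2_rule *r, struct counters *c)
{
	if (ifp->bridged) {
		f->rcvif = NULL;	/* line 397 in the mail */
		bdg_forward(f, r, c);	/* neither side runs the rules */
		return;
	}
	if (ether_ipfw_chk(f, r, c) == V_DROP) { c->dropped++; return; }
	c->forwarded++;
}

/* Order of the corrected patch: ipfw check first, then bridging. */
static void
ether_output_frame_fixed(struct frame *f, struct ifnet *ifp,
    const struct l2_rule *r, struct counters *c)
{
	if (ether_ipfw_chk(f, r, c) == V_DROP) { c->dropped++; return; }
	if (ifp->bridged) {
		f->rcvif = NULL;
		bdg_forward(f, r, c);	/* rcvif == NULL: not filtered a second time */
		return;
	}
	c->forwarded++;
}

/*
 * Send one locally generated frame out of an interface and return the
 * counters.  denied selects the source MAC that the rule denies.
 */
static struct counters
send_one(bool fixed_order, bool bridged, bool denied)
{
	/* Constructed addresses. */
	static const uint8_t bad[ETHER_ADDR_LEN]  = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
	static const uint8_t good[ETHER_ADDR_LEN] = { 0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee };
	struct ifnet ifp = { bridged };
	struct l2_rule rule;
	struct frame f;
	struct counters c = { 0, 0, 0 };

	memcpy(rule.deny_src, bad, ETHER_ADDR_LEN);
	memcpy(f.src, denied ? bad : good, ETHER_ADDR_LEN);
	f.rcvif = NULL;		/* locally generated: no receive interface */

	if (fixed_order)
		ether_output_frame_fixed(&f, &ifp, &rule, &c);
	else
		ether_output_frame_orig(&f, &ifp, &rule, &c);
	return c;
}

int
main(void)
{
	struct counters a = send_one(false, true, true);
	struct counters b = send_one(true, true, true);

	printf("4.7 order,   bridged, denied MAC: filter_runs=%d forwarded=%d dropped=%d\n",
	    a.filter_runs, a.forwarded, a.dropped);
	printf("fixed order, bridged, denied MAC: filter_runs=%d forwarded=%d dropped=%d\n",
	    b.filter_runs, b.forwarded, b.dropped);
	return 0;
}
```

main() prints the counters for the denied frame under both orderings; the model deliberately ignores dummynet tags and the `no_bridge` path, because the point here is only where the rules run relative to the bridge.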
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Fri Nov 1 16:46: 5 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D87F037B401 for ; Fri, 1 Nov 2002 16:46:04 -0800 (PST) Received: from aker.amduat.net (aker.amduat.net [206.124.149.187]) by mx1.FreeBSD.org (Postfix) with ESMTP id 65BAD43E97 for ; Fri, 1 Nov 2002 16:46:03 -0800 (PST) (envelope-from jbarrett@amduat.net) Received: from amduat.net (nat-bhm1.attachmate.com [63.115.16.66]) (authenticated bits=0) by aker.amduat.net (8.12.6/8.12.6) with ESMTP id gA20je3t009270 for ; Fri, 1 Nov 2002 16:45:41 -0800 (PST) (envelope-from jbarrett@amduat.net) Message-ID: <3DC32005.8090509@amduat.net> Date: Fri, 01 Nov 2002 16:44:53 -0800 
From: "Jacob S. Barrett"
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021016
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
Subject: SNMP for Dummynet Queue/Pipes
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.ORG

I know that there is an addon for net-snmp for ipfw, but is there one floating
around for dummynet pipes and queues? Just thought I'd ask before I went
through the trouble of writing one.

-Jake

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net

"I don't suffer from insanity, I enjoy every minute of it."

From owner-freebsd-ipfw Fri Nov 1 19: 7: 0 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 77A2D37B401 for ; Fri, 1 Nov 2002 19:06:59 -0800 (PST)
Received: from carp.icir.org (carp.icir.org [192.150.187.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C93843E42 for ; Fri, 1 Nov 2002 19:06:59 -0800 (PST) (envelope-from rizzo@carp.icir.org)
Received: from carp.icir.org (localhost [127.0.0.1]) by carp.icir.org (8.12.3/8.12.3) with ESMTP id gA236pdl000945; Fri, 1 Nov 2002 19:06:51 -0800 (PST) (envelope-from rizzo@carp.icir.org)
Received: (from rizzo@localhost) by carp.icir.org (8.12.3/8.12.3/Submit) id gA236pIK000944; Fri, 1 Nov 2002 19:06:51 -0800 (PST) (envelope-from rizzo)
Date: Fri, 1 Nov 2002 19:06:51 -0800
From: Luigi Rizzo
To: "Jacob S. Barrett"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: SNMP for Dummynet Queue/Pipes
Message-ID: <20021101190651.A932@carp.icir.org>
References: <3DC32005.8090509@amduat.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <3DC32005.8090509@amduat.net>; from jbarrett@amduat.net on Fri, Nov 01, 2002 at 04:44:53PM -0800
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, Nov 01, 2002 at 04:44:53PM -0800, Jacob S. Barrett wrote:
> I know that there is an addon for net-snmp for ipfw, but is there one
> floating around for dummynet pipes and queues? Just thought I'd ask
> before I went through the trouble of writing one.

there is none that i know of, although it is a frequently asked
question -- evidently everybody is waiting for someone else to write one.

cheers
luigi

> -Jake
>
> --
> Jacob S. Barrett
> jbarrett@amduat.net
> www.amduat.net
>
> "I don't suffer from insanity, I enjoy every minute of it."
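The "Typo in uid/gid handling in ipfw2" messages earlier on this page show the fix but not what the wrong line did in practice. The following is an added example, not ipfw2.c and not code from any of the posters: it reproduces the argument handling around the two hunks (the uid and gid hunks have the same shape, so one block serves both), with constructed stand-ins for getpwnam()/getpwuid() and a three-user table so that it runs offline and the same everywhere, keeps the removed assignment (BUGGY) and the added one (PATCHED) side by side, and adds a HARDENED variant that goes beyond the patch by rejecting an empty argument and accepting a numeric uid that has no passwd entry. The table, the fake_ helpers and the HARDENED variant are this example's assumptions; the parse-then-lookup shape and the "uid nonexistent" error path come from the hunk.

```c
/*
 * Constructed demonstration of the ipfw2 uid/gid typo.  Example code, not
 * ipfw2.c: the passwd lookups are stand-ins over a fixed table (ipfw2 itself
 * calls getpwnam()/getpwuid()), and HARDENED is this example's suggestion.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct fake_passwd { const char *pw_name; uint32_t pw_uid; };

/* Constructed stand-in for the passwd database. */
static const struct fake_passwd fake_db[] = {
	{ "root",   0 },
	{ "daemon", 1 },
	{ "nobody", 65534 },
};
#define FAKE_DB_LEN (sizeof fake_db / sizeof fake_db[0])

static const struct fake_passwd *
fake_getpwnam(const char *name)
{
	for (size_t i = 0; i < FAKE_DB_LEN; i++)
		if (strcmp(fake_db[i].pw_name, name) == 0)
			return &fake_db[i];
	return NULL;
}

static const struct fake_passwd *
fake_getpwuid(uint32_t uid)
{
	for (size_t i = 0; i < FAKE_DB_LEN; i++)
		if (fake_db[i].pw_uid == uid)
			return &fake_db[i];
	return NULL;
}

enum variant {
	BUGGY,		/* cmd32->d[0] = uid;          (the line the patch removes) */
	PATCHED,	/* cmd32->d[0] = pwd->pw_uid;  (the line the patch adds)    */
	HARDENED	/* this example's extension, not part of the patch          */
};

/*
 * Mirror of the ipfw2 argument handling around the hunk: a number is taken
 * as a uid, anything else is looked up as a user name.  Stores the value the
 * rule would carry and returns 0, or returns -1 where ipfw2 would call
 * errx(EX_DATAERR, "uid \"%s\" nonexistent", *av).
 */
static int
fill_uid(const char *av, uint32_t *d0, enum variant v)
{
	char *end;
	unsigned long uid;
	const struct fake_passwd *pwd;

	uid = strtoul(av, &end, 0);
	if (v == HARDENED) {
		if (end != av && *end == '\0') {	/* digits only: take the number as is */
			if (uid > UINT32_MAX)		/* d[0] is a u32 in the rule */
				return -1;
			*d0 = (uint32_t)uid;
			return 0;
		}
		pwd = fake_getpwnam(av);		/* "" lands here and is rejected */
	} else {
		/* The original test: "" has *end == '\0' and so becomes uid 0. */
		pwd = (*end == '\0') ? fake_getpwuid((uint32_t)uid) : fake_getpwnam(av);
	}
	if (pwd == NULL)
		return -1;
	/* BUGGY stores strtoul()'s result, which is 0 for any user name. */
	*d0 = (v == BUGGY) ? (uint32_t)uid : pwd->pw_uid;
	return 0;
}

/* The uid the rule would carry for this argument, or -1 if it is rejected. */
static long long
rule_uid(const char *av, enum variant v)
{
	uint32_t d0;

	return fill_uid(av, &d0, v) == 0 ? (long long)d0 : -1;
}

int
main(void)
{
	const char *args[] = { "nobody", "daemon", "65534", "65535", "" };
	const char *names[] = { "BUGGY", "PATCHED", "HARDENED" };

	for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
		for (enum variant v = BUGGY; v <= HARDENED; v++)
			printf("uid \"%s\" %-8s -> %lld\n", args[i], names[v], rule_uid(args[i], v));
	return 0;
}
```

The table makes the consequence visible: under BUGGY, `uid nobody` and `uid daemon` both store 0, so a rule meant for an unprivileged user matches root's sockets and nobody's traffic is left untouched; under PATCHED both resolve correctly. The empty-argument row shows a case both the old and the patched code accept as uid 0, which only the HARDENED variant refuses.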