From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 11 15:01:47 2014
Date: Thu, 11 Sep 2014 08:01:46 -0700
From: Freddie Cash
To: freebsd-ipfw@freebsd.org
Subject: IPFW rule sets and automatic rule numbering
Good morning everyone,

Just wondering if I'm doing things wrong, or if those two features (rule sets and auto-incrementing rule numbers) just don't play well together.

Until now, I've used the auto-incrementing feature to minimize the amount of work I need to do when changing/updating/adding rules in the middle of my scripts. This has been working great, and is controlled via the net.inet.ip.fw.autoinc_step sysctl.

Recently I was playing with the rule sets feature and using "ipfw set swap" to speed up my firewall rules reloading times. Previously, I'd clear the rules, then load the new rules, but that could leave up to 30 seconds of downtime. With the use of sets, that's under 1 sec.

Everything works well on the first run. Everything is loaded correctly into set 1, then swapped into set 0 and made live. All rules are numbered correctly.

On the second run, all the rules are loaded into set 1 using rule numbers 65524-65534, and then swapped into set 0.

On the third (and all subsequent runs), all rules are loaded into set 1 with rule number 65534, and then swapping into set 1.

It seems the rule numbers are global across all sets? Meaning, the "last used automatic number" is global across all sets?

I was expecting the rule numbers to be unique per set. I do the following to clear out rule set 1 before adding rules:

ipfw -f set 1 flush
ipfw set disable 1

Then load all my rules into set 1 using the following syntax:

ipfw add set 1 allow tcp from 1.2.3.4 to 2.3.4.4 in recv igb0
....
....
....

Then swap the rules at the end using:

ipfw set swap 1 0

Is there anything I could be doing differently to get the numbering to work the way I expect it to? Or am I going to have to manually number every rule in my scripts?
--
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 11 15:02:57 2014
Date: Thu, 11 Sep 2014 08:02:56 -0700
From: Freddie Cash
To: freebsd-ipfw@freebsd.org
Subject: Re: IPFW rule sets and automatic rule numbering
Forgot to mention, this is 64-bit FreeBSD 10.0-RELEASE-p7, using Intel i350-T4 (igb) NICs.

--
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 13 15:59:29 2014
Date: Sat, 13 Sep 2014 23:59:16 +0800
From: bycn82
To: freebsd-ipfw@freebsd.org
Subject: Re: IPFW rule sets and automatic rule numbering

On 9/11/14 23:02, Freddie Cash wrote:
> Forgot to mention, this is 64-bit FreeBSD 10.0-RELEASE-p7, using Intel
> i350-T4 (igb) NICs.

Why not explain the situation by providing a set of rules which can replicate the problem you mentioned instead of your long long email?

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 13 18:37:12 2014
Date: Sat, 13 Sep 2014 22:36:39 +0400
From: Alexander V. Chernikov
To: Freddie Cash, freebsd-ipfw@freebsd.org
Subject: Re: IPFW rule sets and automatic rule numbering

On 11.09.2014 19:01, Freddie Cash wrote:
> Good morning everyone,
>
> Just wondering if I'm doing things wrong, or if those two features (rule sets and auto-incrementing rule numbers) just don't play well together.
>
> Until now, I've used the auto-incrementing feature to minimize the amount of work I need to do when changing/updating/adding rules in the middle of my scripts. This has been working great, and is controlled via the net.inet.ip.fw.autoinc_step sysctl.
>
> Recently I was playing with the rule sets feature and using "ipfw set swap" to speed up my firewall rules reloading times. Previously, I'd clear the rules, then load the new rules, but that could leave up to 30 seconds of downtime. With the use of sets, that's under 1 sec.
>
> Everything works well on the first run. Everything is loaded correctly into set 1, then swapped into set 0 and made live. All rules are numbered correctly.
>
> On the second run, all the rules are loaded into set 1 using rule numbers 65524-65534, and then swapped into set 0.
>
> On the third (and all subsequent runs), all rules are loaded into set 1 with rule number 65534, and then swapping into set 1.
>
> It seems the rule numbers are global across all sets? Meaning, the "last used automatic number" is global across all sets?
>
> I was expecting the rule numbers to be unique per set. I do the following to clear out rule set 1 before adding rules:
>
> ipfw -f set 1 flush
> ipfw set disable 1
>
> Then load all my rules into set 1 using the following syntax:
>
> ipfw add set 1 allow tcp from 1.2.3.4 to 2.3.4.4 in recv igb0
> ....
> ....
> ....
>
> Then swap the rules at the end using:
>
> ipfw set swap 1 0
>
> Is there anything I could be doing differently to get the numbering to work the way I expect it to? Or am I going to have to manually number every rule in my scripts?

No, currently rule auto-numbering ignores sets. So currently you have to number rules manually to achieve predictable behavior.

I think we can consider implementing a sysctl which permits per-set auto-numbering.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 13 19:52:00 2014
Date: Sat, 13 Sep 2014 12:51:59 -0700
From: Freddie Cash
To: bycn82
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW rule sets and automatic rule numbering

You can replicate it using 3 rules, loaded into two sets:

ipfw set disable 1
ipfw add allow ip from any to any
ipfw add 65524 allow ip from any to any
ipfw add allow ip from any to any
ipfw set swap 1 0

Run that two or 3 times. Every rule will be numbered 65534 after the 2nd or 3rd run. I expected it to be numbered 10, 65524, 65534 after every run.

However, after reading the man page a few more times and thinking about it a little more, it makes sense that the numbering is global across all sets, as you can have multiple sets enabled simultaneously. It just doesn't mesh with my desire to use auto numbering.

I'm in the midst of manually numbering all my rules now. :)
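Alexander's answer is to number the rules by hand, and Freddie's reproduction shows what the kernel's global auto-numbering does otherwise. As an added example that is not part of the thread, the POSIX sh script below generates the numbered "ipfw add" commands for the staged set from a rule list, keeping explicit numbers such as the 65524 catch-all and refusing to emit the swap when a number would not exceed the previous rule or would reach the 65535 default rule. The rule-list format is constructed, and the step of 10 and staging into set 1 are assumptions taken from the values in the thread; nothing is executed, the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the thread. Numbers a rule list before it is
# loaded into the staging set, so every run yields the same numbers no
# matter what is live in the other set. Assumed (constructed) input: one
# rule body per line; a leading number is an explicit rule number and
# becomes the base for the auto-numbered lines after it. Commands are
# only printed, never executed.
STEP=10             # assumed value of net.inet.ip.fw.autoinc_step
STAGE_SET=1         # staging set, made live with "ipfw set swap 1 0"
DEFAULT_RULE=65535  # ipfw's fixed default rule; user rules stay below it

# Read rule bodies on stdin, print one "ipfw add NUM set N body" per rule.
# Fails instead of clamping when a number would reach the default rule or
# not exceed the previous one (the kernel's silent clamp is the 65534
# pile-up the thread observed).
number_rules() {
    last=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks/comments
        num=${line%% *}
        case "$num" in
            ''|*[!0-9]*) num=$((last + STEP)); body=$line ;;  # auto-numbered
            *)           body=${line#* } ;;                   # explicit number
        esac
        if [ "$num" -le "$last" ] || [ "$num" -ge "$DEFAULT_RULE" ]; then
            echo "error: '$line' would get rule number $num after $last" >&2
            return 1
        fi
        printf 'ipfw add %s set %s %s\n' "$num" "$STAGE_SET" "$body"
        last=$num
    done
}

# The reload sequence from the thread with the staged rules numbered.
# If numbering fails nothing is printed, so nothing gets swapped live.
stage_and_swap() {
    cmds=$(number_rules) || return 1
    printf 'ipfw -f set %s flush\nipfw set disable %s\n' "$STAGE_SET" "$STAGE_SET"
    printf '%s\nipfw set swap %s 0\n' "$cmds" "$STAGE_SET"
}

# Constructed rule list mirroring the reproduction posted in the thread.
RULES='allow tcp from 1.2.3.4 to 2.3.4.4 in recv igb0
allow ip from any to any
65524 allow ip from any to any
allow ip from any to any'

printf '%s\n' "$RULES" | stage_and_swap
```

Because the numbers come from the file rather than from whatever rule is currently last in the live set, the second and third runs produce the same 10, 20, 65524, 65534 sequence as the first.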