From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 29 08:27:30 2004
From: Maxim Konovalov
Date: Sun, 29 Aug 2004 08:27:30 GMT
Message-Id: <200408290827.i7T8RUPM057794@freefall.freebsd.org>
To: daniel+bsd@pelleg.org, maxim@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/46080: [PATCH] logamount in ipfw2 does not default to net.inet.ip.fw.verbose_limit
List-Id: IPFW Technical Discussions

Synopsis: [PATCH] logamount in ipfw2 does not default to net.inet.ip.fw.verbose_limit

State-Changed-From-To: open->patched
State-Changed-By: maxim
State-Changed-When: Sun Aug 29 08:27:04 GMT 2004
State-Changed-Why:
Fixed in -CURRENT, thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=46080


From owner-freebsd-ipfw@FreeBSD.ORG Sun Aug 29 08:27:54 2004
From: Maxim Konovalov
Date: Sun, 29 Aug 2004 08:27:54 GMT
Message-Id: <200408290827.i7T8RsrH057842@freefall.freebsd.org>
To: maxim@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: kern/46080: [PATCH] logamount in ipfw2 does not default to net.inet.ip.fw.verbose_limit

Synopsis: [PATCH] logamount in ipfw2 does not default to net.inet.ip.fw.verbose_limit

Responsible-Changed-From-To: ipfw->maxim
Responsible-Changed-By: maxim
Responsible-Changed-When: Sun Aug 29 08:27:36 GMT 2004
Responsible-Changed-Why:
MFC reminder.

http://www.freebsd.org/cgi/query-pr.cgi?pr=46080


From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 30 04:38:39 2004
From: James
Date: Mon, 30 Aug 2004 00:38:33 -0400
To: "Simon L. Nielsen"
Cc: FreeBSD - ipfw
Message-ID: <20040830043833.GA41637@scylla.towardex.com>
In-Reply-To: <20040824205513.GJ760@zaphod.nitro.dk>
References: <412B6A23.1000708@makeworld.com> <20040824205513.GJ760@zaphod.nitro.dk>
User-Agent: Mutt/1.4.1i
Subject: Re: Denying multiple IP's

On Tue, Aug 24, 2004 at 10:55:13PM +0200, Simon L. Nielsen wrote:
> On 2004.08.24 11:17:39 -0500, Chris wrote:
> > I'm working with a friend of mine w/ipfw. Below are IPs that are trying
> > to hack in via ssh. I suggested to use something in the form of:
> >
> > # Allow in SFTP, SSH, and SCP from public Internet
> > ${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup
> > limit src-addr 4
> >
> > But he mentions that he needs access to his box from potential client
> > sites where the IP is unknown.
> >
> > There has to be a better way to block the below - suggestions?
>
> If you use FreeBSD -CURRENT or -STABLE (newer than 4.10 and 5.2) you
> could use the new table feature. Otherwise if you use ipfw2 you could
> use "or-blocks" e.g.
>
> ipfw deny ip from { 1.2.4.5 or 1.2.4.7 or 1.2.5.7 } to any

Good call, but unfortunately, this is not very good in performance either.

If you use the latest kernel, your ipfw2 should have the lookup tables patch,
which uses radix lookup. A { blah or bleh or x or y or z } list is a linear
lookup, causing the system to look up twice in linear fashion to come to a
match. It is not exactly any better in terms of performance efficiency than
adding hundreds of straight ipfw rules, each with an IP address specification.

Try this if you have the tables feature:

ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32

ipfw add 300 deny ip from table(1) to any

No matter how many elements you have in table 1, due to the radix/Patricia
trie lookup, as with the kernel routing table, the time spent looking through
firewall elements is O(32) constant.

To demonstrate the efficiency:

Test #1: Start with 1 ipfw rule (the last rule 65535 being allow all) that
denies one IP address on the DUT. Flood the remote tester device that is not
denied by the ipfw rule. Start the test, and increment the ipfw rules from 1
to 10. Result:

 1 rule:  140kpps
 2 rules: 140kpps
 3 rules: 138kpps
 4 rules: 137kpps
 5 rules: 135kpps
 6 rules: 135kpps
 7 rules: 132kpps
 8 rules: 133kpps
 9 rules: 131kpps
10 rules: 129kpps

Test #2: Perform the exact same test above, however use a lookup table to
store the elements from 1 to 10:

 1 element in table:  140kpps
 2 elements in table: 140kpps
 3 elements in table: 140kpps
 4 elements in table: 141kpps
 5 elements in table: 140kpps
 6 elements in table: 139kpps
 7 elements in table: 140kpps
 8 elements in table: 142kpps
 9 elements in table: 140kpps
10 elements in table: 140kpps

>
> or something like that.
>
> In any case there is probably no need to have separate tcp/udp rules,
> you could just use "ip" and block all traffic from the IPs.
>
> > #
> > # IPs that seem to want to get in REALLY bad... deny all tcp/udp from IPs.
> > #
> >
> > ${fwcmd} add 300 deny tcp from 24.79.68.179 to any
> > ${fwcmd} add 301 deny udp from 24.79.68.179 to any
> > ${fwcmd} add 302 deny tcp from 64.246.20.123 to any
> > ${fwcmd} add 303 deny udp from 64.246.20.123 to any
> > ${fwcmd} add 304 deny tcp from 81.223.99.90 to any
> > ${fwcmd} add 305 deny udp from 81.223.99.90 to any
> > ${fwcmd} add 306 deny tcp from 140.112.124.123 to any
> > ${fwcmd} add 307 deny udp from 140.112.124.123 to any
> > ${fwcmd} add 308 deny tcp from 193.145.87.3 to any
> > ${fwcmd} add 309 deny udp from 193.145.87.3 to any
> > ${fwcmd} add 310 deny tcp from 203.186.157.37 to any
> > ${fwcmd} add 311 deny udp from 203.186.157.37 to any
> > ${fwcmd} add 312 deny tcp from 210.204.129.11 to any
> > ${fwcmd} add 313 deny udp from 210.204.129.11 to any
> > ${fwcmd} add 314 deny tcp from 211.60.219.250 to any
> > ${fwcmd} add 315 deny udp from 211.60.219.250 to any
> > ${fwcmd} add 316 deny tcp from 211.252.9.126 to any
> > ${fwcmd} add 317 deny udp from 211.252.9.126 to any
> > ${fwcmd} add 318 deny tcp from 218.21.129.105 to any
> > ${fwcmd} add 319 deny udp from 218.21.129.105 to any
> > ${fwcmd} add 320 deny tcp from 218.49.183.17 to any
> > ${fwcmd} add 321 deny udp from 218.49.183.17 to any
> > ${fwcmd} add 322 deny tcp from 218.102.19.78 to any
> > ${fwcmd} add 323 deny udp from 218.102.19.78 to any
> > ${fwcmd} add 324 deny tcp from 218.237.66.152 to any
> > ${fwcmd} add 325 deny udp from 218.237.66.152 to any
> > ${fwcmd} add 326 deny tcp from 221.3.131.80 to any
> > ${fwcmd} add 327 deny udp from 221.3.131.80 to any
> >
> > # Everything else is denied by default
>
> --
> Simon L. Nielsen
> FreeBSD Documentation Team

--
James Jun                                            TowardEX Technologies, Inc.
Technical Lead                        Network Design, Consulting, IT Outsourcing
james@towardex.com                  Boston-based Colocation & Bandwidth Services
cell: 1(978)-394-2867           web: http://www.towardex.com , noc: www.twdx.net


From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 30 11:02:27 2004
From: FreeBSD bugmaster
Date: Mon, 30 Aug 2004 11:02:26 GMT
To: ipfw@FreeBSD.org
Message-Id: <200408301102.i7UB2Qlc034319@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f  [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o  [2003/12/11] i386/60154  ipfw   ipfw core (crash)
o  [2004/03/03] kern/63724  ipfw   IPFW2 Queues don't work

4 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o  [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o  [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o  [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o  [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o  [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o  [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp

7 problems total.
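The table-based approach James recommends above (one lookup table, one deny rule) together with Simon's point that a single "ip" rule replaces each tcp/udp pair, as an added example that is not part of the thread: a POSIX sh script that reads the per-address "deny tcp/udp from X to any" rules quoted by Chris, collapses them to one distinct source address each, validates every address, and prints the equivalent "ipfw table" commands plus the single "deny ip from table(N)" rule. The sample input is constructed from the first addresses in Chris's list plus one deliberately malformed address; the table number (1) and rule number (300) are assumptions, and the script only prints commands, so it runs anywhere and can be reviewed before being piped into sh on a FreeBSD box whose ipfw has tables.

```shell
#!/bin/sh
# Added example (not code from the thread): convert per-address
# "deny tcp/udp from X to any" rules into one ipfw(8) lookup table plus a
# single "deny ip from table(N) to any" rule. Commands are printed, never
# executed, so the result can be inspected first.

# Constructed sample input: the first tcp/udp pairs quoted in the thread,
# plus one line with an impossible address to show it being rejected.
OLD_RULES='
${fwcmd} add 300 deny tcp from 24.79.68.179 to any
${fwcmd} add 301 deny udp from 24.79.68.179 to any
${fwcmd} add 302 deny tcp from 64.246.20.123 to any
${fwcmd} add 303 deny udp from 64.246.20.123 to any
${fwcmd} add 304 deny tcp from 81.223.99.90 to any
${fwcmd} add 305 deny udp from 81.223.99.90 to any
${fwcmd} add 306 deny tcp from 999.1.1.1 to any
'

# extract_sources: read rules on stdin, print each distinct source
# address (or prefix) of a "deny <tcp|udp|ip|all> from <addr> to any"
# rule once, in first-seen order. The tcp/udp duplicates collapse here.
extract_sources() {
    awk '
        $0 ~ /deny[ \t]+(tcp|udp|ip|all)[ \t]+from[ \t]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?[ \t]+to[ \t]+any/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { src = $(i + 1); break }
            if (!(src in seen)) { seen[src] = 1; print src }
        }'
}

# valid_v4 ADDR[/LEN]: succeed only for a dotted quad whose four octets
# are 0-255 and whose optional prefix length is 0-32.
valid_v4() {
    addr=${1%/*}
    case $1 in
        */*) plen=${1#*/} ;;
        *)   plen=32 ;;
    esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# table_rules [TABLE] [RULE]: read old rules on stdin, emit the
# replacement commands. Malformed sources are reported on stderr and
# skipped rather than silently turned into a bad table entry.
table_rules() {
    tbl=${1:-1}; rule=${2:-300}
    extract_sources | while read -r src; do
        if valid_v4 "$src"; then
            case $src in
                */*) printf 'ipfw table %s add %s\n' "$tbl" "$src" ;;
                *)   printf 'ipfw table %s add %s/32\n' "$tbl" "$src" ;;
            esac
        else
            printf '# skipped malformed source: %s\n' "$src" >&2
        fi
    done
    printf 'ipfw add %s deny ip from table(%s) to any\n' "$rule" "$tbl"
}

# Run on the constructed input.
printf '%s\n' "$OLD_RULES" | table_rules 1 300
```

Feed it the real rule file instead of the constructed input (for example `grep deny /etc/ipfw.rules | table_rules 1 300`) and read the output before running it. The generated deny rule carries none of the qualifiers the old rules had (protocol, "via"), so it must sit where the old rules stood in the ordering, and the table should be emptied with `ipfw table 1 flush` before a reload so removed addresses do not linger.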
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 30 13:51:54 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1AA3516A4CE; Mon, 30 Aug 2004 13:51:53 +0000 (GMT) Received: from sage-american.com (adsl-65-71-135-139.dsl.crchtx.swbell.net [65.71.135.139]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2548443D2F; Mon, 30 Aug 2004 13:51:53 +0000 (GMT) (envelope-from jackstone@sage-one.net) Received: from sagea (sagea.sage-american [10.0.0.3]) by sage-american.com (8.12.11/8.12.11) with SMTP id i7UDppcM085561; Mon, 30 Aug 2004 08:51:51 -0500 (CDT) (envelope-from jackstone@sage-one.net) Message-Id: <3.0.5.32.20040830085150.01f1d220@10.0.0.10> X-Sender: jackstone@10.0.0.10 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Mon, 30 Aug 2004 08:51:50 -0500 To: James , "Simon L. Nielsen" 
From: "Jack L. Stone" In-Reply-To: <20040830043833.GA41637@scylla.towardex.com> References: <20040824205513.GJ760@zaphod.nitro.dk> <412B6A23.1000708@makeworld.com> <20040824205513.GJ760@zaphod.nitro.dk> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.5.6 (sage-american.com [10.0.0.15]); Mon, 30 Aug 2004 08:51:51 -0500 (CDT) X-Spam-Status: No, hits=-5.0 required=4.5 tests=AWL,BAYES_00,RATWR20_MESSID autolearn=no version=2.64-sageame.rules_v4.1 X-Spam-Checker-Version: SpamAssassin 2.64-sageame.rules_v4.1 (2004-01-11) on sage-american.com cc: FreeBSD - ipfw Subject: Re: Denying multiple IP's X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 30 Aug 2004 13:51:54 -0000 At 12:38 AM 8.30.2004 -0400, James wrote: >On Tue, Aug 24, 2004 at 10:55:13PM +0200, Simon L. Nielsen wrote: >> On 2004.08.24 11:17:39 -0500, Chris wrote: >> > I'm working with a friend of mine w/ipfw. Below are IP's that are trying >> > to hack in via ssh. I suggested to use something in the form of: >> > >> > # Allow in SFTP, SSH, and SCP from public Internet >> > ${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup >> > limit src-addr 4 >> > >> > But he mentions that he needs access to his box from potential client >> > sites where the IP is unknown. >> > >> > There has to be a better way to block the below - suggestions? >> >> If you use FreeBSD -CURRENT or -STABLE (newer than 4.10 and 5.2) you >> could use the new table feature. Otherwise if you use ipfw2 you could >> use "or-blocks" e.g. >> >> ipfw deny ip from { 1.2.4.5 or 1.2.4.7 or 1.2.5.7 } to any > >Good call, but unfortunately, this is not very good in performance either.. > >If you use latest kernel, your ipfw2 should have the lookup tables patch which >uses radix lookup. 
{ blah or bleh or x or y or z } list is a linear lookup, >causing the system to lookup twice in linear fassion to come to a match. It is >not exactly any better in terms of performance efficiency than adding hundreds >of straight ipfw rules each with a ip address specification. > >Try this if you have tables feature: > >ipfw table 1 add x.x.x.x/32 >ipfw table 1 add x.x.x.x/32 >ipfw table 1 add x.x.x.x/32 >ipfw table 1 add x.x.x.x/32 >ipfw table 1 add x.x.x.x/32 >ipfw table 1 add x.x.x.x/32 >ipfw table 1 add x.x.x.x/32 >ipfw table 1 add x.x.x.x/32 >ipfw table 1 add x.x.x.x/32 >ipfw table 1 add x.x.x.x/32 >ipfw table 1 add x.x.x.x/32 > >ipfw add 300 deny ip from table(1) to any > >No matter how many elements you got in table 1, due to radix/patricia trie >lookup as with kernel routing table, the time spent in looking thru firewall >elements is O(32) constant. > >To demonstrate the efficiency: > >Test #1: Start with 1 ipfw rule (the last rule 65535 being allow all) that >denies one ip address on the DUT. Flood the remote tester device that is not >denied by the ipfw rule. Start the test, and increment the ipfw rules from 1 >to 10. Result: > >1 rule: 140kpps >2 rule: 140kpps >3 rule: 138kpps >4 rule: 137kpps >5 rule: 135kpps >6 rule: 135kpps >7 rule: 132kpps >8 rule: 133kpps >9 rule: 131kpps >10 rule: 129kpps > >Test #2: Perform the exact same test above, however use a lookup table to store >the elements from 1 to 10: > >1 element in table: 140kpps >2 element in table: 140kpps >3 element in table: 140kpps >4 element in table: 141kpps >5 element in table: 140kpps >6 element in table: 139kpps >7 element in table: 140kpps >8 element in table: 142kpps >9 element in table: 140kpps >10 element in table: 140kpps > > >> >> or something like that. >> >> In any case there is probably no need to have sperate tcp/udp rules, >> you could just use "ip" and block all traffic from the IP's. >> >> > # >> > # IPs that seem to want to get in REALLY bad... deny all tcp/udp from IPs. 
>> > # >> > >> > ${fwcmd} add 300 deny tcp from 24.79.68.179 to any >> > ${fwcmd} add 301 deny udp from 24.79.68.179 to any >> > ${fwcmd} add 302 deny tcp from 64.246.20.123 to any >> > ${fwcmd} add 303 deny udp from 64.246.20.123 to any >> > ${fwcmd} add 304 deny tcp from 81.223.99.90 to any >> > ${fwcmd} add 305 deny udp from 81.223.99.90 to any >> > ${fwcmd} add 306 deny tcp from 140.112.124.123 to any >> > ${fwcmd} add 307 deny udp from 140.112.124.123 to any >> > ${fwcmd} add 308 deny tcp from 193.145.87.3 to any >> > ${fwcmd} add 309 deny udp from 193.145.87.3 to any >> > ${fwcmd} add 310 deny tcp from 203.186.157.37 to any >> > ${fwcmd} add 311 deny udp from 203.186.157.37 to any >> > ${fwcmd} add 312 deny tcp from 210.204.129.11 to any >> > ${fwcmd} add 313 deny udp from 210.204.129.11 to any >> > ${fwcmd} add 314 deny tcp from 211.60.219.250 to any >> > ${fwcmd} add 315 deny udp from 211.60.219.250 to any >> > ${fwcmd} add 316 deny tcp from 211.252.9.126 to any >> > ${fwcmd} add 317 deny udp from 211.252.9.126 to any >> > ${fwcmd} add 318 deny tcp from 218.21.129.105 to any >> > ${fwcmd} add 319 deny udp from 218.21.129.105 to any >> > ${fwcmd} add 320 deny tcp from 218.49.183.17 to any >> > ${fwcmd} add 321 deny udp from 218.49.183.17 to any >> > ${fwcmd} add 322 deny tcp from 218.102.19.78 to any >> > ${fwcmd} add 323 deny udp from 218.102.19.78 to any >> > ${fwcmd} add 324 deny tcp from 218.237.66.152 to any >> > ${fwcmd} add 325 deny udp from 218.237.66.152 to any >> > ${fwcmd} add 326 deny tcp from 221.3.131.80 to any >> > ${fwcmd} add 327 deny udp from 221.3.131.80 to any >> > >> > # Everything else is denied by default >> >> -- >> Simon L. Nielsen >> FreeBSD Documentation Team > Running FBSD-4.10-p2/ipfw2 I don't know if I do it best way, but this method certainly works well for me. I place it early at the top before NAT so that effort is not needed either. Plus, it denies *all* packets of any kind. 
Plus2, I let ipfw assign the rule numbers: #${fwcmd} add deny all from 168.226.97.0/24 to any via ${oif} #${fwcmd} add deny all from 83.114.157.0/24 to any via ${oif} #${fwcmd} add deny all from 69.88.27.0/24 to any via ${oif} #${fwcmd} add deny all from 68.79.28.0/24 to any via ${oif} I haven't tried the tables and haven't investigated that yet Best regards, Jack L. Stone, Administrator SageOne Net http://www.sage-one.net jackstone@sage-one.net From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 31 00:35:03 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 35B1B16A4CE; Tue, 31 Aug 2004 00:35:03 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15FC543D1F; Tue, 31 Aug 2004 00:35:03 +0000 (GMT) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) i7V0Z2GM047044; Tue, 31 Aug 2004 00:35:02 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7V0Z2EJ047040; Tue, 31 Aug 2004 00:35:02 GMT (envelope-from linimon) Date: Tue, 31 Aug 2004 00:35:02 GMT 
From: Mark Linimon Message-Id: <200408310035.i7V0Z2EJ047040@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/64694: [ipfw] UID/GID matching in ipfw non-functional X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Aug 2004 00:35:03 -0000 Synopsis: [ipfw] UID/GID matching in ipfw non-functional Responsible-Changed-From-To: freebsd-bugs->ipfw Responsible-Changed-By: linimon Responsible-Changed-When: Tue Aug 31 00:34:31 GMT 2004 Responsible-Changed-Why: Over to ipfw mailing list to track progress. http://www.freebsd.org/cgi/query-pr.cgi?pr=64694 From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 31 00:35:44 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7015B16A4CF; Tue, 31 Aug 2004 00:35:44 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 524CC43D1D; Tue, 31 Aug 2004 00:35:44 +0000 (GMT) (envelope-from linimon@FreeBSD.org) Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) i7V0Zihf047091; Tue, 31 Aug 2004 00:35:44 GMT (envelope-from linimon@freefall.freebsd.org) Received: (from linimon@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i7V0Zi1v047087; Tue, 31 Aug 2004 00:35:44 GMT (envelope-from linimon) Date: Tue, 31 Aug 2004 00:35:44 GMT 
From: Mark Linimon Message-Id: <200408310035.i7V0Zi1v047087@freefall.freebsd.org> To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/69963: ipfw: install_state warning about already existing entry X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Aug 2004 00:35:44 -0000 Synopsis: ipfw: install_state warning about already existing entry Responsible-Changed-From-To: freebsd-bugs->ipfw Responsible-Changed-By: linimon Responsible-Changed-When: Tue Aug 31 00:35:26 GMT 2004 Responsible-Changed-Why: Over to mailing list. http://www.freebsd.org/cgi/query-pr.cgi?pr=69963 From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 31 06:11:43 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE4B916A4CE for ; Tue, 31 Aug 2004 06:11:43 +0000 (GMT) Received: from daemon.kr.FreeBSD.org (www.kr.freebsd.org [211.115.73.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id 436D543D3F for ; Tue, 31 Aug 2004 06:11:43 +0000 (GMT) (envelope-from cjh@kr.FreeBSD.org) Received: from localhost (localhost [127.0.0.1]) by daemon.kr.FreeBSD.org (Postfix) with ESMTP id DF50D1A72A for ; Tue, 31 Aug 2004 15:11:38 +0900 (KST) Received: from daemon.kr.FreeBSD.org ([127.0.0.1]) by localhost (daemon.kr.freebsd.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 97072-03 for ; Tue, 31 Aug 2004 15:11:37 +0900 (KST) Received: from localhost (gradius [211.44.63.164]) by daemon.kr.FreeBSD.org (Postfix) with ESMTP id ECBF51A73E for ; Tue, 31 Aug 2004 15:11:32 +0900 (KST) Date: Tue, 31 Aug 2004 15:11:34 +0900 (KST) Message-Id: <20040831.151134.104128692.cjh@kr.FreeBSD.org> To: ipfw@freebsd.org 
From: CHOI Junho Organization: Korea FreeBSD Users Group X-URL: http://www.kr.FreeBSD.org/~cjh X-Mailer: Mew version 4.0.68 on Emacs 21.3 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by amavisd-new at kr.FreeBSD.org Subject: packet per second limit? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Aug 2004 06:11:43 -0000 Hi, Is there any method for limiting/measuring PPS(packet per seconds) using ipfw? I am using ipfw+bridge in FreeBSD 5.2.1-p9. -- CHOI Junho KFUG FreeBSD Project Web Data Bank Key fingerprint = 1369 7374 A45F F41A F3C0 07E3 4A01 C020 E602 60F5 From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 31 13:33:14 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E5C6D16A4CE for ; Tue, 31 Aug 2004 13:33:14 +0000 (GMT) Received: from iscan1.intra.oki.co.jp (okigate.oki.co.jp [202.226.91.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 633AF43D39 for ; Tue, 31 Aug 2004 13:33:13 +0000 (GMT) (envelope-from yamamoto436@oki.com) Received: from aoi.bmc.oki.co.jp (localhost.localdomain [127.0.0.1]) by iscan1.intra.oki.co.jp (8.9.3/8.9.3) with SMTP id WAA18099 for ; Tue, 31 Aug 2004 22:33:11 +0900 Received: (qmail 8180 invoked from network); 31 Aug 2004 22:33:10 +0900 Received: from tulip.bmc.oki.co.jp (172.19.234.100) by aoi.bmc.oki.co.jp with SMTP; 31 Aug 2004 22:33:10 +0900 Received: from localhost (tulip [172.19.234.100]) by tulip.bmc.oki.co.jp (8.12.11/8.12.11) with ESMTP id i7VDX9ga034704; Tue, 31 Aug 2004 22:33:09 +0900 (JST) (envelope-from yamamoto436@oki.com) Date: Tue, 31 Aug 2004 22:33:08 +0900 (JST) Message-Id: <20040831.223308.74718517.yamamoto436@oki.com> To: freebsd-ipfw@freebsd.org 
From: Hideki Yamamoto X-Mailer: Mew version 3.3 on Emacs 21.2 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: taniguti634@oki.com Subject: gif + ipfw + dummynet for IPv6 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Aug 2004 13:33:15 -0000 Hi, I am trying to build test environment for IPv6 enable terminal by using of several FreeBSD boxes as follows: {server]----[FreeBSD box]----[FreeBSD box]---[Term] We plan to use gif interface to transfer IPv6 packet and shape the trafic by dummynet on IPv4 interface of FreeBSD box. Before building the environment and testing, I would like to search for information about feasibility of this test. I appreciate if anyone try this type of test environment and inform us of the experience. Best regards, Hideki Yamamoto From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 31 16:48:59 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3BBC316A4CE for ; Tue, 31 Aug 2004 16:48:59 +0000 (GMT) Received: from smtpout.mac.com (smtpout.mac.com [17.250.248.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1263543D39 for ; Tue, 31 Aug 2004 16:48:59 +0000 (GMT) (envelope-from cswiger@mac.com) Received: from mac.com (smtpin02-en2 [10.13.10.147]) by smtpout.mac.com (8.12.6/MantshX 2.0) with ESMTP id i7VGmwOo023810; Tue, 31 Aug 2004 09:48:58 -0700 (PDT) Received: from [192.168.1.6] (pool-68-160-193-218.ny325.east.verizon.net [68.160.193.218]) (authenticated bits=0)i7VGmKki011395; Tue, 31 Aug 2004 09:48:27 -0700 (PDT) In-Reply-To: <20040831.151134.104128692.cjh@kr.FreeBSD.org> References: <20040831.151134.104128692.cjh@kr.FreeBSD.org> Mime-Version: 1.0 (Apple Message framework v619) Content-Type: text/plain; 
charset=US-ASCII; format=flowed Message-Id: <8B4BF72F-FB6D-11D8-B6F3-003065A20588@mac.com> Content-Transfer-Encoding: 7bit From: Charles Swiger Date: Tue, 31 Aug 2004 12:48:11 -0400 To: CHOI Junho X-Mailer: Apple Mail (2.619) cc: ipfw@freebsd.org Subject: Re: packet per second limit? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Aug 2004 16:48:59 -0000 On Aug 31, 2004, at 2:11 AM, CHOI Junho wrote: > Is there any method for limiting/measuring PPS(packet per seconds) > using ipfw? I am using ipfw+bridge in FreeBSD 5.2.1-p9. ipfw -a list will show packet and byte counts; look at the output twice over a known time interval, and divide the delta by the length of the interval in seconds. For bandwidth management, see "man dummynet". -- -Chuck From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 2 19:29:30 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1DAF516A4CE for ; Thu, 2 Sep 2004 19:29:30 +0000 (GMT) Received: from motgate8.mot.com (motgate8.mot.com [129.188.136.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id A6C5D43D48 for ; Thu, 2 Sep 2004 19:29:29 +0000 (GMT) (envelope-from BFONDJO1@motorola.com) Received: from il06exr03.mot.com (il06exr03.mot.com [129.188.137.133]) by motgate8.mot.com (Motorola/Motgate8) with ESMTP id i82JUWF7012562 for ; Thu, 2 Sep 2004 12:30:32 -0700 (MST) Received: from il27exm01.cig.mot.com (il27exm01.cig.mot.com [10.17.193.2]) by il06exr03.mot.com (Motorola/il06exr03) with ESMTP id i82JTSPN024064 for ; Thu, 2 Sep 2004 14:29:28 -0500 Received: by il27exm01.cig.mot.com with Internet Mail Service (5.5.2657.72) id ; Thu, 2 Sep 2004 14:29:27 -0500 Message-ID: <3B68BAA54B9CD711A84B00065BF3B5F60BD42C99@il27exm01.cig.mot.com> 
From: Fondjo Bertrand-BFONDJO1 To: "'freebsd-ipfw@freebsd.org'" Date: Thu, 2 Sep 2004 14:29:24 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) Content-Type: text/plain X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: ipfw command not working X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Sep 2004 19:29:30 -0000 Hello Folks, When I try to use the ipfw command to configure a pipe for example: " ipfw add pipe 1 icmp from any to any", I am getting this error: "getsockopt(IP_FW_ADD) : Protocol not available". Can somebody help with this, please? I can't configure a pipe either. It seems a I am missing something in my free bsd. I am using free bsd 5.2. Please help. Bertrand Fondjo From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 2 20:03:30 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A427716A4CE for ; Thu, 2 Sep 2004 20:03:30 +0000 (GMT) Received: from tigra.ip.net.ua (tigra.ip.net.ua [82.193.96.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id D3DCC43D2F for ; Thu, 2 Sep 2004 20:03:29 +0000 (GMT) (envelope-from ru@ip.net.ua) Received: from heffalump.ip.net.ua (heffalump.ip.net.ua [82.193.96.213]) by tigra.ip.net.ua (8.12.11/8.12.11) with ESMTP id i82K3Po0070841 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 2 Sep 2004 23:03:26 +0300 (EEST) (envelope-from ru@ip.net.ua) Received: (from ru@localhost) by heffalump.ip.net.ua (8.13.1/8.13.1) id i82K3PPF002946; Thu, 2 Sep 2004 23:03:25 +0300 (EEST) (envelope-from ru) Date: Thu, 2 Sep 2004 23:03:25 +0300 
From: Ruslan Ermilov To: Fondjo Bertrand-BFONDJO1 Message-ID: <20040902200325.GD2671@ip.net.ua> References: <3B68BAA54B9CD711A84B00065BF3B5F60BD42C99@il27exm01.cig.mot.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ZARJHfwaSJQLOEUz" Content-Disposition: inline In-Reply-To: <3B68BAA54B9CD711A84B00065BF3B5F60BD42C99@il27exm01.cig.mot.com> User-Agent: Mutt/1.5.6i X-Virus-Scanned: by amavisd-new cc: "'freebsd-ipfw@freebsd.org'" Subject: Re: ipfw command not working X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Sep 2004 20:03:30 -0000 --ZARJHfwaSJQLOEUz Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Sep 02, 2004 at 02:29:24PM -0500, Fondjo Bertrand-BFONDJO1 wrote: > Hello Folks, > When I try to use the ipfw command to configure a pipe for example: > " ipfw add pipe 1 icmp from any to any", I am getting this error: > "getsockopt(IP_FW_ADD) : Protocol not available". Can somebody > help with this, please? I can't configure a pipe either. It seems > a I am missing something in my free bsd. I am using free bsd 5.2. > =20 You're either missing the firewall support in the kernel (which can be dynamically loaded if needed), or your world and kernel are not in sync. 
Cheers,
--
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 2 20:05:12 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 065EE16A4CE for ; Thu, 2 Sep 2004 20:05:12 +0000 (GMT) Received: from chello080110061116.502.15.vie.surfer.at (chello080110061116.502.15.vie.surfer.at [80.110.61.116]) by mx1.FreeBSD.org (Postfix) with SMTP id 8925B43D41 for ; Thu, 2 Sep 2004 20:05:10 +0000 (GMT) (envelope-from 4711@chello.at) Received: (qmail 6315 invoked from network); 2 Sep 2004 20:05:09 -0000 Received: from matrix010.matrix.net (192.168.123.10) by ns.matrix.net with SMTP; 2 Sep 2004 20:05:09 -0000
From: Christian Hiris <4711@chello.at> To: freebsd-ipfw@freebsd.org Date: Thu, 2 Sep 2004 22:04:56 +0200 User-Agent: KMail/1.6.2 References: <3B68BAA54B9CD711A84B00065BF3B5F60BD42C99@il27exm01.cig.mot.com> In-Reply-To: <3B68BAA54B9CD711A84B00065BF3B5F60BD42C99@il27exm01.cig.mot.com> MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha1; boundary="Boundary-02=_1z3NB3qMzVP+LE4"; charset="iso-8859-15" Content-Transfer-Encoding: 7bit Message-Id: <200409022205.09280.4711@chello.at> cc: Fondjo Bertrand-BFONDJO1 cc: "'freebsd-ipfw@freebsd.org'" Subject: Re: ipfw command not working X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Sep 2004 20:05:12 -0000

On Thursday 02 September 2004 21:29, Fondjo Bertrand-BFONDJO1 wrote:
> Hello Folks,
> When I try to use the ipfw command to configure a pipe for example: " ipfw
> add pipe 1 icmp from any to any", I am getting this error:
> "getsockopt(IP_FW_ADD) : Protocol not available". Can somebody help with
> this, please? I can't configure a pipe either. It seems I am missing
> something in my FreeBSD.

What you are probably missing is "options DUMMYNET" in your kernel config.
You can find some more details on this in 'man 4 dummynet'.

Cheers,
ch
--
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x941B6B0B
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 3 09:25:59 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AE64016A4CF for ; Fri, 3 Sep 2004 09:25:59 +0000 (GMT) Received: from nic.bme.hu (nic.bme.hu [152.66.115.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 90B2243D3F for ; Fri, 3 Sep 2004 09:25:58 +0000 (GMT) (envelope-from kz365@hszk.bme.hu) Received: from viper (viper.tmit.bme.hu [152.66.244.227]) by nic.bme.hu (Postfix) with SMTP id DDA4727D3E for ; Fri, 3 Sep 2004 11:25:56 +0200 (CEST) Message-ID: <000501c49198$040c2da0$e3f44298@viper>
From: Kovácsházi zsolt To: Date: Fri, 3 Sep 2004 11:25:54 +0200 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2900.2180 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: Dummynet IPv6 support X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 09:25:59 -0000

Hi

I've been reading the archive for nearly a week to find something about dummynet's IPv6 support.
I've tried applying the patch but it doesn't compile; I get a lot of errors.

Is there a working version of dummynet with IPv6 support?

I'm using FreeBSD 4.10

zsolt

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 3 10:49:50 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A632016A4CE for ; Fri, 3 Sep 2004 10:49:50 +0000 (GMT) Received: from web53703.mail.yahoo.com (web53703.mail.yahoo.com [206.190.37.24]) by mx1.FreeBSD.org (Postfix) with SMTP id 1E62D43D41 for ; Fri, 3 Sep 2004 10:49:50 +0000 (GMT) (envelope-from arisdr_99@yahoo.com) Message-ID: <20040903104949.46609.qmail@web53703.mail.yahoo.com> Received: from [152.118.24.3] by web53703.mail.yahoo.com via HTTP; Fri, 03 Sep 2004 11:49:49 BST Date: Fri, 3 Sep 2004 11:49:49 +0100 (BST)
From: Aris Dwi Rahmana To: freebsd-ipfw@freebsd.org In-Reply-To: <000501c49198$040c2da0$e3f44298@viper> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Re: Dummynet IPv6 support X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 10:49:50 -0000

--- Kovácsházi zsolt wrote:
> Hi
>
> I've been reading the archive for nearly a week to find something about
> dummynet's IPv6 support
> I've tried applying the patch but it doesn't compile
> I get a lot of errors
>
> is there a working version of dummynet with IPv6 support?
>
> I'm using FreeBSD 4.10
>
> zsolt
> _______________________________________________

I have tried compiling dummynet with IPv6 support and succeeded. I used the patch from this link below:
http://www.freebsd.org/cgi/getmsg.cgi?fetch=19434+107032+/usr/local/www/db/text/2004/freebsd-ipfw/20040328.freebsd-ipfw

Don't forget to add "IPFW2=YES" in /etc/make.conf, and there is some minor change in ip_fw.h in order to make the compiling process work. You have to edit the file and change the line containing "IF IPFW2" to "IF TRUE" (I forget which line it is, because my note is missing). Then just follow the instructions from Luigi Rizzo. After you compile IPFW2, don't forget to change the line that you changed before back again (change "IF TRUE" back to "IF IPFW2"). Then use the command "make install".

FYI, I used FreeBSD 4.90 and the installation only works on my PC with a Pentium 4 processor. I don't know why it doesn't work on my PC with a Pentium III or below.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 3 19:00:41 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 313B616A4CE for ; Fri, 3 Sep 2004 19:00:41 +0000 (GMT) Received: from web40412.mail.yahoo.com (web40412.mail.yahoo.com [66.218.78.109]) by mx1.FreeBSD.org (Postfix) with SMTP id F225143D49 for ; Fri, 3 Sep 2004 19:00:40 +0000 (GMT) (envelope-from c0sine@yahoo.com) Message-ID: <20040903190040.58544.qmail@web40412.mail.yahoo.com> Received: from [67.71.253.163] by web40412.mail.yahoo.com via HTTP; Fri, 03 Sep 2004 12:00:40 PDT Date: Fri, 3 Sep 2004 12:00:40 -0700 (PDT)
From: George S To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: fwd'ing packet originally destined to local interface problem X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 19:00:41 -0000

I am having some trouble with a specialized IDS testing framework I am working on.

Here is my setup:
-FreeBSD 5.2.1-release running with firewall options configured, bridging off, default to accept
-fxp0: inet 10.0.0.50 netmask 255.255.255.0
-fxp1: inet 192.168.1.3 netmask 255.255.255.0
-default gateway 10.0.0.1 / no static-routes set
-ipfw ruleset as follows:
ipfw add 1 skipto 10 tcp from 10.0.0.50 to any setup recv fxp1 keep-state
ipfw add 5 allow ip from any to any
ipfw add 10 fwd 10.0.0.1 tcp from 10.0.0.50 to any
ipfw add 11 fwd 192.168.1.2 tcp from any to 10.0.0.50
ipfw add 65536 allow ip from any to any

When a custom packet (with src ip 10.0.0.50 and SYN bit) arrives at the fxp1 interface, it is forwarded out of the fxp0 interface, as expected. When the response (with dst ip 10.0.0.50 and SYN+ACK) arrives on fxp0 however, rule #11 registers the packet by updating its counter, but the packet does not get written out on the fxp1 wire, as I would expect (or hope) it to!

Is this a problem with the code or my ruleset or did I erroneously predict the resulting behaviour?

Many thanks in advance for any help any guru here can provide.

Kindest regards,

George

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 3 19:21:00 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 66D0516A4CE for ; Fri, 3 Sep 2004 19:21:00 +0000 (GMT) Received: from mx.hostarica.com (mx.hostarica.com [196.40.45.74]) by mx1.FreeBSD.org (Postfix) with ESMTP id 949B143D58 for ; Fri, 3 Sep 2004 19:20:59 +0000 (GMT) (envelope-from jose@hostarica.com) Received: from localhost (localhost.hostarica.com [127.0.0.1]) by mx.hostarica.com (Postfix) with ESMTP id 0D254FBDD; Fri, 3 Sep 2004 13:27:06 -0600 (CST) Received: from [192.168.0.69] (unknown [192.168.0.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.hostarica.com (Postfix) with ESMTP id C305FFBDC; Fri, 3 Sep 2004 13:27:04 -0600 (CST)
From: Jose Hidalgo Herrera To: George S In-Reply-To: <20040903190040.58544.qmail@web40412.mail.yahoo.com> References: <20040903190040.58544.qmail@web40412.mail.yahoo.com> Organization: Corp. Hosta Rica Message-Id: <1094239257.95873.1.camel@jose.hostarica.net> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.6 Date: Fri, 03 Sep 2004 13:20:57 -0600 X-Virus-Scanned: by amavisd 0.1 Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.1 cc: freebsd-ipfw@freebsd.org cc: jose@hostarica.com Subject: Re: fwd'ing packet originally destined to local interface problem X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: jose@hostarica.com List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 19:21:00 -0000

I think you need:

ipfw add 1 check-state
ipfw add 2 skipto 10 ........

On Fri, 2004-09-03 at 13:00, George S wrote:
> I am having some trouble with a specialized IDS testing framework I am
> working on.
>
> Here is my setup:
> -FreeBSD 5.2.1-release running with firewall options configured, bridging
> off, default to accept
> -fxp0: inet 10.0.0.50 netmask 255.255.255.0
> -fxp1: inet 192.168.1.3 netmask 255.255.255.0
> -default gateway 10.0.0.1 / no static-routes set
> -ipfw ruleset as follows:
> ipfw add 1 skipto 10 tcp from 10.0.0.50 to any setup recv fxp1 keep-state
> ipfw add 5 allow ip from any to any
> ipfw add 10 fwd 10.0.0.1 tcp from 10.0.0.50 to any
> ipfw add 11 fwd 192.168.1.2 tcp from any to 10.0.0.50
> ipfw add 65536 allow ip from any to any
>
> When a custom packet (with src ip 10.0.0.50 and SYN bit) arrives at the fxp1
> interface, it is forwarded out of the fxp0 interface, as expected. When the
> response (with dst ip 10.0.0.50 and SYN+ACK) arrives on fxp0 however, rule
> #11 registers the packet by updating its counter, but the packet does not
> get written out on the fxp1 wire, as I would expect (or hope) it to!
>
> Is this a problem with the code or my ruleset or did I erroneously predict
> the resulting behaviour?
>
> Many thanks in advance for any help any guru here can provide.
>
> Kindest regards,
>
> George
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

--
Jose Hidalgo Herrera
Corp. Hosta Rica

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 3 20:44:38 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 242DB16A4CE for ; Fri, 3 Sep 2004 20:44:38 +0000 (GMT) Received: from web40410.mail.yahoo.com (web40410.mail.yahoo.com [66.218.78.107]) by mx1.FreeBSD.org (Postfix) with SMTP id 127E443D46 for ; Fri, 3 Sep 2004 20:44:38 +0000 (GMT) (envelope-from c0sine@yahoo.com) Message-ID: <20040903204437.1850.qmail@web40410.mail.yahoo.com> Received: from [67.71.253.163] by web40410.mail.yahoo.com via HTTP; Fri, 03 Sep 2004 13:44:37 PDT Date: Fri, 3 Sep 2004 13:44:37 -0700 (PDT)
From: George S To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Subject: Re: fwd'ing packet originally destined to local interface problem X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 20:44:38 -0000

Hi,

Thank you for the suggestion, but that didn't make any difference, which is consistent with the docs "If no check-state rule is found, the dynamic rule-set is checked at the first keep-state or limit rule" (in my case, rule #1). My dynamic rule set is checked on rule #1 and that causes a skipto 10, where the next matching rule is #11. The packet count is updated, but *I do not see the packet coming out the fxp1 interface*.

Any other suggestions?

George

>I think you need:
>ipfw add 1 check-state
>ipfw add 2 skipto 10 ........
>
>
>On Fri, 2004-09-03 at 13:00, George S wrote:
>
>> I am having some trouble with a specialized IDS testing framework I am
>> working on.
>>
>> Here is my setup:
>> -FreeBSD 5.2.1-release running with firewall options configured, bridging
>> off, default to accept
>> -fxp0: inet 10.0.0.50 netmask 255.255.255.0
>> -fxp1: inet 192.168.1.3 netmask 255.255.255.0
>> -default gateway 10.0.0.1 / no static-routes set
>> -ipfw ruleset as follows:
>> ipfw add 1 skipto 10 tcp from 10.0.0.50 to any setup recv fxp1 keep-state
>> ipfw add 5 allow ip from any to any
>> ipfw add 10 fwd 10.0.0.1 tcp from 10.0.0.50 to any
>> ipfw add 11 fwd 192.168.1.2 tcp from any to 10.0.0.50
>> ipfw add 65536 allow ip from any to any
>>
>> When a custom packet (with src ip 10.0.0.50 and SYN bit) arrives at the fxp1
>> interface, it is forwarded out of the fxp0 interface, as expected. When the
>> response (with dst ip 10.0.0.50 and SYN+ACK) arrives on fxp0 however, rule
>> #11 registers the packet by updating its counter, but the packet does not
>> get written out on the fxp1 wire, as I would expect (or hope) it to!
>>
>> Is this a problem with the code or my ruleset or did I erroneously predict
>> the resulting behaviour?
>>
>> Many thanks in advance for any help any guru here can provide.
>>
>> Kindest regards,
>>
>> George
>>
>
>--
>Jose Hidalgo Herrera
>Corp. Hosta Rica

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 3 21:50:51 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4284116A4CE; Fri, 3 Sep 2004 21:50:51 +0000 (GMT) Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id D2F9B43D1F; Fri, 3 Sep 2004 21:50:50 +0000 (GMT) (envelope-from brdavis@odin.ac.hmc.edu) Received: from odin.ac.hmc.edu (localhost.localdomain [127.0.0.1]) by odin.ac.hmc.edu (8.13.0/8.13.0) with ESMTP id i83LpbUg031209; Fri, 3 Sep 2004 14:51:37 -0700 Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.13.0/8.13.0/Submit) id i83LpbTV031208; Fri, 3 Sep 2004 14:51:37 -0700 Date: Fri, 3 Sep 2004 14:51:37 -0700
From: Brooks Davis To: freebsd-ipfw@freebsd.org Message-ID: <20040903215137.GA26762@odin.ac.hmc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="EeQfGwPcQSOJBaQU" Content-Disposition: inline User-Agent: Mutt/1.4.1i X-Virus-Scanned: by amavisd-new X-Spam-Status: No, hits=0.0 required=8.0 tests=none autolearn=no version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on odin.ac.hmc.edu cc: andre@freebsd.org Subject: ipfw2 for IPV6 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Sep 2004 21:50:51 -0000

I'm working on updating the IPFW2 for IPv6 patch Luigi posted back in April. I've got it partially working with pfil, but I've run into some issues with linklocal addresses and dummynet6. Inbound rules work fine, but output rules do not because the route struct is not carried in to the pfil hook and thus the output interface is lost. I'm looking for comments on the best way to solve this problem. I don't know IPv6 all that well, so I'm not sure what to propose.

The work is being done in perforce at:

//depot/user/brooks/dummynet6

I've included a patch against current below. Be aware that you must run with debug.mpsafenet=0 if you want to try IPv6 output rules. The current code doesn't handle the case where the firewall changes the destination, but modulo bugs, we are probably at feature parity with ip6fw.

-- Brooks

Changed files:
sbin/ipfw/ipfw2.c
sys/netinet/ip_dummynet.c
sys/netinet/ip_dummynet.h
sys/netinet/ip_fw.h
sys/netinet/ip_fw2.c
sys/netinet/ip_fw_pfil.c

--- ../cleanup/sbin/ipfw/ipfw2.c Wed Sep 1 08:01:19 2004 +++ sbin/ipfw/ipfw2.c Thu Sep 2 16:40:48 2004
@@ -45,10 +45,12 @@ #include =20 #include +#include /* def. of struct route */ #include #include #include #include +#include #include #include #include @@ -253,6 +255,13 @@ TOK_DROPTAIL, TOK_PROTO, TOK_WEIGHT, + + TOK_IPV6, + TOK_FLOWID, + TOK_ICMP6TYPES, + TOK_EXT6HDR, + TOK_DSTIP6, + TOK_SRCIP6, }; =20 struct _s_x dummynet_params[] =3D { @@ -275,6 +284,13 @@ { "delay", TOK_DELAY }, { "pipe", TOK_PIPE }, { "queue", TOK_QUEUE }, + + { "flow-id", TOK_FLOWID}, + { "dst-ipv6", TOK_DSTIP6}, + { "dst-ip6", TOK_DSTIP6}, + { "src-ipv6", TOK_SRCIP6}, + { "src-ip6", TOK_SRCIP6}, + { "dummynet-params", TOK_NULL }, { NULL, 0 } /* terminator */ }; @@ -299,6 +315,7 @@ { "unreach", TOK_UNREACH }, { "check-state", TOK_CHECKSTATE }, { "//", TOK_COMMENT }, + { NULL, 0 } /* terminator */ }; =20 @@ -352,6 +369,16 @@ { "ipsec", TOK_IPSEC }, { "//", TOK_COMMENT }, =20 + { "icmp6type", TOK_ICMP6TYPES }, + { "icmp6types", TOK_ICMP6TYPES }, + { "ext6hdr", TOK_EXT6HDR}, + { "flow-id", TOK_FLOWID}, + { "ipv6", TOK_IPV6}, + { "dst-ipv6", TOK_DSTIP6}, + { "dst-ip6", TOK_DSTIP6}, + { "src-ipv6", TOK_SRCIP6}, + { "src-ip6", TOK_SRCIP6}, + { "not", TOK_NOT }, /* pseudo option */ { "!", /* escape ? */ TOK_NOT }, /* pseudo option */ { "or", TOK_OR }, /* pseudo option */ 
@@ -848,6 +875,196 @@ } } =20 +/* XXX ipv6 stuff */ +/*=20 + * Print the ip address contained in a command. + */ +static void +print_ip6(ipfw_insn_ip6 *cmd, char const *s) +{ + struct hostent *he =3D NULL; + int len =3D F_LEN((ipfw_insn *) cmd) - 1; + struct in6_addr *a =3D &(cmd->addr6); + char trad[255]; + + printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s); + + if (cmd->o.opcode =3D=3D O_IP6_SRC_ME || cmd->o.opcode =3D=3D O_IP6= _DST_ME) { + printf("me6"); + return; + } + if (cmd->o.opcode =3D=3D O_IP6) { + printf(" ipv6"); + return; + } + + /* + * len =3D=3D 4 indicates a single IP, whereas lists of 1 or more + * addr/mask pairs have len =3D (2n+1). We convert len to n so we + * use that to count the number of entries. + */ + + for (len =3D len / 4; len > 0; len -=3D 2, a +=3D 2) { + int mb =3D /* mask length */ + (cmd->o.opcode =3D=3D O_IP6_SRC || cmd->o.opcode =3D=3D O_I= P6_DST) ? + 128 : contigmask((uint8_t *)&(a[1]), 128); + + if (mb =3D=3D 128 && do_resolv) + he =3D gethostbyaddr((char *)a, sizeof(*a), AF_INET6); + if (he !=3D NULL) /* resolved to name */ + printf("%s", he->h_name); + else if (mb =3D=3D 0) /* any */ + printf("any"); + else { /* numeric IP followed by some kind of mask */ + if (inet_ntop(AF_INET6, a, trad, sizeof( trad ) ) =3D=3D N= ULL) + printf("Error ntop in print_ip6\n"); + printf("%s", trad ); + if (mb < 0) /* XXX not really legal... 
*/ + printf(":%s", + inet_ntop(AF_INET6, &a[1], trad, sizeof(trad))); + else if (mb < 128) + printf("/%d", mb); + } + if (len > 2) + printf(","); + } +} + +static void +fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av) +{ + uint8_t type; + + cmd->d[0] =3D 0; + while (*av) { + if (*av =3D=3D ',') + av++; + type =3D strtoul(av, &av, 0); + if (*av !=3D ',' && *av !=3D '\0') + errx(EX_DATAERR, "invalid ICMP6 type"); + if (type > ICMP6_MAXTYPE) + errx(EX_DATAERR, "ICMP6 type out of range"); + cmd->d[type / 32] |=3D ( 1 << (type % 32)); + } + cmd->o.opcode =3D O_ICMP6TYPE; + cmd->o.len |=3D F_INSN_SIZE(ipfw_insn_icmp6); +} + + +static void +print_icmp6types(ipfw_insn_u32 *cmd) +{ + int i, j; + char sep=3D ' '; + + printf(" ipv6 icmp6types"); + for (i =3D 0; i < 7; i++) + for (j=3D0; j < 32; ++j) { + if ( (cmd->d[i] & (1 << (j))) =3D=3D 0) + continue; + printf("%c%d", sep, (i*32 + j)); + sep =3D ','; + } +} + +static void +print_flow6id( ipfw_insn_u32 *cmd) +{ + uint16_t i, limit =3D cmd->o.arg1; + char sep =3D ','; + + printf(" flow-id "); + for( i=3D0; i < limit; ++i) { + if (i =3D=3D limit - 1) + sep =3D ' '; + printf("%d%c", cmd->d[i], sep); + } +} + +/* structure and define for the extension header in ipv6 */ +static struct _s_x ext6hdrcodes[] =3D { + { "frag", EXT_FRAGMENT }, + { "hopopt", EXT_HOPOPTS }, + { "route", EXT_ROUTING }, + { "ah", EXT_AH }, + { "esp", EXT_ESP }, + { NULL, 0 } +}; + +/* fills command for the extension header filtering */ +int +fill_ext6hdr( ipfw_insn *cmd, char *av) +{ + int tok; + char *s =3D av; + + cmd->arg1 =3D 0; + + while(s) { + av =3D strsep( &s, ",") ; + tok =3D match_token(ext6hdrcodes, av); + switch (tok) { + case EXT_FRAGMENT: + cmd->arg1 |=3D EXT_FRAGMENT; + break; + + case EXT_HOPOPTS: + cmd->arg1 |=3D EXT_HOPOPTS; + break; + + case EXT_ROUTING: + cmd->arg1 |=3D EXT_ROUTING; + break; + + case EXT_AH: + cmd->arg1 |=3D EXT_AH; + break; + + case EXT_ESP: + cmd->arg1 |=3D EXT_ESP; + break; + + default: + errx( EX_DATAERR, "invalid 
option for ipv6 exten headear" ); + break; + } + } + if (cmd->arg1 =3D=3D 0 ) + return 0; + cmd->opcode =3D O_EXT_HDR; + cmd->len |=3D F_INSN_SIZE( ipfw_insn ); + return 1; +} + +void +print_ext6hdr( ipfw_insn *cmd ) +{ + char sep =3D ' '; + + printf(" extension header:"); + if (cmd->arg1 & EXT_FRAGMENT ) { + printf("%cfragmentation", sep); + sep =3D ','; + } + if (cmd->arg1 & EXT_HOPOPTS ) { + printf("%chop options", sep); + sep =3D ','; + } + if (cmd->arg1 & EXT_ROUTING ) { + printf("%crouting options", sep); + sep =3D ','; + } + if (cmd->arg1 & EXT_AH ) { + printf("%cauthentication header", sep); + sep =3D ','; + } + if (cmd->arg1 & EXT_ESP ) { + printf("%cencapsulated security payload", sep); + } +} + +/* XXX end of ipv6 stuff */ + /* * show_ipfw() prints the body of an ipfw rule. * Because the standard rule has at least proto src_ip dst_ip, we use @@ -866,6 +1083,7 @@ #define HAVE_DSTIP 0x0004 #define HAVE_MAC 0x0008 #define HAVE_MACTYPE 0x0010 +#define HAVE_PROTO6 0x0080 #define HAVE_OPTIONS 0x8000 =20 #define HAVE_IP (HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP) @@ -888,6 +1106,9 @@ return; } if ( !(*flags & HAVE_OPTIONS)) { + /* XXX: This is what the patch has, but shouldn't that be PROTO6? */ + if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO6)) + printf(" ipv6"); if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO)) printf(" ip"); if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP)) 
@@ -1130,6 +1351,37 @@ flags |=3D HAVE_DSTIP; break; =20 + case O_IP6_SRC: + case O_IP6_SRC_MASK: + case O_IP6_SRC_ME: + show_prerequisites(&flags, HAVE_PROTO6, 0); + if (!(flags & HAVE_SRCIP)) + printf(" from"); + if ((cmd->len & F_OR) && !or_block) + printf(" {"); + print_ip6((ipfw_insn_ip6 *)cmd, + (flags & HAVE_OPTIONS) ? " src-ip6" : ""); + flags |=3D HAVE_SRCIP | HAVE_PROTO; + break; + + case O_IP6_DST: + case O_IP6_DST_MASK: + case O_IP6_DST_ME: + show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0); + if (!(flags & HAVE_DSTIP)) + printf(" to"); + if ((cmd->len & F_OR) && !or_block) + printf(" {"); + print_ip6((ipfw_insn_ip6 *)cmd, + (flags & HAVE_OPTIONS) ? " dst-ip6" : ""); + flags |=3D HAVE_DSTIP; + break; + + case O_FLOW6ID: + print_flow6id( (ipfw_insn_u32 *) cmd ); + flags |=3D HAVE_OPTIONS; + break; + case O_IP_DSTPORT: show_prerequisites(&flags, HAVE_IP, 0); case O_IP_SRCPORT: @@ -1141,14 +1393,15 @@ break; =20 case O_PROTO: { - struct protoent *pe; + struct protoent *pe =3D NULL; =20 if ((cmd->len & F_OR) && !or_block) printf(" {"); if (cmd->len & F_NOT) printf(" not"); proto =3D cmd->arg1; - pe =3D getprotobynumber(cmd->arg1); + if (proto !=3D 41) /* XXX: ipv6 is special */ + pe =3D getprotobynumber(cmd->arg1); if (flags & HAVE_OPTIONS) printf(" proto"); if (pe) @@ -1332,6 +1585,18 @@ } break; =20 + case O_IP6: + printf(" ipv6"); + break; + + case O_ICMP6TYPE: + print_icmp6types((ipfw_insn_u32 *)cmd); + break; + + case O_EXT_HDR: + print_ext6hdr( (ipfw_insn *) cmd ); + break; + default: printf(" [opcode %d len %d]", cmd->opcode, cmd->len); 
@@ -1428,42 +1693,104 @@ static void list_queues(struct dn_flow_set *fs, struct dn_flow_queue *q) { - int l; + int l, index_print =3D 0; + char buff[255]; =20 - printf(" mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n", - fs->flow_mask.proto, - fs->flow_mask.src_ip, fs->flow_mask.src_port, - fs->flow_mask.dst_ip, fs->flow_mask.dst_port); if (fs->rq_elements =3D=3D 0) return; =20 - printf("BKT Prot ___Source IP/port____ " - "____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp\n"); if (do_sort !=3D 0) heapsort(q, fs->rq_elements, sizeof *q, sort_q); + + /* + * Do IPv4 stuff + */ for (l =3D 0; l < fs->rq_elements; l++) { - struct in_addr ina; - struct protoent *pe; + if (!IS_IP6_FLOW_ID(&(q[l].id))) { + struct in_addr ina; + struct protoent *pe; =20 - ina.s_addr =3D htonl(q[l].id.src_ip); - printf("%3d ", q[l].hash_slot); - pe =3D getprotobynumber(q[l].id.proto); - if (pe) - printf("%-4s ", pe->p_name); - else - printf("%4u ", q[l].id.proto); - printf("%15s/%-5d ", - inet_ntoa(ina), q[l].id.src_port); - ina.s_addr =3D htonl(q[l].id.dst_ip); - printf("%15s/%-5d ", - inet_ntoa(ina), q[l].id.dst_port); - printf("%4qu %8qu %2u %4u %3u\n", - q[l].tot_pkts, q[l].tot_bytes, - q[l].len, q[l].len_bytes, q[l].drops); - if (verbose) - printf(" S %20qd F %20qd\n", - q[l].S, q[l].F); + if (!index_print) { + index_print =3D 1; + printf("\n mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n", + fs->flow_mask.proto, + fs->flow_mask.src_ip, + fs->flow_mask.src_port, + fs->flow_mask.dst_ip, + fs->flow_mask.dst_port); + printf(" BKT Prot ___Source IP/port____ " + "____Dest. 
IP/port____ Tot_pkt/bytes Pkt/Byte Drp\n"); + } + printf(" %3d ", q[l].hash_slot); + + pe =3D getprotobynumber(q[l].id.proto); + if (pe) + printf("%-4s ", pe->p_name); + else + printf("%4u ", q[l].id.proto); + ina.s_addr =3D htonl(q[l].id.src_ip); + printf("%15s/%-5d ", + inet_ntoa(ina), q[l].id.src_port); + ina.s_addr =3D htonl(q[l].id.dst_ip); + printf("%15s/%-5d ", + inet_ntoa(ina), q[l].id.dst_port); + printf("%4qu %8qu %2u %4u %3u\n", + q[l].tot_pkts, q[l].tot_bytes, + q[l].len, q[l].len_bytes, q[l].drops); + if (verbose) + printf(" S %20qd F %20qd\n", + q[l].S, q[l].F); + } + } + =09 + /* + * Do IPv6 stuff + */ + + index_print =3D 0; + for (l =3D 0; l < fs->rq_elements; l++) { + if (IS_IP6_FLOW_ID(&(q[l].id))) { + struct protoent *pe; + + if (!index_print) { + index_print =3D 1; + printf("\n mask: proto: 0x%02x, flow_id: 0x%08x, ", + fs->flow_mask.proto, fs->flow_mask.flow_id6 ); + inet_ntop(AF_INET6, &(fs->flow_mask.src_ip6), + buff, sizeof(buff) ); + printf("%s/0x%04x -> ", buff, fs->flow_mask.src_port); + inet_ntop( AF_INET6, &(fs->flow_mask.dst_ip6), + buff, sizeof(buff) ); + printf("%s/0x%04x\n", buff, fs->flow_mask.dst_port); + + printf(" BKT ___Prot___ _flow-id_ " + "______________Source IPv6/port_______________ " + "_______________Dest. IPv6/port_______________ " + "Tot_pkt/bytes Pkt/Byte Drp\n"); + } + printf(" %3d ", q[l].hash_slot); + pe =3D getprotobynumber(q[l].id.proto); + if (pe) + printf("%9s ", pe->p_name); + else + printf("%9u ", q[l].id.proto); + printf("%7d %39s/%-5d ", q[l].id.flow_id6, + inet_ntop(AF_INET6, &(q[l].id.src_ip6), + buff, sizeof(buff)), + q[l].id.src_port); + printf(" %39s/%-5d ", + inet_ntop(AF_INET6, &(q[l].id.dst_ip6), + buff, sizeof(buff)), + q[l].id.dst_port); + printf(" %4qu %8qu %2u %4u %3u\n", + q[l].tot_pkts, q[l].tot_bytes, + q[l].len, q[l].len_bytes, q[l].drops); + if (verbose) + printf(" S %20qd F %20qd\n", + q[l].S, q[l].F); + } } + printf("\n"); } =20 static void 
@@ -1852,7 +2179,7 @@ if (do_dynamic && ndyn) { printf("## Dynamic rules:\n"); for (lac =3D ac, lav =3D av; lac !=3D 0; lac--) { - rnum =3D strtoul(*lav++, &endptr, 10); + last =3D rnum =3D strtoul(*lav++, &endptr, 10); if (*endptr =3D=3D '-') last =3D strtoul(endptr+1, &endptr, 10); if (*endptr) @@ -1905,17 +2232,22 @@ "ACTION: check-state | allow | count | deny | reject | skipto N |\n" " {divert|tee} PORT | forward ADDR | pipe N | queue N\n" "ADDR: [ MAC dst src ether_type ] \n" -" [ from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n" +" [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n" +" [ ipv6 from IP6ADDR [ PORT ] to IP6ADDR [ PORTLIST ] ]\n" "IPADDR: [not] { any | me | ip/bits{x,y,z} | table(t[,v]) | IPLIST }\n" "IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]\n" +"IP6ADDR: [not] { any | me | me6 | ip6/bits | IP6LIST }\n" +"IP6LIST: { ip6 | ip6/bits }[,IP6LIST]\n" "OPTION_LIST: OPTION [OPTION_LIST]\n" -"OPTION: bridged | {dst-ip|src-ip} ADDR | {dst-port|src-port} LIST |\n" +"OPTION: bridged | {dst-ip|src-ip} IPADDR | {dst-port|src-port} LIST |\n" " estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |\n" " iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |\n" " ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n" " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n" " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n" -" verrevpath | versrcreach | antispoof\n" +" verrevpath | icmp6types LIST | ext6hdr LIST |\n" +" {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |\n" +" flow-id N[,N]\n" ); exit(0); } 
@@ -2124,6 +2456,227 @@ cmd->o.len |=3D len+1; } =20 +/* XXX more ipv6 stuff */ +/* Try to find ipv6 address by hostname */ +static int +lookup_host6 (char *host, struct in6_addr *ip6addr) +{ + struct hostent *he; + + if (!inet_pton(AF_INET6, host, ip6addr)) { + if ((he =3D gethostbyname2(host, AF_INET6)) =3D=3D NULL) + return(-1); + memcpy( ip6addr, he->h_addr_list[0], sizeof( struct in6_add= r)); + } + return(0); +} + +/* n2mask sets n bits of the mask */ + +static void +n2mask(struct in6_addr *mask, int n) +{ + static int minimask[9] =3D { + 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff + }; + u_char *p; + int i; + + memset(mask, 0, sizeof(struct in6_addr)); + p =3D (u_char *) mask; + for (i =3D 0; i < 16; i++, p++, n -=3D 8) { + if (n >=3D 8) { + *p =3D 0xff; + continue; + } + *p =3D minimask[n]; + break; + } + return; +} + =20 +/* + * fills the addr and mask fields in the instruction as appropriate from a= v. + * Update length as appropriate. + * The following formats are allowed: + * any matches any IP6. Actually returns an empty instruction. + * me returns O_IP6_*_ME + * + * 03f1::234:123:0342 single IP6 addres + * 03f1::234:123:0342/24 address/mask + * 03f1::234:123:0342/24,03f1::234:123:0343/ List of add= ress + * + * Set of address (as in ipv6) not supported because ipv6 address + * are typically random past the initial prefix. + * Return 1 on success, 0 on failure. + */ + +static int +fill_ip6(ipfw_insn_ip6 *cmd, char *av) +{ + int len =3D 0; + struct in6_addr *d =3D &(cmd->addr6); + /* Needed for multiple address. 
+ * Note d[1] points to struct in6_add r mask6 of cmd + */ + + cmd->o.len &=3D ~F_LEN_MASK; /* zero len */ + + if (!strncmp(av, "any", strlen(av))) + return 1; + + + if (!strncmp(av, "me", strlen(av))) { /* Set the data for "me" op= t*/ + cmd->o.len |=3D F_INSN_SIZE(ipfw_insn); + return 1; + } + if (!strncmp(av, "me6", strlen(av))) { /* Set the data for "me" op= t*/ + cmd->o.len |=3D F_INSN_SIZE(ipfw_insn); + return 1; + } + + av =3D strdup(av); + while (av) { + /* + * After the address we can have '/' indicating a mask, + * or ',' indicating another address follows. + */ + + char *p; + int masklen; + char md =3D '\0'; + + if ((p =3D strpbrk( av, "/,")) ) { + md =3D *p; /* save the separator */ + *p =3D '\0'; /* terminate address string */ + p++; /* and skip past it */ + } + /* now p points to NULL, mask or next entry */ + + /* lookup stores address in *d as a side effect */ + if (lookup_host6(av, d) !=3D 0) { + /* failed. Free memory and go */ + errx(EX_DATAERR, "bad address \"%s\"", av); + } + /* next, look at the mask, if any */ + masklen =3D (md =3D=3D '/') ? atoi(p) : 128; + if (masklen > 128 || masklen < 0) + errx(EX_DATAERR, "bad width \"%s\''", p); + else + n2mask( &d[1], masklen); + + APPLY_MASK( d, &d[1]) /* mask base address with mask */ + + /* find next separator */ + + if (md =3D=3D '/') { /* find separator past the mask= */ + p =3D strpbrk(p, ","); + if (p) + p++; + } + av =3D p; + + /* Check this entry */ + if (masklen =3D=3D 0) { + /* + * 'any' turns the entire list into a NOP. + * 'not any' never matches, so it is removed from the + * list unless it is the only item, in which case we + * report an error. 
+ */ + if (cmd->o.len & F_NOT) { /* "not any" never matches */ + if (av =3D=3D NULL && len =3D=3D 0) /* only this en= try */ + errx(EX_DATAERR, "not any never matches"); + } + /* else do nothing and skip this entry */ + continue; + } + + /* + * A single IP can be stored alone + */ + if (masklen =3D=3D 128 && av =3D=3D NULL && len =3D=3D 0) { + len =3D F_INSN_SIZE(struct in6_addr); + break; + } + + /* Update length and pointer to arguments */ + len +=3D F_INSN_SIZE(struct in6_addr)*2; + d +=3D 2; + } /* end while */ + + /* Total lenght of the command, remember that 1 is the size of the = base command */ + cmd->o.len |=3D len+1; + free(av); + return 1; +} + +/* + * fills command for ipv6 flow-id filtering + * note that the 20 bit flow number is stored in a array of u_int32_t + * it's supported lists of flow-id, so in the o.arg1 we store how many + * additional flow-id we want to filter, the basic is 1 + */ +void +fill_flow6( ipfw_insn_u32 *cmd, char *av ) +{ + u_int32_t type; /* Current flow number */ + u_int16_t nflow =3D 0; /* Current flow index */ + char *s =3D av; + cmd->d[0] =3D 0; /* Initializing the base number*/ + + while (s) { + av =3D strsep( &s, ",") ; + type =3D strtoul(av, &av, 0); + if (*av !=3D ',' && *av !=3D '\0') + errx(EX_DATAERR, "invalid ipv6 flow number %s", av); + if (type > 0xfffff) + errx(EX_DATAERR, "flow number out of range %s", av); + cmd->d[nflow] |=3D type; + nflow++; + } + if( nflow > 0 ) { + cmd->o.opcode =3D O_FLOW6ID; + cmd->o.len |=3D F_INSN_SIZE(ipfw_insn_u32) + nflow; + cmd->o.arg1 =3D nflow; + } + else { + errx(EX_DATAERR, "invalid ipv6 flow number %s", av); + } +} + +static ipfw_insn * +add_srcip6(ipfw_insn *cmd, char *av) +{ + fill_ip6( (ipfw_insn_ip6 *) cmd, av); + if (F_LEN(cmd) =3D=3D 0) /* any */ + ; + if (F_LEN(cmd) =3D=3D F_INSN_SIZE(ipfw_insn)) /* "me" */ + cmd->opcode =3D O_IP6_SRC_ME; + else if (F_LEN(cmd) =3D=3D (F_INSN_SIZE(struct in6_addr) + F_INSN_S= IZE(ipfw_insn))) + /* single IP, no mask*/ + cmd->opcode =3D 
O_IP6_SRC; + else /* addr/mask opt */ + cmd->opcode =3D O_IP6_SRC_MASK; + return cmd; +} + +static ipfw_insn * +add_dstip6(ipfw_insn *cmd, char *av) +{ + fill_ip6((ipfw_insn_ip6 *)cmd, av); + if (F_LEN(cmd) =3D=3D 0) /* any */ + ; + if (F_LEN(cmd) =3D=3D F_INSN_SIZE(ipfw_insn)) /* "me" */ + cmd->opcode =3D O_IP6_DST_ME; + else if (F_LEN(cmd) =3D=3D (F_INSN_SIZE(struct in6_addr) + F_INSN_S= IZE(ipfw_insn))) + /* single IP, no mask*/ + cmd->opcode =3D O_IP6_DST; + else /* addr/mask opt */ + cmd->opcode =3D O_IP6_DST_MASK; + return cmd; +} +/* end ipv6 stuff */ =20 /* * helper function to process a set of flags and set bits in the @@ -2236,7 +2789,6 @@ struct dn_pipe p; int i; char *end; - uint32_t a; void *par =3D NULL; =20 memset(&p, 0, sizeof p); @@ -2298,16 +2850,15 @@ */ par =3D NULL; =20 - p.fs.flow_mask.dst_ip =3D 0; - p.fs.flow_mask.src_ip =3D 0; - p.fs.flow_mask.dst_port =3D 0; - p.fs.flow_mask.src_port =3D 0; - p.fs.flow_mask.proto =3D 0; + bzero(&p.fs.flow_mask, sizeof(p.fs.flow_mask)); end =3D NULL; =20 while (ac >=3D 1) { uint32_t *p32 =3D NULL; uint16_t *p16 =3D NULL; + uint32_t *p20 =3D NULL; + struct in6_addr *pa6 =3D NULL; + uint32_t a; /* the mask */ =20 tok =3D match_token(dummynet_params, *av); ac--; av++; @@ -2321,6 +2872,9 @@ p.fs.flow_mask.dst_port =3D ~0; p.fs.flow_mask.src_port =3D ~0; p.fs.flow_mask.proto =3D ~0; + n2mask( &(p.fs.flow_mask.dst_ip6), 128); + n2mask( &(p.fs.flow_mask.src_ip6), 128); + p.fs.flow_mask.flow_id6 =3D ~0; p.fs.flags_fs |=3D DN_HAVE_FLOW_MASK; goto end_mask; =20 @@ -2332,6 +2886,18 @@ p32 =3D &p.fs.flow_mask.src_ip; break; =20 + case TOK_DSTIP6: + pa6 =3D &(p.fs.flow_mask.dst_ip6); + break; + + case TOK_SRCIP6: + pa6 =3D &(p.fs.flow_mask.src_ip6); + break; + + case TOK_FLOWID: + p20 =3D &p.fs.flow_mask.flow_id6; + break; + case TOK_DSTPORT: p16 =3D &p.fs.flow_mask.dst_port; break; 
@@ -2349,22 +2915,35 @@ } if (ac < 1) errx(EX_USAGE, "mask: value missing"); - if (*av[0] =3D=3D '/') { + if (*av[0] =3D=3D '/') { /* mask len */ a =3D strtoul(av[0]+1, &end, 0); - a =3D (a =3D=3D 32) ? ~0 : (1 << a) - 1; - } else + /* convert to a mask for non IPv6 */ + if (pa6 =3D=3D NULL) + a =3D (a =3D=3D 32) ? ~0 : (1 << a) - 1; + } else /* explicit mask (non IPv6) */ a =3D strtoul(av[0], &end, 0); if (p32 !=3D NULL) *p32 =3D a; else if (p16 !=3D NULL) { - if (a > 65535) + if (a > 0xffff) errx(EX_DATAERR, - "mask: must be 16 bit"); + "port mask must be 16 bit"); *p16 =3D (uint16_t)a; + } else if (p20 !=3D NULL) { + if (a > 0xfffff) + errx(EX_DATAERR, + "flow_id mask must be 20 bit"); + *p20 =3D (uint32_t)a; + } else if (pa6 !=3D NULL) { + if (a < 0 || a > 128) + errx(EX_DATAERR, + "in6addr invalid mask len"); + else + n2mask(pa6, a); } else { - if (a > 255) + if (a > 0xff) errx(EX_DATAERR, - "mask: must be 8 bit"); + "porto mask must be 8 bit"); p.fs.flow_mask.proto =3D (uint8_t)a; } if (a !=3D 0) @@ -2468,7 +3047,7 @@ break; =20 default: - errx(EX_DATAERR, "unrecognised option ``%s''", av[-1]); + errx(EX_DATAERR, "unrecognised option ``%s''", *av); } } if (do_pipe =3D=3D 1) { @@ -2684,21 +3263,25 @@ } =20 static ipfw_insn * -add_proto(ipfw_insn *cmd, char *av) +add_proto(ipfw_insn *cmd, char *av, u_char *proto) { struct protoent *pe; - u_char proto =3D 0; + + *proto =3D IPPROTO_IP; =20 if (!strncmp(av, "all", strlen(av))) ; /* same as "ip" */ - else if ((proto =3D atoi(av)) > 0) + else if ((*proto =3D atoi(av)) > 0) ; /* all done! */ else if ((pe =3D getprotobyname(av)) !=3D NULL) - proto =3D pe->p_proto; + *proto =3D pe->p_proto; + else if(!strncmp(av, "ipv6", strlen(av)) || + !strncmp(av, "ip6", strlen(av)) ) + *proto =3D IPPROTO_IPV6; else return NULL; - if (proto !=3D IPPROTO_IP) - fill_cmd(cmd, O_PROTO, 0, proto); + if (proto !=3D IPPROTO_IP && *proto !=3D IPPROTO_IPV6) + fill_cmd(cmd, O_PROTO, 0, *proto); return cmd; } =20 
@@ -2749,6 +3332,38 @@ return NULL; } =20 +static ipfw_insn * +add_src(ipfw_insn *cmd, char *av, u_char proto) +{ + struct in6_addr a; + if( proto =3D=3D IPPROTO_IPV6 || strcmp( av, "me6") =3D=3D 0 || i= net_pton(AF_INET6, av, &a )) + return add_srcip6(cmd, av); + + if (proto =3D=3D IPPROTO_IP || strcmp( av, "me") =3D=3D 0 || !inet_= pton(AF_INET6, av, &a ) )=20 + return add_srcip(cmd, av); + + if( !strcmp( av, "any") ) + return cmd;=20 + + return NULL; /* bad address */ +} + +static ipfw_insn * +add_dst(ipfw_insn *cmd, char *av, u_char proto) +{ + struct in6_addr a; + if( proto =3D=3D IPPROTO_IPV6 || strcmp( av, "me6") =3D=3D 0 || i= net_pton(AF_INET6, av, &a )) + return add_dstip6(cmd, av); + + if (proto =3D=3D IPPROTO_IP || strcmp( av, "me") =3D=3D 0 || !inet_= pton(AF_INET6, av, &a ) )=20 + return add_dstip(cmd, av); + + if( !strcmp( av, "any") ) + return cmd;=20 + + return NULL; /* bad address */ +} + /* * Parse arguments and assemble the microinstructions which make up a rule. * Rules are added into the 'rulebuf' and then copied in the correct order @@ -2772,7 +3387,7 @@ */ static uint32_t rulebuf[255], actbuf[255], cmdbuf[255]; =20 - ipfw_insn *src, *dst, *cmd, *action, *prev=3DNULL; + ipfw_insn *src, *dst, *cmd, *action, *prev=3DNULL, *retval=3DNULL; ipfw_insn *first_cmd; /* first match pattern */ =20 struct ip_fw *rule; @@ -3051,11 +3666,9 @@ OR_START(get_proto); NOT_BLOCK; NEED1("missing protocol"); - if (add_proto(cmd, *av)) { + if (add_proto(cmd, *av, &proto)) { av++; ac--; - if (F_LEN(cmd) =3D=3D 0) /* plain IP */ - proto =3D 0; - else { + if (F_LEN(cmd) !=3D 0) { /* plain IP */ proto =3D cmd->arg1; prev =3D cmd; cmd =3D next_cmd(cmd); 
@@ -3079,13 +3692,16 @@ OR_START(source_ip); NOT_BLOCK; /* optional "not" */ NEED1("missing source address"); - if (add_srcip(cmd, *av)) { + retval =3D add_src(cmd, *av, proto); + + if (retval) { ac--; av++; if (F_LEN(cmd) !=3D 0) { /* ! any */ prev =3D cmd; cmd =3D next_cmd(cmd); } - } + } else + errx(EX_USAGE, "bad source address %s", *av); OR_BLOCK(source_ip); =20 /* @@ -3114,13 +3730,16 @@ OR_START(dest_ip); NOT_BLOCK; /* optional "not" */ NEED1("missing dst address"); - if (add_dstip(cmd, *av)) { + retval =3D add_dst(cmd, *av, proto); + + if (retval) { ac--; av++; if (F_LEN(cmd) !=3D 0) { /* ! any */ prev =3D cmd; cmd =3D next_cmd(cmd); } - } + } else + errx( EX_USAGE, "bad destination address %s", *av); OR_BLOCK(dest_ip); =20 /* @@ -3226,6 +3845,12 @@ av++; ac--; break; =20 + case TOK_ICMP6TYPES: + NEED1("icmptypes requires list of types"); + fill_icmp6types((ipfw_insn_icmp6 *)cmd, *av); + av++; ac--; + break; + case TOK_IPTTL: NEED1("ipttl requires TTL"); if (strpbrk(*av, "-,")) { @@ -3418,8 +4043,9 @@ =20 case TOK_PROTO: NEED1("missing protocol"); - if (add_proto(cmd, *av)) { - proto =3D cmd->arg1; + if (add_proto(cmd, *av, &proto)) { + if ( proto =3D=3D IPPROTO_IPV6 ) + fill_cmd(cmd, O_IP6, 0, 0); ac--; av++; } else errx(EX_DATAERR, "invalid protocol ``%s''", @@ -3440,6 +4066,20 @@ } break; =20 + case TOK_SRCIP6: + NEED1("missing source IP6"); + if (add_srcip6(cmd, *av)) { + ac--; av++; + } + break; + + case TOK_DSTIP6: + NEED1("missing destination IP6"); + if (add_dstip6(cmd, *av)) { + ac--; av++; + } + break; + case TOK_SRCPORT: NEED1("missing source port"); if (!strncmp(*av, "any", strlen(*av)) || 
@@ -3493,6 +4133,24 @@ av +=3D ac; ac =3D 0; break; + + case TOK_IPV6: + fill_cmd(cmd, O_IP6, 0, 0); + ac--; av++; + break; + + case TOK_EXT6HDR: + fill_ext6hdr( cmd, *av ); + ac--; av++; + break; + + case TOK_FLOWID: + if (proto !=3D IPPROTO_IPV6 ) + errx( EX_USAGE, "flow-id filter is active only for ipv6 protocol\n"); + fill_flow6( (ipfw_insn_u32 *) cmd, *av ); + ac--;av++; + break; + =20 default: errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s); --- ../cleanup/sys/netinet/ip_dummynet.c Thu Aug 26 21:19:18 2004 +++ sys/netinet/ip_dummynet.c Fri Sep 3 13:37:35 2004 @@ -77,6 +77,9 @@ #include /* for struct arpcom */ #include =20 +#include /* for ip6_input, ip6_output prototypes */ +#include + /* * We keep a private variable for the simulation time, but we could * probably use an existing one ("softticks" in sys/kern/kern_timeout.c) @@ -461,6 +464,14 @@ ip_input(m) ; break ; =20 + case DN_TO_IP6_IN: + ip6_input(m) ; + break ; + + case DN_TO_IP6_OUT: + (void)ip6_output(m, NULL, NULL, pkt->flags, NULL, NULL, NULL); + break ; + case DN_TO_BDG_FWD : /* * The bridge requires/assumes the Ethernet header is 
@@ -898,36 +909,79 @@ { int i =3D 0 ; /* we need i and q for new allocations */ struct dn_flow_queue *q, *prev; + int is_v6 =3D IS_IP6_FLOW_ID(id); =20 if ( !(fs->flags_fs & DN_HAVE_FLOW_MASK) ) q =3D fs->rq[0] ; else { - /* first, do the masking */ - id->dst_ip &=3D fs->flow_mask.dst_ip ; - id->src_ip &=3D fs->flow_mask.src_ip ; + /* first, do the masking, then hash */ id->dst_port &=3D fs->flow_mask.dst_port ; id->src_port &=3D fs->flow_mask.src_port ; id->proto &=3D fs->flow_mask.proto ; id->flags =3D 0 ; /* we don't care about this one */ - /* then, hash function */ - i =3D ( (id->dst_ip) & 0xffff ) ^ - ( (id->dst_ip >> 15) & 0xffff ) ^ - ( (id->src_ip << 1) & 0xffff ) ^ - ( (id->src_ip >> 16 ) & 0xffff ) ^ - (id->dst_port << 1) ^ (id->src_port) ^ - (id->proto ); + if (is_v6) { + APPLY_MASK(&id->dst_ip6, &fs->flow_mask.dst_ip6); + APPLY_MASK(&id->src_ip6, &fs->flow_mask.src_ip6); + id->flow_id6 &=3D fs->flow_mask.flow_id6; + + i =3D ((id->dst_ip6.__u6_addr.__u6_addr32[0]) & 0xffff)^ + ((id->dst_ip6.__u6_addr.__u6_addr32[1]) & 0xffff)^ + ((id->dst_ip6.__u6_addr.__u6_addr32[2]) & 0xffff)^ + ((id->dst_ip6.__u6_addr.__u6_addr32[3]) & 0xffff)^ + + ((id->dst_ip6.__u6_addr.__u6_addr32[0] >> 15) & 0xffff)^ + ((id->dst_ip6.__u6_addr.__u6_addr32[1] >> 15) & 0xffff)^ + ((id->dst_ip6.__u6_addr.__u6_addr32[2] >> 15) & 0xffff)^ + ((id->dst_ip6.__u6_addr.__u6_addr32[3] >> 15) & 0xffff)^ + + ((id->src_ip6.__u6_addr.__u6_addr32[0] << 1) & 0xfffff)^ + ((id->src_ip6.__u6_addr.__u6_addr32[1] << 1) & 0xfffff)^ + ((id->src_ip6.__u6_addr.__u6_addr32[2] << 1) & 0xfffff)^ + ((id->src_ip6.__u6_addr.__u6_addr32[3] << 1) & 0xfffff)^ + + ((id->src_ip6.__u6_addr.__u6_addr32[0] << 16) & 0xffff)^ + ((id->src_ip6.__u6_addr.__u6_addr32[1] << 16) & 0xffff)^ + ((id->src_ip6.__u6_addr.__u6_addr32[2] << 16) & 0xffff)^ + ((id->src_ip6.__u6_addr.__u6_addr32[3] << 16) & 0xffff)^ + + (id->dst_port << 1) ^ (id->src_port) ^ + (id->proto ) ^ + (id->flow_id6); + } else { + id->dst_ip &=3D 
fs->flow_mask.dst_ip ; + id->src_ip &=3D fs->flow_mask.src_ip ; + + i =3D ( (id->dst_ip) & 0xffff ) ^ + ( (id->dst_ip >> 15) & 0xffff ) ^ + ( (id->src_ip << 1) & 0xffff ) ^ + ( (id->src_ip >> 16 ) & 0xffff ) ^ + (id->dst_port << 1) ^ (id->src_port) ^ + (id->proto ); + } i =3D i % fs->rq_size ; /* finally, scan the current list for a match */ searches++ ; for (prev=3DNULL, q =3D fs->rq[i] ; q ; ) { search_steps++; - if (id->dst_ip =3D=3D q->id.dst_ip && + if (is_v6 && + IN6_ARE_ADDR_EQUAL(&id->dst_ip6,&q->id.dst_ip6) && =20 + IN6_ARE_ADDR_EQUAL(&id->src_ip6,&q->id.src_ip6) && =20 + id->dst_port =3D=3D q->id.dst_port && + id->src_port =3D=3D q->id.src_port && + id->proto =3D=3D q->id.proto && + id->flags =3D=3D q->id.flags && + id->flow_id6 =3D=3D q->id.flow_id6) + break ; /* found */ + + if (!is_v6 && id->dst_ip =3D=3D q->id.dst_ip && id->src_ip =3D=3D q->id.src_ip && id->dst_port =3D=3D q->id.dst_port && id->src_port =3D=3D q->id.src_port && id->proto =3D=3D q->id.proto && id->flags =3D=3D q->id.flags) break ; /* found */ + + /* No match. Check if we can expire the entry */ else if (pipe_expire && q->head =3D=3D NULL && q->S =3D=3D q->F+1 ) { /* entry is idle and not in any heap, expire it */ struct dn_flow_queue *old_q =3D q ; @@ -1065,7 +1119,7 @@ { #if IPFW2 struct dn_flow_set *fs; - ipfw_insn *cmd =3D rule->cmd + rule->act_ofs; + ipfw_insn *cmd =3D ACTION_PTR(rule); =20 if (cmd->opcode =3D=3D O_LOG) cmd +=3D F_LEN(cmd); @@ -1132,7 +1186,7 @@ struct dn_flow_queue *q =3D NULL ; int is_pipe; #if IPFW2 - ipfw_insn *cmd =3D fwa->rule->cmd + fwa->rule->act_ofs; + ipfw_insn *cmd =3D ACTION_PTR(fwa->rule); #endif =20 KASSERT(m->m_nextpkt =3D=3D NULL, @@ -1202,8 +1256,9 @@ pkt->dn_dir =3D dir ; =20 pkt->ifp =3D fwa->oif; - if (dir =3D=3D DN_TO_IP_OUT) + if (dir =3D=3D DN_TO_IP_OUT || dir =3D=3D DN_TO_IP6_OUT) pkt->flags =3D fwa->flags; + if (q->head =3D=3D NULL) q->head =3D m; else 
@@ -1372,7 +1427,7 @@ * remove references from all ipfw rules to all pipes. */ static void -dummynet_flush() +dummynet_flush(void) { struct dn_pipe *curr_p, *p ; struct dn_flow_set *fs, *curr_fs; @@ -2017,7 +2072,7 @@ ip_dn_init(void) { if (bootverbose) - printf("DUMMYNET initialized (011031)\n"); + printf("DUMMYNET with IPv6 initialized (040826)\n"); =20 DUMMYNET_LOCK_INIT(); =20 --- ../cleanup/sys/netinet/ip_dummynet.h Thu Aug 26 21:19:18 2004 +++ sys/netinet/ip_dummynet.h Fri Aug 27 13:12:06 2004 @@ -124,10 +124,13 @@ #define DN_TO_BDG_FWD 3 #define DN_TO_ETH_DEMUX 4 #define DN_TO_ETH_OUT 5 +#define DN_TO_IP6_IN 6 +#define DN_TO_IP6_OUT 7 =20 dn_key output_time; /* when the pkt is due for delivery */ struct ifnet *ifp; /* interface, for ip_output */ int flags ; /* flags, for ip_output (IPv6 ?) */ + struct _ip6dn_args ip6opt; /* XXX ipv6 options */ }; #endif /* _KERNEL */ =20 --- ../cleanup/sys/netinet/ip_fw.h Thu Aug 26 21:19:19 2004 +++ sys/netinet/ip_fw.h Fri Aug 27 13:12:06 2004 @@ -134,11 +134,31 @@ O_IP_DST_LOOKUP, /* arg1=3Dtable number, u32=3Dvalue */ O_ANTISPOOF, /* none */ O_JAIL, /* u32 =3D id */ + O_IP6_SRC, /* address without mask */ + O_IP6_SRC_ME, /* my addresses */ + O_IP6_SRC_MASK, /* address with the mask */ + O_IP6_DST, + O_IP6_DST_ME, + O_IP6_DST_MASK, + O_FLOW6ID, /* for flow id tag in the ipv6 pkt */ + O_ICMP6TYPE, /* icmp6 packet type filtering */ + O_EXT_HDR, /* filtering for ipv6 extension header */ + O_IP6, =20 O_LAST_OPCODE /* not an opcode! */ }; =20 /* + * The extension header are filtered only for presence using a bit + * vector with a flag for each header. + */ +#define EXT_FRAGMENT 0x1 +#define EXT_HOPOPTS 0x2 +#define EXT_ROUTING 0x4 +#define EXT_AH 0x8 +#define EXT_ESP 0x10 + +/* * Template for instructions. * * ipfw_insn is used for all instructions which require no operands, 
@@ -274,6 +294,30 @@ u_int32_t log_left; /* how many left to log */ } ipfw_insn_log; =20 +/* Apply ipv6 mask on ipv6 addr */ +#define APPLY_MASK(addr,mask) \ + (addr)->__u6_addr.__u6_addr32[0] &=3D (mask)->__u6_addr.__u6_addr32[0]= ; \ + (addr)->__u6_addr.__u6_addr32[1] &=3D (mask)->__u6_addr.__u6_addr32[1]= ; \ + (addr)->__u6_addr.__u6_addr32[2] &=3D (mask)->__u6_addr.__u6_addr32[2]= ; \ + (addr)->__u6_addr.__u6_addr32[3] &=3D (mask)->__u6_addr.__u6_addr32[3]; + +/* Structure for ipv6 */ +typedef struct _ipfw_insn_ip6 { + ipfw_insn o; + struct in6_addr addr6; + struct in6_addr mask6; +} ipfw_insn_ip6; + +/* Used to support icmp6 types */ +typedef struct _ipfw_insn_icmp6 { + ipfw_insn o; + uint32_t d[7]; /* XXX This number si related to the netinet/icmp6.h + * define ICMP6_MAXTYPE + * as follows: n =3D ICMP6_MAXTYPE/32 + 1 + * Actually is 203=20 + */ +} ipfw_insn_icmp6; + /* * Here we have the structure representing an ipfw rule. * @@ -336,8 +380,14 @@ u_int16_t src_port; u_int8_t proto; u_int8_t flags; /* protocol-specific flags */ + uint8_t addr_type; /* 4 =3D ipv4, 6 =3D ipv6, 1=3Dether ? */ + struct in6_addr dst_ip6; /* could also store MAC addr! */ + struct in6_addr src_ip6; + u_int32_t flow_id6; }; =20 +#define IS_IP6_FLOW_ID(id) ((id)->addr_type =3D=3D 6) + /* * Dynamic ipfw rule. */ @@ -410,6 +460,21 @@ #define IP_FW_PORT_DENY_FLAG 0x40000 =20 /* + * Structure for collecting parameters to dummynet for ip6_output forwardi= ng + */ +struct _ip6dn_args { + struct ip6_pktopts *opt_or; + struct route_in6 ro_or; + int flags_or; + struct ip6_moptions *im6o_or; + struct ifnet *origifp_or; + struct ifnet *ifp_or; + struct sockaddr_in6 dst_or; + u_long mtu_or; + struct route_in6 ro_pmtu_or; +}; + +/* * Arguments for calling ipfw_chk() and dummynet_io(). We put them * all into a structure because this way it is easier and more * efficient to pass variables around and extend the interface. 
@@ -425,6 +490,8 @@ =20 struct ipfw_flow_id f_id; /* grabbed from IP header */ u_int32_t retval; + + struct _ip6dn_args dummypar; /* dummynet->ip6_output */ }; =20 /* --- ../cleanup/sys/netinet/ip_fw2.c Thu Aug 26 21:19:21 2004 +++ sys/netinet/ip_fw2.c Thu Sep 2 20:22:12 2004 @@ -82,6 +82,9 @@ #include #endif =20 +#include +#include + #include /* XXX for ETHERTYPE_IP */ =20 #include /* XXX for in_cksum */ @@ -277,14 +280,19 @@ =20 =20 /* - * This macro maps an ip pointer into a layer3 header pointer of type T + * L3HDR maps an ipv4 pointer into a layer3 header pointer of type T + * Other macros just cast void * into the appropriate type */ -#define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl)) +#define L3HDR(T, ip) ((T *)((u_int32_t *)(ip) + (ip)->ip_hl)) +#define TCP(p) ((struct tcphdr *)(p)) +#define UDP(p) ((struct udphdr *)(p)) +#define ICMP(p) ((struct icmp *)(p)) +#define ICMP6(p) ((struct icmp6_hdr *)(p)) =20 static __inline int -icmptype_match(struct ip *ip, ipfw_insn_u32 *cmd) +icmptype_match(struct icmp *icmp, ipfw_insn_u32 *cmd) { - int type =3D L3HDR(struct icmp,ip)->icmp_type; + int type =3D icmp->icmp_type; =20 return (type <=3D ICMP_MAXTYPE && (cmd->d[0] & (1<icmp_type; + int type =3D icmp->icmp_type; + return (type <=3D ICMP_MAXTYPE && (TT & (1<th_off << 2) - sizeof(struct tcphdr); =20 
@@ -515,6 +523,83 @@ return 1; } =20 +/* + * ipv6 specific rules here... + */ +static __inline int +icmp6type_match (int type, ipfw_insn_u32 *cmd) +{ + return (type <=3D ICMP6_MAXTYPE && (cmd->d[type/32] & (1<<(type%32)= ) ) ); +} + +static int +flow6id_match( int curr_flow, ipfw_insn_u32 *cmd ) +{ + int i; + for (i=3D0; i <=3D cmd->o.arg1; ++i ) + if (curr_flow =3D=3D cmd->d[i] ) + return 1; + return 0; +} + +/* support for IP6_*_ME opcodes */ +static int +search_ip6_addr_net (struct in6_addr * ip6_addr) +{ + struct ifnet *mdc; + struct ifaddr *mdc2; + struct in6_ifaddr *fdm; + struct in6_addr copia; + + TAILQ_FOREACH(mdc, &ifnet, if_link) + for (mdc2 =3D mdc->if_addrlist.tqh_first; mdc2; + mdc2 =3D mdc2->ifa_list.tqe_next) { + if (!mdc2->ifa_addr) + continue; + if (mdc2->ifa_addr->sa_family =3D=3D AF_INET6) { + fdm =3D (struct in6_ifaddr *)mdc2; + copia =3D fdm->ia_addr.sin6_addr; + /* need for leaving scope_id in the sock_ad= dr */ + in6_clearscope(&copia); + if (IN6_ARE_ADDR_EQUAL(ip6_addr, &copia)) + return 1; + } + } + return 0; +} + +static int +verify_rev_path6(struct in6_addr *src, struct ifnet *ifp) +{ + static struct route_in6 ro; + struct sockaddr_in6 *dst; + + dst =3D (struct sockaddr_in6 * )&(ro.ro_dst); + + if ( !(IN6_ARE_ADDR_EQUAL (src, &dst->sin6_addr) )) { + bzero(dst, sizeof(*dst)); + dst->sin6_family =3D AF_INET6; + dst->sin6_len =3D sizeof(*dst); + dst->sin6_addr =3D *src; + rtalloc_ign((struct route *)&ro, RTF_CLONING); + } + if ((ro.ro_rt =3D=3D NULL) || (ifp =3D=3D NULL) || + (ro.ro_rt->rt_ifp->if_index !=3D ifp->if_index)) + return 0; + return 1; +} +static __inline int +hash_packet6(struct ipfw_flow_id *id) +{ + u_int32_t i; + i=3D (id->dst_ip6.__u6_addr.__u6_addr32[0]) ^ + (id->dst_ip6.__u6_addr.__u6_addr32[1]) ^ + (id->dst_ip6.__u6_addr.__u6_addr32[2]) ^ + (id->dst_ip6.__u6_addr.__u6_addr32[3]) ^ + (id->dst_port) ^ (id->src_port) ^ (id->flow_id6); + return i; +} +/* end of ipv6 opcodes */ =20 static u_int64_t norule_counter; /* counter 
for ipfw_log(NULL...) */ =20 @@ -718,7 +803,8 @@ { u_int32_t i; =20 - i =3D (id->dst_ip) ^ (id->src_ip) ^ (id->dst_port) ^ (id->src_port); + i =3D IS_IP6_FLOW_ID(id) ? hash_packet6(id): + (id->dst_ip) ^ (id->src_ip) ^ (id->dst_port) ^ (id->src_port); i &=3D (curr_dyn_buckets - 1); return i; } @@ -857,19 +943,40 @@ } if (pkt->proto =3D=3D q->id.proto && q->dyn_type !=3D O_LIMIT_PARENT) { - if (pkt->src_ip =3D=3D q->id.src_ip && - pkt->dst_ip =3D=3D q->id.dst_ip && + if (IS_IP6_FLOW_ID(pkt)) { + if (IN6_ARE_ADDR_EQUAL(&(pkt->src_ip6), + &(q->id.src_ip6)) && + IN6_ARE_ADDR_EQUAL(&(pkt->dst_ip6), + &(q->id.dst_ip6)) && pkt->src_port =3D=3D q->id.src_port && pkt->dst_port =3D=3D q->id.dst_port ) { dir =3D MATCH_FORWARD; break; - } - if (pkt->src_ip =3D=3D q->id.dst_ip && - pkt->dst_ip =3D=3D q->id.src_ip && - pkt->src_port =3D=3D q->id.dst_port && - pkt->dst_port =3D=3D q->id.src_port ) { - dir =3D MATCH_REVERSE; - break; + } + if (IN6_ARE_ADDR_EQUAL(&(pkt->src_ip6), + &(q->id.dst_ip6)) && + IN6_ARE_ADDR_EQUAL(&(pkt->dst_ip6), + &(q->id.src_ip6)) && + pkt->src_port =3D=3D q->id.dst_port && + pkt->dst_port =3D=3D q->id.src_port ) { + dir =3D MATCH_REVERSE; + break; + } + } else { + if (pkt->src_ip =3D=3D q->id.src_ip && + pkt->dst_ip =3D=3D q->id.dst_ip && + pkt->src_port =3D=3D q->id.src_port && + pkt->dst_port =3D=3D q->id.dst_port ) { + dir =3D MATCH_FORWARD; + break; + } + if (pkt->src_ip =3D=3D q->id.dst_ip && + pkt->dst_ip =3D=3D q->id.src_ip && + pkt->src_port =3D=3D q->id.dst_port && + pkt->dst_port =3D=3D q->id.src_port ) { + dir =3D MATCH_REVERSE; + break; + } } } next: 
@@ -1067,15 +1174,25 @@ IPFW_DYN_LOCK_ASSERT(); =20 if (ipfw_dyn_v) { + int is_v6 =3D IS_IP6_FLOW_ID(pkt); i =3D hash_packet( pkt ); for (q =3D ipfw_dyn_v[i] ; q !=3D NULL ; q=3Dq->next) if (q->dyn_type =3D=3D O_LIMIT_PARENT && rule=3D=3D q->rule && pkt->proto =3D=3D q->id.proto && - pkt->src_ip =3D=3D q->id.src_ip && - pkt->dst_ip =3D=3D q->id.dst_ip && pkt->src_port =3D=3D q->id.src_port && - pkt->dst_port =3D=3D q->id.dst_port) { + pkt->dst_port =3D=3D q->id.dst_port && + ( + (is_v6 && + IN6_ARE_ADDR_EQUAL(&(pkt->src_ip6), + &(q->id.src_ip6)) && + IN6_ARE_ADDR_EQUAL(&(pkt->dst_ip6), + &(q->id.dst_ip6))) || + (!is_v6 && + pkt->src_ip =3D=3D q->id.src_ip && + pkt->dst_ip =3D=3D q->id.dst_ip) + ) + ) { q->expire =3D time_second + dyn_short_lifetime; DEB(printf("ipfw: lookup_dyn_parent found 0x%p\n",q);) return q; @@ -1149,10 +1266,17 @@ id.dst_port =3D id.src_port =3D 0; id.proto =3D args->f_id.proto; =20 - if (limit_mask & DYN_SRC_ADDR) - id.src_ip =3D args->f_id.src_ip; - if (limit_mask & DYN_DST_ADDR) - id.dst_ip =3D args->f_id.dst_ip; + if (IS_IP6_FLOW_ID (&(args->f_id))) { + if (limit_mask & DYN_SRC_ADDR) + id.src_ip6 =3D args->f_id.src_ip6; + if (limit_mask & DYN_DST_ADDR) + id.dst_ip6 =3D args->f_id.dst_ip6; + } else { + if (limit_mask & DYN_SRC_ADDR) + id.src_ip =3D args->f_id.src_ip; + if (limit_mask & DYN_DST_ADDR) + id.dst_ip =3D args->f_id.dst_ip; + } if (limit_mask & DYN_SRC_PORT) id.src_port =3D args->f_id.src_port; if (limit_mask & DYN_DST_PORT) 
@@ -1730,97 +1854,192 @@ struct in_addr src_ip, dst_ip; /* NOTE: network format */ u_int16_t ip_len=3D0; int pktlen; + /* + * dyn_dir =3D MATCH_UNKNOWN when rules unchecked, + * MATCH_NONE when checked and not matched (q =3D NULL), + * MATCH_FORWARD or MATCH_REVERSE otherwise (q !=3D NULL) + */ int dyn_dir =3D MATCH_UNKNOWN; ipfw_dyn_rule *q =3D NULL; struct ip_fw_chain *chain =3D &layer3_chain; struct m_tag *mtag; + /* + * We store in ulp a pointer to the upper layer protocol header. + * In the ipv4 case this is easy to determine from the header, + * but for ipv6 we might have some additional headers in the + * middle. ulp is NULL if not found. + */ + void *ulp =3D NULL; /* upper layer protocol pointer. */ + /* XXX ipv6 variables */ + int is_ipv6 =3D 0; + u_int16_t ext_hd =3D 0; /* bits vector for extension header filtering */ + /* end of ipv6 variables */ =20 if (m->m_flags & M_SKIP_FIREWALL) return 0; /* accept */ - /* - * dyn_dir =3D MATCH_UNKNOWN when rules unchecked, - * MATCH_NONE when checked and not matched (q =3D NULL), - * MATCH_FORWARD or MATCH_REVERSE otherwise (q !=3D NULL) - */ - pktlen =3D m->m_pkthdr.len; - if (args->eh =3D=3D NULL || /* layer 3 packet */ - ( m->m_pkthdr.len >=3D sizeof(struct ip) && - ntohs(args->eh->ether_type) =3D=3D ETHERTYPE_IP)) - hlen =3D ip->ip_hl << 2; + proto =3D args->f_id.proto =3D 0; /* mark f_id invalid */ =20 - /* - * Collect parameters into local variables for faster matching. - */ - if (hlen =3D=3D 0) { /* do not grab addresses for non-ip pkts */ - proto =3D args->f_id.proto =3D 0; /* mark f_id invalid */ - goto after_ip_checks; - } + /* Identify ipv6 packets and fill up variables. 
*/ + if (pktlen >=3D sizeof(struct ip6_hdr) && + (!args->eh || ntohs(args->eh->ether_type)=3D=3DETHERTYPE_IPV6) && + mtod(m, struct ip *)->ip_v =3D=3D 6) { + is_ipv6 =3D 1; + args->f_id.addr_type =3D 6; + hlen =3D sizeof(struct ip6_hdr); + proto =3D mtod(m, struct ip6_hdr *)->ip6_nxt; =20 - proto =3D args->f_id.proto =3D ip->ip_p; - src_ip =3D ip->ip_src; - dst_ip =3D ip->ip_dst; - if (args->eh !=3D NULL) { /* layer 2 packets are as on the wire */ - offset =3D ntohs(ip->ip_off) & IP_OFFMASK; - ip_len =3D ntohs(ip->ip_len); - } else { - offset =3D ip->ip_off & IP_OFFMASK; - ip_len =3D ip->ip_len; - } - pktlen =3D ip_len < pktlen ? ip_len : pktlen; + /* + * PULLUP6(len, p, T) makes sure that len + sizeof(T) is + * contiguous, then it sets p to point at the offset "len" in + * the mbuf. WARNING: the pointer might become stale after + * other pullups (but we never use it this way). + */ +#define PULLUP6(len, p, T) \ + do { \ + int x =3D (len) + sizeof(T); \ + if ((m)->m_len < x) { \ + args->m =3D m =3D m_pullup(m, x); \ + if (m =3D=3D 0) \ + goto pullup_failed; \ + } \ + p =3D (mtod(m, char *) + (len)); \ + } while (0) + + /* Search extension headers to find upper layer protocols */ + while (ulp =3D=3D NULL) { + switch (proto) { + case IPPROTO_ICMPV6: + PULLUP6(hlen, ulp, struct icmp6_hdr); + args->f_id.flags =3D ICMP6(ulp)->icmp6_type; + break; + + case IPPROTO_TCP: + PULLUP6(hlen, ulp, struct tcphdr); + dst_port =3D TCP(ulp)->th_dport; + src_port =3D TCP(ulp)->th_sport; + args->f_id.flags =3D TCP(ulp)->th_flags; + break; + + case IPPROTO_UDP: + PULLUP6(hlen, ulp, struct udphdr); + dst_port =3D UDP(ulp)->uh_dport; + src_port =3D UDP(ulp)->uh_sport; + break; + + case IPPROTO_HOPOPTS: + PULLUP6(hlen, ulp, struct ip6_hbh); + ext_hd |=3D EXT_HOPOPTS; + hlen +=3D sizeof(struct ip6_hbh); + proto =3D ((struct ip6_hbh *)ulp)->ip6h_nxt; + ulp =3D NULL; + break; + + case IPPROTO_ROUTING: + PULLUP6(hlen, ulp, struct ip6_rthdr); + ext_hd |=3D EXT_ROUTING; + hlen +=3D 
sizeof(struct ip6_rthdr); + proto =3D ((struct ip6_rthdr *)ulp)->ip6r_nxt; + ulp =3D NULL; + break; + + case IPPROTO_FRAGMENT: + PULLUP6(hlen, ulp, struct ip6_frag); + ext_hd |=3D EXT_FRAGMENT; + hlen +=3D sizeof (struct ip6_frag); + proto =3D ((struct ip6_frag *)ulp)->ip6f_nxt; + offset =3D 1; + ulp =3D NULL; /* XXX is it correct ? */ + break; + + case IPPROTO_AH: + case IPPROTO_NONE: + case IPPROTO_ESP: + PULLUP6(hlen, ulp, struct ip6_ext); + if (proto =3D=3D IPPROTO_AH) + ext_hd |=3D EXT_AH; + else if (proto =3D=3D IPPROTO_ESP) + ext_hd |=3D EXT_ESP; + hlen +=3D ((struct ip6_ext *)ulp)->ip6e_len + + sizeof (struct ip6_ext); + proto =3D ((struct ip6_ext *)ulp)->ip6e_nxt; + ulp =3D NULL; + break; =20 -#define PULLUP_TO(len) \ - do { \ - if ((m)->m_len < (len)) { \ - args->m =3D m =3D m_pullup(m, (len)); \ - if (m =3D=3D 0) \ - goto pullup_failed; \ - ip =3D mtod(m, struct ip *); \ - } \ - } while (0) + default: + printf( "IPFW2: IPV6 - Unknown Extension Header (%d)\n", + proto); + return 0; /* deny */ + break; + } /*switch */ + } + args->f_id.src_ip6 =3D mtod(m,struct ip6_hdr *)->ip6_src; + args->f_id.dst_ip6 =3D mtod(m,struct ip6_hdr *)->ip6_dst; + args->f_id.src_ip =3D 0; + args->f_id.dst_ip =3D 0; + args->f_id.flow_id6 =3D ntohs(mtod(m, struct ip6_hdr *)->ip6_flow); + /* hlen !=3D 0 is used to detect ipv4 packets, so clear it now */ + hlen =3D 0; + } else if (pktlen >=3D sizeof(struct ip) && + (!args->eh || ntohs(args->eh->ether_type) =3D=3D ETHERTYPE_IP) && + mtod(m, struct ip *)->ip_v =3D=3D 4) { + ip =3D mtod(m, struct ip *); + hlen =3D ip->ip_hl << 2; + args->f_id.addr_type =3D 4; =20 - if (offset =3D=3D 0) { - switch (proto) { - case IPPROTO_TCP: - { - struct tcphdr *tcp; + /* + * Collect parameters into local variables for faster matching. 
+ */ =20 - PULLUP_TO(hlen + sizeof(struct tcphdr)); - tcp =3D L3HDR(struct tcphdr, ip); - dst_port =3D tcp->th_dport; - src_port =3D tcp->th_sport; - args->f_id.flags =3D tcp->th_flags; - } - break; + proto =3D ip->ip_p; + src_ip =3D ip->ip_src; + dst_ip =3D ip->ip_dst; + if (args->eh !=3D NULL) { /* layer 2 packets are as on the wire */ + offset =3D ntohs(ip->ip_off) & IP_OFFMASK; + ip_len =3D ntohs(ip->ip_len); + } else { + offset =3D ip->ip_off & IP_OFFMASK; + ip_len =3D ip->ip_len; + } + pktlen =3D ip_len < pktlen ? ip_len : pktlen; =20 - case IPPROTO_UDP: - { - struct udphdr *udp; + if (offset =3D=3D 0) { + switch (proto) { + case IPPROTO_TCP: + PULLUP6(hlen, ulp, struct tcphdr); + dst_port =3D TCP(ulp)->th_dport; + src_port =3D TCP(ulp)->th_sport; + args->f_id.flags =3D TCP(ulp)->th_flags; + break; =20 - PULLUP_TO(hlen + sizeof(struct udphdr)); - udp =3D L3HDR(struct udphdr, ip); - dst_port =3D udp->uh_dport; - src_port =3D udp->uh_sport; - } - break; + case IPPROTO_UDP: + PULLUP6(hlen, ulp, struct udphdr); + dst_port =3D UDP(ulp)->uh_dport; + src_port =3D UDP(ulp)->uh_sport; + break; =20 - case IPPROTO_ICMP: - PULLUP_TO(hlen + 4); /* type, code and checksum. 
*/ - args->f_id.flags =3D L3HDR(struct icmp, ip)->icmp_type; - break; + case IPPROTO_ICMP: + /* + * we only care for 4 bytes: type, code, + * checksum + */ + PULLUP6(hlen, ulp, struct icmp); + args->f_id.flags =3D ICMP(ulp)->icmp_type; + break; =20 - default: - break; + default: + break; + } } -#undef PULLUP_TO - } - - args->f_id.src_ip =3D ntohl(src_ip.s_addr); - args->f_id.dst_ip =3D ntohl(dst_ip.s_addr); - args->f_id.src_port =3D src_port =3D ntohs(src_port); - args->f_id.dst_port =3D dst_port =3D ntohs(dst_port); =20 -after_ip_checks: + args->f_id.src_ip =3D ntohl(src_ip.s_addr); + args->f_id.dst_ip =3D ntohl(dst_ip.s_addr); + } + if (proto) { /* we may have port numbers, store them */ + args->f_id.proto =3D proto; + args->f_id.src_port =3D src_port =3D ntohs(src_port); + args->f_id.dst_port =3D dst_port =3D ntohs(dst_port); + } IPFW_LOCK(chain); /* XXX expensive? can we run lock free? */ mtag =3D m_tag_find(m, PACKET_TAG_DIVERT, NULL); if (args->rule) { @@ -1926,11 +2145,13 @@ case O_JAIL: /* * We only check offset =3D=3D 0 && proto !=3D 0, - * as this ensures that we have an IPv4 + * as this ensures that we have a * packet with the ports info. */ if (offset!=3D0) break; + if (is_ipv6) /* XXX to be fixed later */ + break; if (proto =3D=3D IPPROTO_TCP || proto =3D=3D IPPROTO_UDP) match =3D check_uidgid( @@ -1985,7 +2206,7 @@ break; =20 case O_FRAG: - match =3D (hlen > 0 && offset !=3D 0); + match =3D (offset !=3D 0); break; =20 case O_IN: /* "out" is "not in" */ @@ -2087,7 +2308,7 @@ case O_IP_DSTPORT: /* * offset =3D=3D 0 && proto !=3D 0 is enough - * to guarantee that we have an IPv4 + * to guarantee that we have a * packet with port info. */ if ((proto=3D=3DIPPROTO_UDP || proto=3D=3DIPPROTO_TCP) 
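Review bot: in the IPv6 extension-header walk of the ipfw_chk hunk (@@ -1730,97 +1854,192 @@), the IPPROTO_HOPOPTS and IPPROTO_ROUTING cases advance hlen by sizeof(struct ip6_hbh) and sizeof(struct ip6_rthdr) (4 bytes each) and ignore the header's own length field, so every header after them is parsed at the wrong offset; the real lengths are (ip6h_len + 1) * 8 and (ip6r_len + 1) * 8 bytes. The IPPROTO_AH/IPPROTO_NONE/IPPROTO_ESP case has the same class of problem: `hlen += ((struct ip6_ext *)ulp)->ip6e_len + sizeof (struct ip6_ext)` treats ip6e_len as a byte count, whereas for AH it is in 4-byte units minus 2 ((ip6e_len + 2) * 4), and ESP has no next-header field in its leading bytes at all (it sits in the trailer), so the walk should stop at ESP (leave ulp pointing at it with proto still IPPROTO_ESP) instead of reading the SPI as a protocol number. Two further points in the same hunk: the removed `pktlen = m->m_pkthdr.len;` has no replacement before pktlen is compared against sizeof(struct ip6_hdr), so unless it is assigned earlier in the function it is read uninitialized; and the IPPROTO_FRAGMENT case sets `offset = 1` for every packet carrying a fragment header and then keeps walking (`ulp = NULL; /* XXX is it correct ? */`), which means a non-first fragment has its payload pulled up and read as a TCP/UDP header into f_id ports and flags, while the first fragment, the one that does carry the transport header, can no longer match any port opcode (they all require offset == 0); testing ip6f_offlg and stopping the walk for non-first fragments fixes both. Finally, IPPROTO_DSTOPTS is a standard extension header that currently lands in the default case and is denied, and that `printf("IPFW2: IPV6 - Unknown Extension Header ...")` runs once per packet from the forwarding path with no rate limit, so it should at least go through a throttled log path.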
@@ -2107,15 +2328,25 @@ =20 case O_ICMPTYPE: match =3D (offset =3D=3D 0 && proto=3D=3DIPPROTO_ICMP && - icmptype_match(ip, (ipfw_insn_u32 *)cmd) ); + icmptype_match(ICMP(ulp), (ipfw_insn_u32 *)cmd) ); + break; + + case O_ICMP6TYPE: + match =3D is_ipv6 && offset =3D=3D 0 && + proto=3D=3DIPPROTO_ICMPV6 && + icmp6type_match( + ICMP6(ulp)->icmp6_type, + (ipfw_insn_u32 *)cmd); break; =20 case O_IPOPT: - match =3D (hlen > 0 && ipopts_match(ip, cmd) ); + match =3D (hlen > 0 && + ipopts_match(mtod(m, struct ip *), cmd) ); break; =20 case O_IPVER: - match =3D (hlen > 0 && cmd->arg1 =3D=3D ip->ip_v); + match =3D (hlen > 0 && + cmd->arg1 =3D=3D mtod(m, struct ip *)->ip_v); break; =20 case O_IPID: @@ -2129,9 +2360,9 @@ if (cmd->opcode =3D=3D O_IPLEN) x =3D ip_len; else if (cmd->opcode =3D=3D O_IPTTL) - x =3D ip->ip_ttl; + x =3D mtod(m, struct ip *)->ip_ttl; else /* must be IPID */ - x =3D ntohs(ip->ip_id); + x =3D ntohs(mtod(m, struct ip *)->ip_id); if (cmdlen =3D=3D 1) { match =3D (cmd->arg1 =3D=3D x); break; 
@@ -2146,48 +2377,46 @@ =20 case O_IPPRECEDENCE: match =3D (hlen > 0 && - (cmd->arg1 =3D=3D (ip->ip_tos & 0xe0)) ); + (cmd->arg1 =3D=3D (mtod(m, struct ip *)->ip_tos & 0xe0)) ); break; =20 case O_IPTOS: match =3D (hlen > 0 && - flags_match(cmd, ip->ip_tos)); + flags_match(cmd, mtod(m, struct ip *)->ip_tos)); break; =20 case O_TCPFLAGS: match =3D (proto =3D=3D IPPROTO_TCP && offset =3D=3D 0 && - flags_match(cmd, - L3HDR(struct tcphdr,ip)->th_flags)); + flags_match(cmd, TCP(ulp)->th_flags)); break; =20 case O_TCPOPTS: match =3D (proto =3D=3D IPPROTO_TCP && offset =3D=3D 0 && - tcpopts_match(ip, cmd)); + tcpopts_match(TCP(ulp), cmd)); break; =20 case O_TCPSEQ: match =3D (proto =3D=3D IPPROTO_TCP && offset =3D=3D 0 && ((ipfw_insn_u32 *)cmd)->d[0] =3D=3D - L3HDR(struct tcphdr,ip)->th_seq); + TCP(ulp)->th_seq); break; =20 case O_TCPACK: match =3D (proto =3D=3D IPPROTO_TCP && offset =3D=3D 0 && ((ipfw_insn_u32 *)cmd)->d[0] =3D=3D - L3HDR(struct tcphdr,ip)->th_ack); + TCP(ulp)->th_ack); break; =20 case O_TCPWIN: match =3D (proto =3D=3D IPPROTO_TCP && offset =3D=3D 0 && - cmd->arg1 =3D=3D - L3HDR(struct tcphdr,ip)->th_win); + cmd->arg1 =3D=3D TCP(ulp)->th_win); break; =20 case O_ESTAB: /* reject packets which have SYN only */ /* XXX should i also check for TH_ACK ? */ match =3D (proto =3D=3D IPPROTO_TCP && offset =3D=3D 0 && - (L3HDR(struct tcphdr,ip)->th_flags & + ( TCP(ulp)->th_flags & (TH_RST | TH_ACK | TH_SYN)) !=3D TH_SYN); break; =20 @@ -2203,8 +2432,12 @@ =20 case O_VERREVPATH: /* Outgoing packets automatically pass/match */ - match =3D (hlen > 0 && ((oif !=3D NULL) || + /* XXX BED: verify_path was verify_rev_path in the diff... */ + match =3D ((oif !=3D NULL) || (m->m_pkthdr.rcvif =3D=3D NULL) || + (is_ipv6 ? + verify_rev_path6(&(args->f_id.src_ip6), + m->m_pkthdr.rcvif) : verify_path(src_ip, m->m_pkthdr.rcvif))); break; =20 
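Review bot: in the O_VERREVPATH hunk (@@ -2203,8 +2432,12 @@), dropping the `hlen > 0 &&` guard means a packet that is neither IPv4 nor IPv6 (hlen == 0 and is_ipv6 == 0, which the layer-2 path can deliver) now reaches verify_path(src_ip, m->m_pkthdr.rcvif) with src_ip never assigned in this function; keep the match gated on `(hlen > 0 || is_ipv6)`. The `/* XXX BED: verify_path was verify_rev_path in the diff... */` comment should also be resolved before commit: the v6 branch calls verify_rev_path6() and the v4 branch verify_path(), and the two names suggest different semantics for what is supposed to be one opcode.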
@@ -2235,6 +2468,60 @@ /* otherwise no match */ break; =20 + case O_IP6_SRC: + match =3D is_ipv6 && + IN6_ARE_ADDR_EQUAL(&args->f_id.src_ip6, + &((ipfw_insn_ip6 *)cmd)->addr6); + break; + + case O_IP6_DST: + match =3D is_ipv6 && + IN6_ARE_ADDR_EQUAL(&args->f_id.dst_ip6, + &((ipfw_insn_ip6 *)cmd)->addr6); + break; + case O_IP6_SRC_MASK: + if (is_ipv6) { + ipfw_insn_ip6 *te =3D (ipfw_insn_ip6 *)cmd; + struct in6_addr p =3D args->f_id.src_ip6; + + APPLY_MASK(&p, &te->mask6); + match =3D IN6_ARE_ADDR_EQUAL(&te->addr6, &p); + } + break; + + case O_IP6_DST_MASK: + if (is_ipv6) { + ipfw_insn_ip6 *te =3D (ipfw_insn_ip6 *)cmd; + struct in6_addr p =3D args->f_id.dst_ip6; + + APPLY_MASK(&p, &te->mask6); + match =3D IN6_ARE_ADDR_EQUAL(&te->addr6, &p); + } + break; + + case O_IP6_SRC_ME: + match=3D is_ipv6 && search_ip6_addr_net(&args->f_id.src_ip6); + break; + + case O_IP6_DST_ME: + match=3D is_ipv6 && search_ip6_addr_net(&args->f_id.dst_ip6); + break; + + case O_FLOW6ID: + match =3D is_ipv6 && + flow6id_match(args->f_id.flow_id6, + (ipfw_insn_u32 *) cmd); + break; + + case O_EXT_HDR: + match =3D is_ipv6 && + (ext_hd & ((ipfw_insn *) cmd)->arg1); + break; + + case O_IP6: + match =3D is_ipv6; + break; + /* * The second set of opcodes represents 'actions', * i.e. the terminal part of a rule once the packet @@ -2297,7 +2584,7 @@ if (dyn_dir =3D=3D MATCH_UNKNOWN && (q =3D lookup_dyn_rule(&args->f_id, &dyn_dir, proto =3D=3D IPPROTO_TCP ? - L3HDR(struct tcphdr, ip) : NULL)) + TCP(ulp) : NULL)) !=3D NULL) { /* * Found dynamic entry, update stats @@ -2378,7 +2665,7 @@ */ if (hlen > 0 && (proto !=3D IPPROTO_ICMP || - is_icmp_query(ip)) && + is_icmp_query(ICMP(ulp))) && !(m->m_flags & (M_BCAST|M_MCAST)) && !IN_MULTICAST(ntohl(dst_ip.s_addr))) { send_reject(args, cmd->arg1, @@ -2859,6 +3146,10 @@ case O_VERSRCREACH: case O_ANTISPOOF: case O_IPSEC: + case O_IP6_SRC_ME: + case O_IP6_DST_ME: + case O_EXT_HDR: + case O_IP6: if (cmdlen !=3D F_INSN_SIZE(ipfw_insn)) goto bad_size; break; 
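Review bot: in the send_reject hunk (@@ -2378,7 +2665,7 @@), is_icmp_query(ICMP(ulp)) is reached whenever hlen > 0 and proto == IPPROTO_ICMP, but ulp is only assigned inside the `offset == 0` branch of the IPv4 parser, so an ICMP packet with a non-zero fragment offset arrives here with ulp == NULL and the call dereferences it; add `offset == 0 &&` to the condition (the old code read through `ip`, which was always valid, so this is a new failure mode). In the O_IP6_SRC_MASK/O_IP6_DST_MASK cases of the preceding hunk (@@ -2235,6 +2468,60 @@), `APPLY_MASK(&p, &te->mask6)` masks only the packet address and then compares with te->addr6 as stored, so the rule never matches unless userland stored addr6 already masked; either mask both sides or state that contract in a comment next to the comparison.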
@@ -2985,9 +3276,32 @@ return EINVAL; } break; + case O_IP6_SRC: + case O_IP6_DST: + if (cmdlen !=3D F_INSN_SIZE(struct in6_addr) + + F_INSN_SIZE(ipfw_insn)) + goto bad_size; + break; + + case O_FLOW6ID: + if (cmdlen !=3D F_INSN_SIZE(ipfw_insn_u32) + + ((ipfw_insn_u32 *)cmd)->o.arg1) + goto bad_size; + break; + + case O_IP6_SRC_MASK: + case O_IP6_DST_MASK: + if ( !(cmdlen & 1) || cmdlen > 127) + goto bad_size; + break; + case O_ICMP6TYPE: + if( cmdlen !=3D F_INSN_SIZE( ipfw_insn_icmp6 ) ) + goto bad_size; + break; + default: printf("ipfw: opcode %d, unknown opcode\n", - cmd->opcode); + cmd->opcode); return EINVAL; } } @@ -3379,7 +3693,7 @@ } =20 ip_fw_default_rule =3D layer3_chain.rules; - printf("ipfw2 initialized, divert %s, " + printf("ipfw2 (+ipv6) initialized, divert %s, " "rule-based forwarding " #ifdef IPFIREWALL_FORWARD "enabled, " --- ../cleanup/sys/netinet/ip_fw_pfil.c Fri Aug 27 15:18:18 2004 +++ sys/netinet/ip_fw_pfil.c Thu Sep 2 22:37:05 2004 @@ -31,6 +31,7 @@ #include "opt_ipdn.h" #include "opt_ipdivert.h" #include "opt_inet.h" +#include "opt_inet6.h" #ifndef INET #error IPFIREWALL requires INET. #endif /* INET */ @@ -111,7 +112,10 @@ goto pass; =20 if (DUMMYNET_LOADED && (ipfw & IP_FW_PORT_DYNT_FLAG) !=3D 0) { - ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP_IN, &args); + if (mtod(*m0, struct ip *)->ip_v =3D=3D 4) + ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP_IN, &args); + else if (mtod(*m0, struct ip *)->ip_v =3D=3D 6) + ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP6_IN, &args); *m0 =3D NULL; return 0; /* packet consumed */ } @@ -194,7 +198,10 @@ goto pass; =20 if (DUMMYNET_LOADED && (ipfw & IP_FW_PORT_DYNT_FLAG) !=3D 0) { - ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP_OUT, &args); + if (mtod(*m0, struct ip *)->ip_v =3D=3D 4) + ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP_OUT, &args); + else if (mtod(*m0, struct ip *)->ip_v =3D=3D 6) + ip_dn_io_ptr(*m0, ipfw & 0xffff, DN_TO_IP6_OUT, &args); *m0 =3D NULL; return 0; /* packet consumed */ } 
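Review bot: in the two dummynet dispatch hunks of ip_fw_pfil.c (@@ -111,7 +112,10 @@ and @@ -194,7 +198,10 @@), the `if (ip_v == 4) ... else if (ip_v == 6) ...` chain has no final else, yet `*m0 = NULL; return 0;` follows unconditionally: an mbuf whose version field is neither 4 nor 6 is neither handed to ip_dn_io_ptr nor freed, which leaks it. Either m_freem() it in an else branch or make the version test exhaustive. In the check_ipfw_struct hunk (@@ -2985,9 +3276,32 @@), the O_IP6_SRC_MASK/O_IP6_DST_MASK check `!(cmdlen & 1) || cmdlen > 127` only verifies that cmdlen is odd; the matcher for these opcodes reads both te->addr6 and te->mask6, i.e. 1 + 2 * F_INSN_SIZE(struct in6_addr) = 9 words, while this check also accepts 3, 5 and 7, so a malformed instruction would be read past its end. Checking `(cmdlen - 1) % (2 * F_INSN_SIZE(struct in6_addr)) != 0` expresses the real constraint.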
@@ -326,6 +333,9 @@ ipfw_hook(void) { struct pfil_head *pfh_inet; +#ifdef INET6 + struct pfil_head *pfh_inet6; +#endif =20 if (ipfw_pfil_hooked) return EEXIST; @@ -333,9 +343,18 @@ pfh_inet =3D pfil_head_get(PFIL_TYPE_AF, AF_INET); if (pfh_inet =3D=3D NULL) return ENOENT; +#ifdef INET6 + pfh_inet6 =3D pfil_head_get(PFIL_TYPE_AF, AF_INET6); + if (pfh_inet6 =3D=3D NULL) + return ENOENT; +#endif =20 pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); +#ifdef INET6 + pfil_add_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6); + pfil_add_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6); +#endif =20 return 0; } @@ -344,6 +363,9 @@ ipfw_unhook(void) { struct pfil_head *pfh_inet; +#ifdef INET6 + struct pfil_head *pfh_inet6; +#endif =20 if (!ipfw_pfil_hooked) return ENOENT; 
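Review bot: the `#ifdef INET6` guards in the ipfw_hook hunk (@@ -333,9 +343,18 @@) only cover registration of the AF_INET6 pfil hooks (and the new opt_inet6.h include); the ip_fw2.c hunks above use struct ip6_hdr, ip6_hbh, ip6_rthdr, icmp6_hdr, IN6_ARE_ADDR_EQUAL, verify_rev_path6() and search_ip6_addr_net() with no such guard, so a kernel built without INET6 either needs those parts under the same #ifdef or must still compile and link them. The commit message should say which configurations (INET6 on and off) were build-tested.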
@@ -351,9 +373,18 @@ pfh_inet =3D pfil_head_get(PFIL_TYPE_AF, AF_INET); if (pfh_inet =3D=3D NULL) return ENOENT; +#ifdef INET6 + pfh_inet6 =3D pfil_head_get(PFIL_TYPE_AF, AF_INET6); + if (pfh_inet6 =3D=3D NULL) + return ENOENT; +#endif =20 pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet); pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet); +#ifdef INET6 + pfil_remove_hook(ipfw_check_in, NULL, PFIL_IN | PFIL_WAITOK, pfh_inet6); + pfil_remove_hook(ipfw_check_out, NULL, PFIL_OUT | PFIL_WAITOK, pfh_inet6); +#endif =20 return 0; } --=20 Any statement of the form "X is the one, true Y" is FALSE. PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --EeQfGwPcQSOJBaQU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFBOOdoXY6L6fI4GtQRAqiXAKCQqRtT1sGm1kabil1RhplV18tmygCfdrpN lKQAknPNwXFtZbxAxr7v49E= =O68v -----END PGP SIGNATURE----- --EeQfGwPcQSOJBaQU-- From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 4 09:57:14 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5D4A316A4CE for ; Sat, 4 Sep 2004 09:57:14 +0000 (GMT) Received: from pd3mo2so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2BDE543D53 for ; Sat, 4 Sep 2004 09:57:14 +0000 (GMT) (envelope-from sstahl@shaw.ca) Received: from pd2mr7so.prod.shaw.ca (pd2mr7so-qfe3.prod.shaw.ca [10.0.141.10])2004))freebsd-ipfw@freebsd.org; Sat, 04 Sep 2004 03:01:28 -0600 (MDT) Received: from pn2ml10so.prod.shaw.ca ([10.0.121.80]) by pd2mr7so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0I3I00F95EEGSJA0@pd2mr7so.prod.shaw.ca> for freebsd-ipfw@freebsd.org; Sat, 04 Sep 2004 03:01:28 -0600 (MDT) Received: from scott (S0106004005833f5a.ss.shawcable.net [70.64.124.53]) by l-daemon (iPlanet 
Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id <0I3I00G1IEECWO@l-daemon> for freebsd-ipfw@freebsd.org; Sat, 04 Sep 2004 03:01:28 -0600 (MDT)
Date: Sat, 04 Sep 2004 03:01:26 -0600
From: Scott Stahl
To: "Freebsd-Ipfw@Freebsd. Org"
Message-id: <0I3I00G1KEEFWO@l-daemon>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Mailer: Microsoft Outlook, Build 11.0.5207
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Thread-index: AcSSXcIHG3Ijy2yQTWOG41YlbBen6Q==
Subject: Proftp ipfw rule
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sat, 04 Sep 2004 09:57:14 -0000

I need to allow access to my ftp server and am having problems.

I have the following in my proftpd.conf:

PassivePorts 49152 65534

I also have the following in my ipfw.conf:

add 02500 allow tcp from any to any 49152-65534

This doesn't seem to work unless I disable the firewall. Any help would be greatly appreciated.

Scott.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 4 11:30:49 2004
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BF33A16A4CE for ; Sat, 4 Sep 2004 11:30:49 +0000 (GMT)
Received: from ctb-mesg5.saix.net (ctb-mesg5.saix.net [196.25.240.77]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7EA6843D46 for ; Sat, 4 Sep 2004 11:30:48 +0000 (GMT) (envelope-from greg@propdata.co.za)
Received: from [192.168.0.6] (nngy-87-239.telkomadsl.co.za [165.165.87.239]) by ctb-mesg5.saix.net (Postfix) with ESMTP id 73A07D5C7 for ; Sat, 4 Sep 2004 13:30:45 +0200 (SAST)
From: Greg Armer
To: IPFW List
Message-Id: <1094297495.15945.7.camel@fyre.codelounge.co.za>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6 (1.4.6-2)
Date: Sat, 04 Sep 2004 13:31:35 +0200
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
Subject: [Fwd: Re: Proftp ipfw rule]
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sat, 04 Sep 2004 11:30:49 -0000

I set up proftpd with:

PassivePorts 10050 10080

and ipfw rules as follows,

add allow tcp from any to any established
add allow tcp from any to any 21 setup
add allow tcp from any to any 10050-10080

Works like a charm

HTH
Greg

On Sat, 2004-09-04 at 11:01, Scott Stahl wrote:
> I need to allow access to my ftp server and am having problems.
>
> I have the following in my proftpd.conf:
>
> PassivePorts 49152 65534
>
> I also have the following in my ipfw.conf:
>
> add 02500 allow tcp from any to any 49152-65534
>
> This doesn't seem to work unless I disable the firewall. Any help would be
> greatly appreciated.
>
> Scott.
>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 4 16:42:31 2004
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6CA7616A4CE for ; Sat, 4 Sep 2004 16:42:31 +0000 (GMT)
Received: from smtp4.brturbo.com (smtp4.brturbo.com [200.199.201.180]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7BC2343D31 for ; Sat, 4 Sep 2004 16:42:30 +0000 (GMT) (envelope-from marcio@lists.slchapeco.org)
Received: from [192.168.157.1] (201-003-213-146.fnsce7003.dsl.brasiltelecom.net.br [201.3.213.146]) by smtp4.brturbo.com (Postfix) with ESMTP id A6C9B33E87 for ; Sat, 4 Sep 2004 13:42:27 -0300 (BRT)
Message-ID: <4139F07B.5090102@lists.slchapeco.org>
Date: Sat, 04 Sep 2004 13:42:35 -0300
From: Márcio Luciano Donada
Organization: Márcio Luciano Donada
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
References: <0I3I00G1KEEFWO@l-daemon>
In-Reply-To: <0I3I00G1KEEFWO@l-daemon>
X-Enigmail-Version: 0.85.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: Proftp ipfw rule
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: marcio@lists.slchapeco.org
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sat, 04 Sep 2004 16:42:31 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Stahl wrote:
| I need to allow access to my ftp server and am having problems.
|
| I have the following in my proftpd.conf:
|
| PassivePorts 49152 65534
|
| I also have the following in my ipfw.conf:
|
| add 02500 allow tcp from any to any 49152-65534
|
| This doesn't seem to work unless I disable the firewall. Any help would be
| greatly appreciated.
|
| Scott.
|

Good day. A setting in natd.conf: the option punch_fw (more information: man natd), in the case of the network gateway.
[]'s
Márcio

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBOfB7diUaDDnLZAcRAhOcAKC/Yac5X8mtAPFFKug+dDdLpQBLhgCgpAsI
YkFUsRz49M32APafVAmUJ/I=
=ts4H
-----END PGP SIGNATURE-----

From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 4 21:31:24 2004
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B53DC16A4CE for ; Sat, 4 Sep 2004 21:31:24 +0000 (GMT)
Received: from smtp1.brturbo.com (smtp1.brturbo.com [200.199.201.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 74CC143D39 for ; Sat, 4 Sep 2004 21:31:24 +0000 (GMT) (envelope-from marcio@lists.slchapeco.org)
Received: from [192.168.157.1] (201-003-213-146.fnsce7003.dsl.brasiltelecom.net.br [201.3.213.146]) by smtp1.brturbo.com (Postfix) with ESMTP id BCA813428 for ; Sat, 4 Sep 2004 18:31:19 -0300 (BRT)
Message-ID: <413A342F.2000701@lists.slchapeco.org>
Date: Sat, 04 Sep 2004 18:31:27 -0300
From: Márcio Luciano Donada
Organization: Márcio Luciano Donada
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
X-Enigmail-Version: 0.85.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Subject: NATD x IPFW2
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: marcio@lists.slchapeco.org
List-Id: IPFW Technical Discussions
X-List-Received-Date: Sat, 04 Sep 2004 21:31:24 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi.

I am a FreeBSD 4.9-RELEASE-p11 user. Problems with the punch_fw option of natd when I use IPFW2: natd.conf with this option is not executed at system boot.

My rc.conf is:

firewall_enable="YES"
firewall_script="/etc/firewall/firewall.conf"
firewall_type="OPEN"
firewall_quiet="NO"
firewall_logging="YES"
natd_enable="YES"
natd_flags="-l -f /etc/firewall/natd.conf"

In the kernel:

options IPDIVERT
options IPFW2
options IPFIREWALL
options IPFIREWALL_VERBOSE_LIMIT=200
options IPFIREWALL_FORWARD
options INCLUDE_CONFIG_FILE
options IPFIREWALL_VERBOSE
options DUMMYNET
options divert

In firewall.conf:

${fwcmd} add divert natd all from ${rede_ap101} to any out xmit ${interface_tun}
${fwcmd} add divert natd all from any to ${ip_tun} in recv ${interface_tun}

Thank you.

OBS: Sorry for my English!

[]'s
Márcio

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBOjQudiUaDDnLZAcRAuziAJkBwOERoz1wS1+s9rjwbVD+QUYpQACePYG3
/sOqiozabCv7moGIwC9UeTU=
=XiYA
-----END PGP SIGNATURE-----
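The passive-FTP rules discussed earlier in this thread (Scott Stahl's single range rule and Greg Armer's three-rule set), as an added example that is not code from any of the messages: a small POSIX sh/awk check that reads the PassivePorts directive from a proftpd.conf and reports whether an ipfw ruleset contains the three things a passive-mode server needs, namely a rule that lets the control port 21 be opened, a rule that lets return traffic through (established or keep-state), and a rule that covers the whole passive range. The sample inputs are constructed from the lines posted in the thread, and the function names passive_range and ftp_ruleset_check are mine, not part of ipfw or proftpd.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ipfw ruleset against the
# PassivePorts range of a proftpd.conf.  Output fields:
#   ctrl - some allow rule lets port 21 be opened
#   est  - return traffic is allowed ("established", "keep-state" or a plain allow)
#   pasv - the whole PassivePorts range is allowed for new connections

# Constructed sample inputs, taken from the lines posted in the thread.
PROFTPD_CONF='ServerName "sample"
PassivePorts 49152 65534
'
RULES_SCOTT='add 02500 allow tcp from any to any 49152-65534'
RULES_GREG='add allow tcp from any to any established
add allow tcp from any to any 21 setup
add allow tcp from any to any 10050-10080'

# passive_range CONF_TEXT -> prints "low high" from the PassivePorts directive
passive_range() {
    printf '%s\n' "$1" | awk '$1 == "PassivePorts" { print $2, $3; exit }'
}

# ftp_ruleset_check RULES_TEXT LOW HIGH -> prints "ctrl=.. est=.. pasv=.."
# Only the rule text is examined: direction/interface qualifiers and earlier
# deny rules are ignored, so "yes" means "such a rule exists", not "the
# packet will be accepted".
ftp_ruleset_check() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
    BEGIN { lo += 0; hi += 0; ctrl = "no"; est = "no"; pasv = "no" }
    /^[ \t]*#/ { next }                        # comment line
    NF == 0    { next }                        # blank line
    {
        allow = 0; l4 = 0; toidx = 0; has_est = 0; ks = 0; setup = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "allow" || $i == "pass" || $i == "accept" || $i == "permit") allow = 1
            if ($i == "tcp" || $i == "ip" || $i == "all") l4 = 1
            if ($i == "to" && toidx == 0) toidx = i
            if ($i == "established") has_est = 1
            if ($i == "keep-state") ks = 1
            if ($i == "setup") setup = 1
        }
        # only "allow tcp/ip/all ... to ..." rules open anything for FTP
        if (!allow || !l4 || toidx == 0) next
        # the destination port spec follows the destination address,
        # optionally introduced by "dst-port"
        ports = (toidx + 2 <= NF) ? $(toidx + 2) : ""
        if (ports == "dst-port" && toidx + 3 <= NF) ports = $(toidx + 3)
        if (ports ~ /^[0-9]+(-[0-9]+)?$/) {
            n = split(ports, r, "-"); plo = r[1] + 0; phi = (n == 2) ? r[2] + 0 : plo
        } else {
            plo = 0; phi = 65535               # no port list: every TCP port
        }
        if (ks) est = "yes"
        if (has_est) {                         # established rules never open a port
            if (plo == 0 && phi == 65535) est = "yes"
            next
        }
        if (plo <= 21 && 21 <= phi) ctrl = "yes"
        if (plo <= lo && hi <= phi) pasv = "yes"
        # a port-less allow without "setup" also passes the return traffic
        if (plo == 0 && phi == 65535 && !setup) est = "yes"
    }
    END { printf "ctrl=%s est=%s pasv=%s\n", ctrl, est, pasv }'
}

# Report on the sample inputs.
set -- $(passive_range "$PROFTPD_CONF")
echo "Scott's ruleset against PassivePorts $1 $2: $(ftp_ruleset_check "$RULES_SCOTT" "$1" "$2")"
echo "Greg's ruleset against PassivePorts 10050 10080: $(ftp_ruleset_check "$RULES_GREG" 10050 10080)"
```

Run against Scott's single rule the check reports the passive range as covered but neither the control port nor established traffic, which is exactly the pair of rules Greg's answer adds; against Greg's three rules with his own 10050-10080 range all three come back yes. The check deliberately says nothing about rule order or about `in`/`out`/`via` qualifiers, so a yes from it is a precondition, not proof that a given connection will be accepted.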