From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 6 11:02:53 2004
Date: Mon, 6 Dec 2004 11:02:52 GMT
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Message-Id: <200412061102.iB6B2qoo027823@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/04/22]  kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24]  kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o [2003/12/11]  kern/60154  ipfw   ipfw core (crash)
o [2004/03/03]  kern/63724  ipfw   IPFW2 Queues dont t work
f [2004/03/25]  kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13]  kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o [2004/11/19]  kern/74104  ipfw   ipfw2/1 conflict not detected or reported

7 problems total.

Non-critical problems

S Submitted     Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13]  kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/10]  kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2003/02/11]  kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10]  kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/04/09]  bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/26]  kern/55984  ipfw   [patch] time based firewalling support fo
o [2003/12/30]  kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o [2004/08/03]  kern/69963  ipfw   ipfw: install_state warning about already
o [2004/09/04]  kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 6 15:45:45 2004
Date: Mon, 06 Dec 2004 18:43:52 +0300
From: martes wigglesworth
To: ipfw-mailings, freebsd-questions, newbies freebsd list
Message-id: <1102347832.675.41.camel@Mobile1.276NET>
Organization: HHC 276 EN BN
Subject: Weird lockup of network traffic...

Hello list.

I have experienced a very unusual glitch that I cannot explain. All of a
sudden, my network router box became non-compliant with internet traffic
requests. At first I thought that it was because I had to restart bind 8
with ndc restart; however, after restarting the service, I still continued
to receive failed server errors. After attempting to ping my provider, I
noticed that I came across this message:

ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available
ping: sendto: No buffer space available

What does this indicate? I am still learning, and do not have significant
experience/knowledge with any type of frame buffers or kernel programming.
I can only suspect that maybe my firewalling rules clogged some sort of
buffers for the kernel. I don't really know; that is the only thing that I
can think of. I have the following firewalling rules set up:

00098   124     8614 allow ip from any to any via lo0
00099     0        0 allow ip from 127.0.0.1 to 127.0.0.1
00100   617    69897 allow tcp from any to any dst-port 22 setup keep-state
00102     0        0 allow udp from 0.0.0.0 to 255.255.255.255 dst-port 67,68 setup keep-state
00103     0        0 allow udp from any to any dst-port 53 via keep-state
00104   685    79362 deny udp from any to any dst-port 137,138,513
00106     0        0 allow udp from any to any dst-port 33435-33524 keep-state
00110     0        0 allow log ip from any to { 192.168.1.0/24 or dst-ip 192.168.2.0/24 } in recv sis0
00200 15704 10185681 divert 8668 ip from any to any via sis0
00300  6267  8810869 queue 1 log ip from any to 192.168.1.0/24 out { xmit xl0 or xmit rl0 }
00301  1715   777060 queue 2 log ip from any to 192.168.2.0/24 out { xmit xl0 or xmit rl0 }
65535 25856 10939503 allow ip from any to any

My pipe configs are as follows:

00001: 256.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00002: 128.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
q00001: weight 1 pipe 1   50 sl. 4 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 12 ip   0.0.0.0/0             192.168.1.28/0            56     4856  0    0   0
 15 ip   0.0.0.0/0             192.168.1.31/0           136    20860  0    0   0
 26 ip   0.0.0.0/0             192.168.1.10/0          6294  9165950  0    0   0
 35 ip   0.0.0.0/0             192.168.1.51/0            46     5351  0    0   0
q00002: weight 1 pipe 2   50 sl. 4 queues (64 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
 11 ip   0.0.0.0/0             192.168.2.27/0            29     4396  0    0   0
 13 ip   0.0.0.0/0             192.168.2.29/0           156    62105  0    0   0
 44 ip   0.0.0.0/0             192.168.2.60/0          1659   812626  0    0   0
 53 ip   0.0.0.0/0             192.168.2.37/0            26     1176  0    0   0

Any help is much appreciated.

--
Respectfully,
M.G.W.

System: Asus M6N, AMD Duron, 256MB RAM, 40GB HD, 10/100 NIC, BSD-5.2.1-RELEASE

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 6 17:02:24 2004
Date: Mon, 06 Dec 2004 20:01:00 +0300
From: martes wigglesworth
To: jose@hostarica.com
cc: ipfw-mailings, newbies freebsd list, freebsd-questions
Message-id: <1102352460.675.70.camel@Mobile1.276NET>
In-reply-to: <1102350903.43918.5.camel@jose.hostarica.net>
References: <1102347832.675.41.camel@Mobile1.276NET> <1102350903.43918.5.camel@jose.hostarica.net>
Organization: HHC 276 EN BN
Subject: Re: Weird lockup of network traffic...

I only listed the rules that are relevant to my assumption, hence the
listing of the pipes. My inquiry was primarily to try to figure out what
was causing the routing table glitch, or whatever was causing the pings,
and all other traffic, to be dumped prior to being transmitted. I have
another firewall behind this rate limiter, so if you could give any
assistance with the buffer errors, it would be most appreciated.

--
Respectfully,
Martes G Wigglesworth
HHC 276 EN BN
APO AE 09334
martes.wigglesworth@us.army.mil

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 6 19:58:07 2004
Date: Mon, 06 Dec 2004 10:35:03 -0600
From: Jose Hidalgo Herrera
To: martes.wigglesworth@us.army.mil
cc: ipfw-mailings, newbies freebsd list, jose@hostarica.com, freebsd-questions
Message-Id: <1102350903.43918.5.camel@jose.hostarica.net>
In-Reply-To: <1102347832.675.41.camel@Mobile1.276NET>
References: <1102347832.675.41.camel@Mobile1.276NET>
Organization: Corp. Hostarica
Subject: Re: Weird lockup of network traffic...

It seems you need a "check-state" rule somewhere!

You also have very insecure sets; your rule #99 is a waste. You use
keep-state, but never match the dynamic rules with check-state.

Give me your complete set and I'll try to fix it.

On Mon, 06-12-2004 at 18:43 +0300, martes wigglesworth wrote:
> Hello list.
>
> I have experienced a very unusual glitch that I cannot explain. All of
> a sudden, my network router box became non-compliant with internet
> traffic requests. ...
>
> ping: sendto: No buffer space available
> ...
> I have the following firewalling rules set up:
> ...
> Any help is much appreciated.

--
Jose Hidalgo Herrera
Corp. Hostarica

From owner-freebsd-ipfw@FreeBSD.ORG Mon Dec 6 21:27:25 2004
Date: Mon, 06 Dec 2004 15:27:17 -0600
From: Jose Hidalgo Herrera
To: martes.wigglesworth@us.army.mil
cc: ipfw-mailings, newbies freebsd list, jose@hostarica.com, freebsd-questions
Message-Id: <1102368437.77087.6.camel@jose.hostarica.net>
In-Reply-To: <1102352460.675.70.camel@Mobile1.276NET>
References: <1102347832.675.41.camel@Mobile1.276NET> <1102350903.43918.5.camel@jose.hostarica.net> <1102352460.675.70.camel@Mobile1.276NET>
Organization: Corp. Hostarica
Subject: Re: Weird lockup of network traffic...

If you really think it's a buffer[1] problem, try:

netstat -m
netstat -sfinet

And if you find problems, recompile with:

options NMBCLUSTERS=

man mbuf

[1]: mbuf clusters exhausted

My 2 cents with the information given.

On Mon, 06-12-2004 at 20:01 +0300, martes wigglesworth wrote:
> I only listed the rules that are relevant to my assumption, hence the
> listing of the pipes. My inquiry was primarily to try to figure out
> what was causing the routing table glitch, or whatever was causing the
> pings, and all other traffic, to be dumped prior to being transmitted.
> I have another firewall behind this rate limiter, so if you could give
> any assistance with the buffer errors, it would be most appreciated.

--
Jose Hidalgo Herrera
Corp. Hostarica

From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 9 21:50:34 2004
Date: Thu, 9 Dec 2004 13:53:19 -0800
From: Brooks Davis
To: Luigi Rizzo
cc: Brooks Davis, ipfw@freebsd.org
Message-ID: <20041209215319.GA12303@odin.ac.hmc.edu>
In-Reply-To: <20041130041932.B91746@xorpc.icir.org>
References: <20041129192514.GA7331@odin.ac.hmc.edu> <20041130041932.B91746@xorpc.icir.org>
Subject: Re: strncmp usage in ipfw

On Tue, Nov 30, 2004 at 04:19:32AM -0800, Luigi Rizzo wrote:
> I believe the original, old ipfw code used strncmp() to allow for
> abbreviations. When I rewrote ipfw2 I did not feel like removing
> the feature for fear of introducing backward compatibility problems
> with existing files. However I agree that this introduces a
> maintainability nightmare and I believe we should move to strcmp(),
> especially given that with ipfw2 new option names are coming out
> quite frequently.

OK, that makes sense.

I'd like to propose the following plan:

- Disallow new strncmp instances in all branches.

- Remove strncmp usage in HEAD with the intention of explicitly adding
  back needed abbreviations when those abbreviations are both:
  - sane (no single-letter abbreviations, reasonable edit distance
    from other options, either obvious shorthand or reasonably mnemonic).
  - actually used by someone (this is key, especially since there are
    hundreds of possible values and this isn't a documented
    feature as far as I can tell.)

If need be we could implement a more complex strategy for deprecation
where we use a new matching function and warn about short matches, but
I'm not sure that's necessary.

-- Brooks

From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 9 23:08:25 2004
Date: Thu, 9 Dec 2004 15:08:21 -0800
From: Luigi Rizzo
To: Brooks Davis
cc: ipfw@freebsd.org
Message-ID: <20041209150821.B5606@xorpc.icir.org>
In-Reply-To: <20041209215319.GA12303@odin.ac.hmc.edu>
References: <20041129192514.GA7331@odin.ac.hmc.edu> <20041130041932.B91746@xorpc.icir.org> <20041209215319.GA12303@odin.ac.hmc.edu>
Subject: Re: strncmp usage in ipfw

The plan is fine with me.
I wonder if one couldn't temporarily replace strncmp with a wrapper that
does behave as strncmp, but issues a warning in those cases where
the results would be ambiguous.
At least in this way one could tell if there is a problem
anywhere before removing it.

cheers
luigi

On Thu, Dec 09, 2004 at 01:53:19PM -0800, Brooks Davis wrote:
> OK, that makes sense.
>
> I'd like to propose the following plan:
>
> - Disallow new strncmp instances in all branches.
>
> - Remove strncmp usage in HEAD with the intention of explicitly adding
>   back needed abbreviations when those abbreviations are both:
> ...
> If need be we could implement a more complex strategy for deprecation
> where we use a new matching function and warn about short matches, but
> I'm not sure that's necessary.
>
> -- Brooks

From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 9 23:25:26 2004
Date: Fri, 10 Dec 2004 01:25:30 +0200
From: Alin-Adrian Anton
To: ipfw@freebsd.org
Message-ID: <41B8DEEA.8080802@spintech.ro>
Subject: 5.3 ipfw states in bridged mode

Hi guys,

I noticed ipfilter and pf are not yet capable of correctly handling
traffic states when run in bridged environments.

I tried ipfw to see if it works, but either I made a mistake or it
doesn't work either. I can block any traffic with IPFW on my bridge
(3 NIC cards bridged together), as long as I avoid using keep-state /
check-state keywords. The bridge and ipfw code are loaded as modules.

I just wanted to check. So, can anyone please tell me, is IPFW able to
correctly keep all states in bridged environments? (5.3-RELEASE)

Thanks a lot!

Yours,
--
Alin-Adrian Anton
Spintech Systems
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 9 23:30:53 2004
Date: Thu, 9 Dec 2004 15:30:53 -0800
From: Luigi Rizzo
To: Alin-Adrian Anton
cc: ipfw@freebsd.org
Message-ID: <20041209153053.D5606@xorpc.icir.org>
In-Reply-To: <41B8DEEA.8080802@spintech.ro>
References: <41B8DEEA.8080802@spintech.ro>
Subject: Re: 5.3 ipfw states in bridged mode

On Fri, Dec 10, 2004 at 01:25:30AM +0200, Alin-Adrian Anton wrote:
...
> I just wanted to check. So, can anyone please tell me, is IPFW able to
> correctly keep all states in bridged environments? (5.3-RELEASE)

It is by design, yes.
There is no difference in operation between bridged and routed mode.

luigi

> Thanks a lot!
>
> Yours,
> ...
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Dec 9 23:35:52 2004
Date: Fri, 10 Dec 2004 01:35:56 +0200
From: Alin-Adrian Anton
To: Luigi Rizzo
cc: ipfw@freebsd.org
Message-ID: <41B8E15C.6090308@spintech.ro>
In-Reply-To: <20041209153053.D5606@xorpc.icir.org>
References: <41B8DEEA.8080802@spintech.ro> <20041209153053.D5606@xorpc.icir.org>
Subject: Re: 5.3 ipfw states in bridged mode

Luigi Rizzo wrote:
>> I just wanted to check. So, can anyone please tell me, is IPFW able to
>> correctly keep all states in bridged environments? (5.3-RELEASE)
>
> It is by design, yes.
> There is no difference in operation between bridged and routed mode.

Thanks, I'll hit the sack and check it out again tomorrow..

Yours,
--
Alin-Adrian Anton
Spintech Systems
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 10 00:17:13 2004
Date: Thu, 9 Dec 2004 16:19:58 -0800
From: Brooks Davis
To: Luigi Rizzo
cc: Brooks Davis, ipfw@freebsd.org
Message-ID: <20041210001958.GA8377@odin.ac.hmc.edu>
In-Reply-To: <20041209150821.B5606@xorpc.icir.org>
References: <20041129192514.GA7331@odin.ac.hmc.edu> <20041130041932.B91746@xorpc.icir.org> <20041209215319.GA12303@odin.ac.hmc.edu> <20041209150821.B5606@xorpc.icir.org>
Subject: Re: strncmp usage in ipfw

On Thu, Dec 09, 2004 at 03:08:21PM -0800, Luigi Rizzo wrote:
> The plan is fine with me.
> I wonder if one couldn't temporarily replace strncmp with a wrapper that
> does behave as strncmp, but issues a warning in those cases where
> the results would be ambiguous.
> At least in this way one could tell if there is a problem
> anywhere before removing it.

That would be easy enough. We could just ship 6.x that way and switch
to only using explicit abbreviations in 7.x, giving us a nice
deprecation schedule without too much maintenance hassle.

-- Brooks

> On Thu, Dec 09, 2004 at 01:53:19PM -0800, Brooks Davis wrote:
> > On Tue, Nov 30, 2004 at 04:19:32AM -0800, Luigi Rizzo wrote:
> > > I believe the original, old ipfw code used strncmp() to allow for
> > > abbreviations. ...
> >
> > OK, that makes sense.
> >
> > I'd like to propose the following plan:
> > ...
> > -- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --wRRV7LY7NUeQGEoC Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFBuOuuXY6L6fI4GtQRAn8vAKCAKTs+T15UmiTTKGh0YEGCUVXIpACg1SxI A24pi0CLKRYBh5u4h50sLrs= =oJtq -----END PGP SIGNATURE----- --wRRV7LY7NUeQGEoC-- From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 10 00:23:39 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BAD7716A4CE for ; Fri, 10 Dec 2004 00:23:39 +0000 (GMT) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7D70E43D41 for ; Fri, 10 Dec 2004 00:23:39 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.11/8.12.8) with ESMTP id iBA0Ndvv006933; Thu, 9 Dec 2004 16:23:39 -0800 (PST) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.11/8.12.3/Submit) id iBA0Ndsi006932; Thu, 9 Dec 2004 16:23:39 -0800 (PST) (envelope-from rizzo) Date: Thu, 9 Dec 2004 16:23:39 -0800 From: Luigi Rizzo To: Brooks Davis Message-ID: <20041209162339.A6743@xorpc.icir.org> References: <20041129192514.GA7331@odin.ac.hmc.edu> <20041130041932.B91746@xorpc.icir.org> <20041209150821.B5606@xorpc.icir.org> <20041210001958.GA8377@odin.ac.hmc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20041210001958.GA8377@odin.ac.hmc.edu>; from brooks@one-eyed-alien.net on Thu, Dec 09, 2004 at 04:19:58PM -0800 cc: ipfw@freebsd.org Subject: Re: strncmp usage in ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2004 
00:23:39 -0000 On Thu, Dec 09, 2004 at 04:19:58PM -0800, Brooks Davis wrote: ... > > i wonder if one couldn't temporarily replace strncmp with a wrapper that > > does behave as strncmp, but issues a warning in those cases where > > the results would be ambiguous. > > At least in this way one could tell if there is a problem > > anywhere before removing it. > > That would be easy enough. We could just ship 6.x that way and switch > to only using explicit abbreviations in 7.x giving us a nice deprecation > schedule without too much maintenance hassle. i was actually thinking of putting the wrapper in 5.x as well because there are no functional changes but the added bonus of pointing out ambiguous and possibly unwanted behaviours luigi > -- Brooks > > > On Thu, Dec 09, 2004 at 01:53:19PM -0800, Brooks Davis wrote: > > > On Tue, Nov 30, 2004 at 04:19:32AM -0800, Luigi Rizzo wrote: > > > > i believe the original, old ipfw code used strncmp() to allow for > > > > abbreviations. When i rewrote ipfw2 i did not feel like removing > > > > the feature for fear of introducing backward compatibility problems > > > > with existing files. However I agree that this introduces a > > > > maintainability nightmare and i believe we should move to strcmp(), > > > > especially given that with ipfw2 new option names are coming out > > > > quite frequently. > > > > > > OK, that makes sense. > > > > > > I'd like to propose the following plan: > > > > > > - Disallow new strncmp instances in all branches. > > > > > > - remove strncmp usage in HEAD with the intention of explicitly adding > > > back needed abbreviations when those abbreviations are both: > > > - sane (no single letter appreviations, reasionable edit distance > > > from other options, either obvious shorthand or reasionbly mnemonic). > > > - actually used be someone (this is key, espeicaly since there are > > > hundreds of possiable values and this isn't a documented > > > feature as far as I can tell.) 
> > > > > > If need be we could implement a more complex stratigy for deprecation > > > where we use a new matching function and warn about short matches, but > > > I'm not sure that's necessicary. > > > > > > -- Brooks > > > -- > Any statement of the form "X is the one, true Y" is FALSE. > PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 10 00:33:54 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 25F2416A4CE for ; Fri, 10 Dec 2004 00:33:54 +0000 (GMT) Received: from odin.ac.hmc.edu (Odin.AC.HMC.Edu [134.173.32.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id D7B1443D69 for ; Fri, 10 Dec 2004 00:33:53 +0000 (GMT) (envelope-from brdavis@odin.ac.hmc.edu) Received: from odin.ac.hmc.edu (localhost.localdomain [127.0.0.1]) by odin.ac.hmc.edu (8.13.0/8.13.0) with ESMTP id iBA0aeaO013187; Thu, 9 Dec 2004 16:36:40 -0800 Received: (from brdavis@localhost) by odin.ac.hmc.edu (8.13.0/8.13.0/Submit) id iBA0aew9013186; Thu, 9 Dec 2004 16:36:40 -0800 Date: Thu, 9 Dec 2004 16:36:40 -0800 From: Brooks Davis To: Luigi Rizzo Message-ID: <20041210003640.GB8377@odin.ac.hmc.edu> References: <20041129192514.GA7331@odin.ac.hmc.edu> <20041130041932.B91746@xorpc.icir.org> <20041209150821.B5606@xorpc.icir.org> <20041210001958.GA8377@odin.ac.hmc.edu> <20041209162339.A6743@xorpc.icir.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="mxv5cy4qt+RJ9ypb" Content-Disposition: inline In-Reply-To: <20041209162339.A6743@xorpc.icir.org> User-Agent: Mutt/1.4.1i X-Virus-Scanned: by amavisd-new X-Spam-Status: No, hits=0.0 required=8.0 tests=none autolearn=no version=2.63 X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on odin.ac.hmc.edu cc: Brooks Davis cc: ipfw@freebsd.org Subject: Re: strncmp usage in ipfw X-BeenThere: freebsd-ipfw@freebsd.org 
X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2004 00:33:54 -0000 --mxv5cy4qt+RJ9ypb Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Dec 09, 2004 at 04:23:39PM -0800, Luigi Rizzo wrote: > On Thu, Dec 09, 2004 at 04:19:58PM -0800, Brooks Davis wrote: > ... > > > i wonder if one couldn't temporarily replace strncmp with a wrapper t= hat > > > does behave as strncmp, but issues a warning in those cases where > > > the results would be ambiguous. > > > At least in this way one could tell if there is a problem > > > anywhere before removing it. > >=20 > > That would be easy enough. We could just ship 6.x that way and switch > > to only using explicit abbreviations in 7.x giving us a nice deprecation > > schedule without too much maintenance hassle. >=20 > i was actually thinking of putting the wrapper in 5.x as well > because there are no functional changes but the added bonus of > pointing out ambiguous and possibly unwanted behaviours Sounds reasionable. -- Brooks > luigi > > -- Brooks > >=20 > > > On Thu, Dec 09, 2004 at 01:53:19PM -0800, Brooks Davis wrote: > > > > On Tue, Nov 30, 2004 at 04:19:32AM -0800, Luigi Rizzo wrote: > > > > > i believe the original, old ipfw code used strncmp() to allow for > > > > > abbreviations. When i rewrote ipfw2 i did not feel like removing > > > > > the feature for fear of introducing backward compatibility proble= ms > > > > > with existing files. However I agree that this introduces a > > > > > maintainability nightmare and i believe we should move to strcmp(= ), > > > > > especially given that with ipfw2 new option names are coming out > > > > > quite frequently. > > > >=20 > > > > OK, that makes sense. 
> > > >=20 > > > > I'd like to propose the following plan: > > > >=20 > > > > - Disallow new strncmp instances in all branches. > > > >=20 > > > > - remove strncmp usage in HEAD with the intention of explicitly ad= ding > > > > back needed abbreviations when those abbreviations are both: > > > > - sane (no single letter appreviations, reasionable edit distan= ce > > > > from other options, either obvious shorthand or reasionbly mn= emonic). > > > > - actually used be someone (this is key, espeicaly since there = are > > > > hundreds of possiable values and this isn't a documented > > > > feature as far as I can tell.) > > > >=20 > > > > If need be we could implement a more complex stratigy for deprecati= on > > > > where we use a new matching function and warn about short matches, = but > > > > I'm not sure that's necessicary. > > > >=20 > > > > -- Brooks > > >=20 > > --=20 > > Any statement of the form "X is the one, true Y" is FALSE. > > PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 >=20 --=20 Any statement of the form "X is the one, true Y" is FALSE. 
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4 --mxv5cy4qt+RJ9ypb Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFBuO+XXY6L6fI4GtQRAvX/AKCMKyhK3XaCQVPn8bUfOUzYr7CJAwCg0zmH e02CHVb6scAAnmmN9XJ+HfI= =SD50 -----END PGP SIGNATURE----- --mxv5cy4qt+RJ9ypb-- From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 10 08:58:47 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 310EF16A4CE for ; Fri, 10 Dec 2004 08:58:47 +0000 (GMT) Received: from postfix4-2.free.fr (postfix4-2.free.fr [213.228.0.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id ADF0A43D2F for ; Fri, 10 Dec 2004 08:58:46 +0000 (GMT) (envelope-from tataz@tataz.chchile.org) Received: from tatooine.tataz.chchile.org (unknown [82.233.239.98]) by postfix4-2.free.fr (Postfix) with ESMTP id 2F0BF255B08; Fri, 10 Dec 2004 09:58:44 +0100 (CET) Received: by tatooine.tataz.chchile.org (Postfix, from userid 1000) id 097EA412C; Fri, 10 Dec 2004 09:56:57 +0100 (CET) Date: Fri, 10 Dec 2004 09:56:56 +0100 From: Jeremie Le Hen To: Alin-Adrian Anton Message-ID: <20041210085656.GJ79919@obiwan.tataz.chchile.org> References: <41B8DEEA.8080802@spintech.ro> <20041209153053.D5606@xorpc.icir.org> <41B8E15C.6090308@spintech.ro> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <41B8E15C.6090308@spintech.ro> User-Agent: Mutt/1.5.6i cc: Luigi Rizzo cc: ipfw@freebsd.org Subject: Re: 5.3 ipfw states in bridged mode X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2004 08:58:47 -0000 Alin-Adrian, >>> I just wanted to check. 
So, can anyone please tell me, is IPFW able >>> to correctly keep all states in bridged enviroments? (5.3-RELEASE) >> it is by design, yes. >> there is no difference in operation between bridged and routed mode. > > Thanks, I'll hit the sack and check it out again tomorrow.. You will surely want to read this very recent thread on freebsd-net@. http://docs.freebsd.org/cgi/getmsg.cgi?fetch=18065+0+archive/2004/freebsd-net/20041205.freebsd-net Regards, -- Jeremie Le Hen jeremie@le-hen.org From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 10 10:35:35 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 22F1016A4CE for ; Fri, 10 Dec 2004 10:35:35 +0000 (GMT) Received: from ww4.banrisul.com.br (ww4.banrisul.com.br [200.248.254.100]) by mx1.FreeBSD.org (Postfix) with SMTP id A6A9543D2D for ; Fri, 10 Dec 2004 10:35:33 +0000 (GMT) (envelope-from renato_barreto@banrisul.com.br) Received: from no.name.available by ww4.banrisul.com.br ESMTP; Fri, 10 Dec 2004 08:35:33 -0200 Received: From ne01.dgeral ([10.2.132.23]) by n045.bergs (WebShield SMTP v4.5 MR1a P0803.345); id 1102678567182; Fri, 10 Dec 2004 08:36:07 -0300 Date: Fri, 10 Dec 2004 08:31:16 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Message-ID: <794C454376DCD6118B3200104B86ECFF0C3F3C7C@n073.banrisul> content-class: urn:content-classes:message X-MS-Has-Attach: X-MimeOLE: Produced By Microsoft Exchange V6.0.6603.0 X-MS-TNEF-Correlator: Thread-Topic: Firewall bridge mode with ipfw Thread-Index: AcTerABxQrHpfUqCEdmaVgAFXXXGsA== From: "Renato Barreto" To: Subject: Firewall bridge mode with ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2004 10:35:35 -0000 Hi, In a bridge 
mode firewall (4.10-RELEASE) with IPFW2, how to implement a = more restrict rule to pass MAC packet. If MAC is blocked, bridge don=B4t work. /var/log/security: Dec 10 08:21:47 FB06 /kernel: ipfw: 65000 Accept MAC in via xl0 Dec 10 08:26:14 FB06 /kernel: ipfw: 65000 Accept MAC in via vr0 The rule 65000 is completly open: #ipfw show 65000 6298 309886 allow log ip from any to any layer2 keep-state=20 #/etc/sysctl.conf sysctl net.link.ether.bridge=3D1 sysctl net.link.ether.bridge_ipfw=3D1 sysctl net.link.ether.bridge_cfg=3Dxl0,vr0 TIA, Renato From owner-freebsd-ipfw@FreeBSD.ORG Fri Dec 10 21:28:48 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A7FA516A4CE for ; Fri, 10 Dec 2004 21:28:48 +0000 (GMT) Received: from smtpx.spintech.ro (smtpx.spintech.ro [81.181.24.231]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B65A43D60 for ; Fri, 10 Dec 2004 21:28:48 +0000 (GMT) (envelope-from aanton@spintech.ro) Received: from smtpx.spintech.ro (jail-clamsmtp [15.0.0.1]) by smtpx.spintech.ro (Postfix) with ESMTP id 9DEDB3A535; Fri, 10 Dec 2004 20:14:13 +0000 (UTC) Received: from [81.181.24.230] (beastie.spintech.ro [81.181.24.230]) by smtpx.spintech.ro (Postfix) with ESMTP id 7303F3A534; Fri, 10 Dec 2004 20:14:13 +0000 (UTC) Message-ID: <41BA1515.8040303@spintech.ro> Date: Fri, 10 Dec 2004 23:28:53 +0200 From: Alin-Adrian Anton User-Agent: Mozilla Thunderbird 0.8 (X11/20041016) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jeremie Le Hen References: <41B8DEEA.8080802@spintech.ro> <20041209153053.D5606@xorpc.icir.org> <41B8E15C.6090308@spintech.ro> <20041210085656.GJ79919@obiwan.tataz.chchile.org> In-Reply-To: <20041210085656.GJ79919@obiwan.tataz.chchile.org> X-Enigmail-Version: 0.86.1.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-AV-Checked: ClamAV using ClamSMTP cc: 
freebsd-ipfw@freebsd.org Subject: Re: 5.3 ipfw states in bridged mode X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Dec 2004 21:28:48 -0000 Jeremie Le Hen wrote: > Alin-Adrian, > > >>>> I just wanted to check. So, can anyone please tell me, is IPFW able >>>> to correctly keep all states in bridged enviroments? (5.3-RELEASE) >>> >>>it is by design, yes. >>>there is no difference in operation between bridged and routed mode. >> >>Thanks, I'll hit the sack and check it out again tomorrow.. > > > You will surely want to read this very recent thread on freebsd-net@. > http://docs.freebsd.org/cgi/getmsg.cgi?fetch=18065+0+archive/2004/freebsd-net/20041205.freebsd-net > > Regards, Indeed. Thanks. -- Alin-Adrian Anton Spintech Systems GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E) gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E From owner-freebsd-ipfw@FreeBSD.ORG Sat Dec 11 14:23:22 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A93EB16A4CE for ; Sat, 11 Dec 2004 14:23:22 +0000 (GMT) Received: from smtp-out.hotpop.com (smtp-out.hotpop.com [38.113.3.61]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7A5D043D2F for ; Sat, 11 Dec 2004 14:23:22 +0000 (GMT) (envelope-from mastah@phreaker.net) Received: from phreaker.net (kubrick.hotpop.com [38.113.3.103]) by smtp-out.hotpop.com (Postfix) with SMTP id 1A44DB51DFA for ; Sat, 11 Dec 2004 14:23:18 +0000 (UTC) Received: from master.phreaker.net (ts5-a137.Spb.dial.rol.ru [195.190.96.137]) by smtp-2.hotpop.com (Postfix) with ESMTP id 83113B5754A for ; Sat, 11 Dec 2004 14:23:16 +0000 (UTC) Message-Id: <6.2.0.7.1.20041211172253.02128d30@pop.phreaker.net> X-Sender: mastah@phreaker.net@pop.phreaker.net X-Mailer: QUALCOMM 
Windows Eudora Version 6.2.0.7 (Beta) Date: Sat, 11 Dec 2004 17:23:09 +0300 To: ipfw@freebsd.org From: Castl Troy Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-HotPOP: ----------------------------------------------- Sent By HotPOP.com FREE Email Get your FREE POP email at www.HotPOP.com ----------------------------------------------- Subject: ipfw vs ipfilter X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Dec 2004 14:23:22 -0000 Hello people, Can anybody help me with understanding the difference between ipfilter(ipf) and ipfirewall (ipfw). Any link to docs or info will greatly help me. I use FreeBSD for almost 5 years, but i used only ipfw for packet routing and never use ipfilter for this. I wonder is it "internal" packet routing mechanism or maybe it is just for compatibility with OpenBSD? Sorry if this question is so stupid, but i am really dont know what ipfilter is, man ipf did not help me with understanding the difference. Thanks. Sorry if i mistake list to wich i need send this. 
From owner-freebsd-ipfw@FreeBSD.ORG Sat Dec 11 16:52:56 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E049216A4CE for ; Sat, 11 Dec 2004 16:52:55 +0000 (GMT) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.173]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15B3843D48 for ; Sat, 11 Dec 2004 16:52:55 +0000 (GMT) (envelope-from max@love2party.net) Received: from [212.227.126.208] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 1CdAUI-0002IW-00; Sat, 11 Dec 2004 17:52:54 +0100 Received: from [84.128.131.95] (helo=donor.laier.local) by mrelayng.kundenserver.de with asmtp (TLSv1:RC4-MD5:128) (Exim 3.35 #1) id 1CdAUH-0001BD-00; Sat, 11 Dec 2004 17:52:54 +0100 From: Max Laier To: freebsd-ipfw@freebsd.org Date: Sat, 11 Dec 2004 17:53:25 +0100 User-Agent: KMail/1.7.1 References: <6.2.0.7.1.20041211172253.02128d30@pop.phreaker.net> In-Reply-To: <6.2.0.7.1.20041211172253.02128d30@pop.phreaker.net> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1533716.SFRBSFcDeq"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <200412111753.32974.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:61c499deaeeba3ba5be80f48ecc83056 cc: Castl Troy Subject: Re: ipfw vs ipfilter X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Dec 2004 16:52:56 -0000 --nextPart1533716.SFRBSFcDeq Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Saturday 11 December 2004 15:23, Castl Troy wrote: > Hello people, > > Can anybody help me with understanding the difference between ipfilter(ip= f) > and 
ipfirewall (ipfw). > Any link to docs or info will greatly help me. I use FreeBSD for almost 5 > years, but i used only ipfw for packet routing > and never use ipfilter for this. I wonder is it "internal" packet routing > mechanism or maybe it is just for compatibility with OpenBSD? Sorry if th= is > question is so stupid, but i am really dont know what ipfilter is, > man ipf did not help me with understanding the difference. http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html There are quite a few differences between IPFW and IPF or PF (which is the= =20 third firewall software currently available). The short answer is that IPF= W=20 provides a lowlevel filter mostly focused on the IP-layer, while PF provide= s=20 also sophisticated filtering on the TCP/UDP layer. I am not saying it is n= ot=20 possible to filter UDP/TCP with IPFW, but not in the degree as it is possib= le=20 with PF. Included in this point is the focus on static(IPFW) vs. dynamic(P= =46)=20 rules. IPFW provides dynamic rules, but - when compared to PF - a very=20 limited version. One should note, that IPFW is very fast when evaluation=20 static rules, while PF is not as fast with static rules but gains a lot wit= h=20 dynamic rules. Finnally IPFW does not have a network address translation=20 unit in-kernel and needs to divert packets to userland utilities to perform= =20 NAT. PF does that in the kernel and provides - in conjunction with the=20 dynamic rules - very powerful means to do load balancing. The other obvious difference is the ruleset syntax. This is mostly a matte= r=20 of choice. I personally find that PF style rulesets are easier to read. As for PF vs. IPF, in my opinion IPF just provides a subset of what PF can = do. =20 As IPF in the tree is still version 3.x it is lacking quite a few of the ni= ce=20 new features - address pools e.g. So if you want to look at an alternative= =20 to IPFW you better look at PF. 
More information about PF, as mentioned in the handbook: http://www.openbsd.org/faq/pf/index.html =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart1533716.SFRBSFcDeq Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQBBuyYMXyyEoT62BG0RAl7wAJ9emOCmg5BqJCWZMz6lmyYdIxuM1ACeNgQI DQOe4caMsxsHeTfoKcr+264= =3FA0 -----END PGP SIGNATURE----- --nextPart1533716.SFRBSFcDeq--
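The warning wrapper for strncmp()-style option matching that Luigi and Brooks discuss in the "strncmp usage in ipfw" thread above, written out as an added example (not part of the thread, and not ipfw's own code): it returns exactly what a first-prefix-match strncmp() lookup returns, but classifies each match so the caller can print a diagnostic when an abbreviation could mean more than one keyword. The keyword table, its order (chosen so that "mac" lands on "mac-type") and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed subset of ipfw option keywords, in the order a strncmp()-based
 * parser would scan them.  Not ipfw's real table: "mac-type" is deliberately
 * listed before "mac" to show the hazard the thread talks about. */
static const char *const keywords[] = {
    "keep-state", "check-state", "layer2", "log", "logamount",
    "mac-type", "mac", "in", "out", "via", "recv", "xmit",
    "setup", "established", "tcpflags", "tcpoptions", NULL
};

enum match_kind { MATCH_NONE, MATCH_EXACT, MATCH_UNIQUE_PREFIX, MATCH_AMBIGUOUS };

struct match_result {
    enum match_kind kind;
    const char *keyword;   /* keyword the legacy code would have chosen, or NULL */
    int candidates;        /* number of keywords the token is a prefix of */
};

/* Legacy behaviour: strncmp(tok, kw, strlen(tok)) picks the first keyword in
 * table order that starts with tok, silently, even if others start with it
 * too.  Note that an empty token matches the very first keyword. */
static const char *legacy_lookup(const char *tok)
{
    size_t n = strlen(tok);
    for (const char *const *k = keywords; *k != NULL; k++)
        if (strncmp(tok, *k, n) == 0)
            return *k;
    return NULL;
}

/* Wrapper: same choice as legacy_lookup(), plus a classification that tells
 * the caller whether that choice was unambiguous. */
static struct match_result lookup_keyword(const char *tok)
{
    struct match_result r = { MATCH_NONE, NULL, 0 };
    size_t n = strlen(tok);

    for (const char *const *k = keywords; *k != NULL; k++) {
        if (strncmp(tok, *k, n) != 0)
            continue;
        if (r.keyword == NULL)
            r.keyword = *k;           /* first hit: exactly what legacy_lookup() returns */
        r.candidates++;
    }
    if (r.keyword == NULL)
        r.kind = MATCH_NONE;
    else if (strcmp(tok, r.keyword) == 0)
        r.kind = MATCH_EXACT;         /* full spelling, and the legacy scan picked it */
    else if (r.candidates == 1)
        r.kind = MATCH_UNIQUE_PREFIX; /* harmless abbreviation */
    else
        r.kind = MATCH_AMBIGUOUS;     /* e.g. "mac" -> "mac-type" because "mac" is listed later */
    return r;
}

/* Drop-in replacement for the strncmp() call site: identical result, plus a
 * diagnostic on stderr whenever the abbreviation could mean something else. */
static const char *lookup_with_warning(const char *tok)
{
    struct match_result r = lookup_keyword(tok);

    if (r.kind == MATCH_AMBIGUOUS)
        fprintf(stderr, "ipfw: warning: '%s' is ambiguous (%d candidates), "
                "interpreting it as '%s'\n", tok, r.candidates, r.keyword);
    return r.keyword;
}

int main(void)
{
    static const char *const names[] = { "none", "exact", "unique-prefix", "ambiguous" };
    const char *samples[] = { "log", "lo", "keep", "mac", "l", "xyz", "" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct match_result r = lookup_keyword(samples[i]);
        const char *legacy = legacy_lookup(samples[i]);
        printf("%-5s -> %-13s %-12s (legacy strncmp: %s)\n", samples[i],
               names[r.kind], r.keyword ? r.keyword : "-", legacy ? legacy : "-");
        lookup_with_warning(samples[i]);
    }
    return 0;
}
```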