From owner-freebsd-ipfw@FreeBSD.ORG Mon May 30 10:29:29 2005
Return-Path:
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 53FC516A41C for ; Mon, 30 May 2005 10:29:29 +0000 (GMT) (envelope-from lists@wm-access.no)
Received: from lakepoint.domeneshop.no (lakepoint.domeneshop.no [194.63.248.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id C6F0343D1F for ; Mon, 30 May 2005 10:29:28 +0000 (GMT) (envelope-from lists@wm-access.no)
Received: from [192.168.8.8] (217-13-3-83.dd.nextgentel.com [217.13.3.83]) (authenticated bits=0) by lakepoint.domeneshop.no (8.12.11/8.12.11) with ESMTP id j4UATQ6o028060; Mon, 30 May 2005 12:29:26 +0200
Message-ID: <429AEAFD.2090404@wm-access.no>
Date: Mon, 30 May 2005 12:29:17 +0200
From: Sten Daniel Sørsdal
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: sid@merlin.com.ua
References: <1193652258.20050528211841@merlin.com.ua>
In-Reply-To: <1193652258.20050528211841@merlin.com.ua>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Cc: freebsd-ipfw@freebsd.org
Subject: Re: home ipfw
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 30 May 2005 10:29:29 -0000

sid@merlin.com.ua wrote:
> hi,
> I'm a just-married boy, and I asked my father how to make the best relation
> with my wife?
>
> his answer is...
>
> ipfw add allow ip from wife to me
> ipfw add allow ip from me to wife
> ipfw add prob 0.2 allow tcp from girlfriends talk to wife talk
> ipfw add reset tcp from girlfriends talk to wife talk
> ipfw add allow tcp from wife to { coworkers or girlfriends } talk,handshake,email,icq
> ipfw add allow tcp from { coworkers or girlfriends } to wife talk,handshake,email,icq
> ipfw add allow tcp from father talk to me talk
> ipfw add allow tcp from me talk to father talk
> ipfw add prob 0.2 allow tcp from me 6-11 to girlfriends
> ipfw add prob 0.2 allow tcp from girlfriends to me 6-11
> ipfw add reset log ip from wife to any
> ipfw add reset log ip from any to wife
>
> what does it mean?
>

That you have too loose a ruleset when it comes to Girlfriends<->Wife. Wife must be able to communicate with any, and this should have been stateful!

Obtw: Co-workers<->Wife might be virtualized so that Overtime is achieved at your own discretion.
:D

-- 
Sten Daniel Sørsdal

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 30 11:01:56 2005
Date: Mon, 30 May 2005 11:01:54 GMT
Message-Id: <200505301101.j4UB1sIp029987@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2004/10/29] kern/73276  ipfw  ipfw2 vulnerability (parser error)
o [2005/02/01] kern/76971  ipfw  ipfw antispoof incorrectly blocks broadca

2 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 30 11:02:37 2005
Date: Mon, 30 May 2005 11:02:36 GMT
Message-Id: <200505301102.j4UB2aQN030530@freefall.freebsd.org>
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp
o [2003/12/11] kern/60154  ipfw  ipfw core (crash)
o [2004/03/03] kern/63724  ipfw  IPFW2 Queues dont t work
f [2004/03/25] kern/64694  ipfw  [ipfw] UID/GID matching in ipfw non-funct
o [2004/11/13] kern/73910  ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104  ipfw  ipfw2/1 conflict not detected or reported
o [2004/12/25] i386/75483  ipfw  ipfw count does not count

8 problems total.

Non-critical problems

S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/26] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/30] kern/60719  ipfw  ipfw: Headerless fragments generate cryp
o [2004/08/03] kern/69963  ipfw  ipfw: install_state warning about already
o [2004/09/04] kern/71366  ipfw  "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon May 30 13:30:35 2005
From: Igor Popov
Organization: Home
To: ipfw@freebsd.org
Date: Mon, 30 May 2005 16:30:19 +0300
Message-Id: <200505301630.21484.igorpopov@newmail.ru>
Subject: question concerned with dynamic rules

Hi all,

I have a question concerning dynamic rules. Say I have such rules:

  ipfw check-state
  ipfw allow udp from me to any out keep-state

If the TTL of my packet reaches zero on some router in the path, it sends me an ICMP "ttl exceeded" error message. Does the last rule create a dynamic rule that permits the ICMP error message? My experience with traceroute shows that such a rule is not created.

But with these rules:

  ipfw check-state
  ipfw allow udp from me to any out keep-state
  ipfw allow icmp from any to me icmptype 3,4,11,12 in

traceroute works.

-- 
The truth is what is; what should be is a dirty lie.
-- Lenny Bruce

From owner-freebsd-ipfw@FreeBSD.ORG Mon May 30 14:19:33 2005
Date: Mon, 30 May 2005 15:19:30 +0100
From: Orla McGann
To: Igor Popov
Message-ID: <20050530151930.G50686@kac.cnri.dit.ie>
References: <200505301630.21484.igorpopov@newmail.ru>
In-Reply-To: <200505301630.21484.igorpopov@newmail.ru>
Cc: ipfw@freebsd.org
Subject: Re: question concerned with dynamic rules

On Mon, May 30, 2005 at 04:30:19PM +0300, Igor Popov wrote:
> Hi all,
> I have a question concerned with dynamic rules, say I have such rules:
> ipfw check-state
> ipfw allow udp from me to any out keep-state
>
> if ttl of my packet will be zero on some router in path, it sends me icmp
> error message ttl exceeded. Does last rule create dynamic rule that permit
> icmp error message? My experience with traceroute shows that a such rule is
> not created.
>
> But with such rules:
> ipfw check-state
> ipfw allow udp from me to any out keep-state
> ipfw allow icmp from any to me icmptype 3,4,11,12 in
> traceroute works.

I don't think IPFW2 has the "related" and "reply" functionality that exists in Netfilter, where packets related to a dynamic connection, such as ICMP packets, are also passed through the filter. So you need to explicitly add rules allowing these icmptypes.

Regards,
Orla

-- 
Give a man a fish; you have fed him for today. Teach a man to use the Net and he won't bother you for weeks.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 1 08:11:38 2005
From: "George Breahna"
Date: Wed, 1 Jun 2005 11:11:41 +0300
Message-Id: <20050601081138.6C07A43D49@mx1.FreeBSD.org>
Subject: Bridging and IPFW

Hey guys, hope I posted this to the right list!

I recently installed version 5.4 on a computer that acts as a gateway/firewall/bridge for a LAN. There are 30 or so computers sitting behind interface rl1, which has no IP address assigned. rl1 is bridged to rl0, which is the external interface and has all the proper IPs assigned. The bridge is functioning perfectly, but the problem comes when I try to filter by MAC address using ipfw.

Here are the relevant sysctl variables (hope I set them all!):

  net.link.ether.bridge.enable: 1
  net.link.ether.bridge.config: rl0:0,rl1:0
  net.link.ether.bridge_ipfw: 1
  net.link.ether.ipfw: 1

According to what I have read, using ipfw2 I should now be able to properly filter by MAC address, so I wrote up some rules:

  $IPFW 10 add allow ip from any to any MAC any 00:0E:A6:02:4D:A4
  $IPFW 10 add allow ip from any to any MAC 00:0E:A6:02:4D:A4 any

The problem is that I am getting hits on only ONE of these rules, and that's the first one. Nothing hits the second one!
In total I have 3 rules: these two and the last one, which is allow ip from any to any. So it looks like this:

  00010 142169 205532194 allow ip from any to any MAC any 00:0e:a6:02:4d:a4
  00010 0 0 allow ip from any to any MAC 00:0e:a6:02:4d:a4 any
  65535 194369376 164135836653 allow ip from any to any

I have tried adding various other options, like in via rl1, out via rl1, bridged, etc., to no avail. The second rule isn't hit by anything! Theoretically it should be: if I add rule #20 that says deny ip from any to any, my computer can no longer pass through the gateway, although my MAC is listed in rule #10.

I really am at a loss for ideas as to what might be causing this, especially since I already did this and it worked fine on 4.10.

Any input would be appreciated.

Thanks!
Georg

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 1 13:08:03 2005
From: Max Laier
To: freebsd-ipfw@freebsd.org
Date: Wed, 1 Jun 2005 15:07:53 +0200
References: <200505251634.34478.max@love2party.net>
In-Reply-To: <200505251634.34478.max@love2party.net>
Message-Id: <200506011507.59379.max@love2party.net>
Subject: Re: [PATCH] ipv4 only rules (test and feedback)

Updated patch attached, please see below for details. I plan to commit this very soon now, so please test and scream *now* if anything breaks!

On Wednesday 25 May 2005 16:34, Max Laier wrote:
> All,
>
> with the recent merge of IPv6 functionality into ipfw2, ip6fw is obsolete.
> As the latter is neither locked nor using the pfil_hooks API, it was
> decided that it should be removed. Of course, this means that ipfw2 has
> to provide all the functionality that ip6fw provided before.
>
> In order to achieve this, there is one feature missing [for all I know,
> please scream now if you have anything else]: IPv4 only rules. Previously,
> it was possible to do:
>
> ipfw add 100 deny all from any to any
>
> to block all IPv4 traffic. With IPv6 incorporated into ipfw2 this no
> longer works, as it will block IPv6 traffic as well. With the patch attached
> you can now do:
>
> ipfw add 100 deny ipv4 from any to any
> or
> ipfw add 100 deny ipv6 from any to any
>
> to block IPv4 or IPv6.
>
> If you are running an IPv6/IPv4 host/gateway/firewall on current, please
> test the patch and send your feedback. Be sure to have kernel and userland
> in sync!

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

Content-Disposition: attachment; filename="ipv4-only.patch"

Index: sbin/ipfw/ipfw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.74 diff -u -r1.74 ipfw2.c =2D-- sbin/ipfw/ipfw2.c 21 May 2005 03:27:33 -0000 1.74 +++ sbin/ipfw/ipfw2.c 27 May 2005 17:37:26 -0000 @@ -275,6 +275,8 @@ TOK_EXT6HDR, TOK_DSTIP6, TOK_SRCIP6, + + TOK_IPV4, }; =20 struct _s_x dummynet_params[] =3D { @@ -395,6 +397,8 @@ { "flow-id", TOK_FLOWID}, { "ipv6", TOK_IPV6}, { "ip6", TOK_IPV6}, + { "ipv4", TOK_IPV4}, + { "ip4", TOK_IPV4}, { "dst-ipv6", TOK_DSTIP6}, { "dst-ip6", TOK_DSTIP6}, { "src-ipv6", TOK_SRCIP6}, @@ -1260,6 +1264,7 @@ #define HAVE_DSTIP 0x0004 #define HAVE_MAC 0x0008 #define HAVE_MACTYPE 0x0010 +#define HAVE_PROTO4 0x0040 #define HAVE_PROTO6 0x0080 #define HAVE_OPTIONS 0x8000 =20
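Review bot: the "ipv4"/"ip4" keywords added to the rule_options table in the @@ -395 hunk (and the same spellings accepted as a protocol name in add_proto() further down) come with no ipfw(8) man page change; the patch touches only sbin/ipfw/ipfw2.c, sys/netinet/ip_fw.h and sys/netinet/ip_fw2.c. The new keyword, its ip4 alias and the fact that plain all/ip now matches both address families should be documented before this is committed.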
@@ -1283,11 +1288,14 @@ return; } if ( !(*flags & HAVE_OPTIONS)) { =2D /* XXX BED: !(*flags & HAVE_PROTO) in patch */ =2D if ( !(*flags & HAVE_PROTO6) && (want & HAVE_PROTO6)) =2D printf(" ipv6"); if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO)) =2D printf(" ip"); + if ( (*flags & HAVE_PROTO4)) + printf(" ip4"); + else if ( (*flags & HAVE_PROTO6)) + printf(" ip6"); + else + printf(" ip"); + if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP)) printf(" from any"); if ( !(*flags & HAVE_DSTIP) && (want & HAVE_DSTIP)) @@ -1468,9 +1476,23 @@ /* * then print the body. */ + for (l =3D rule->act_ofs, cmd =3D rule->cmd ; + l > 0 ; l -=3D F_LEN(cmd) , cmd +=3D F_LEN(cmd)) { + if ((cmd->len & F_OR) || (cmd->len & F_NOT)) + continue; + if (cmd->opcode =3D=3D O_IP4) { + flags |=3D HAVE_PROTO4; + break; + } else if (cmd->opcode =3D=3D O_IP6) { + flags |=3D HAVE_PROTO6; + break; + } =09 + } if (rule->_pad & 1) { /* empty rules before options */ =2D if (!do_compact) =2D printf(" ip from any to any"); + if (!do_compact) { + show_prerequisites(&flags, HAVE_PROTO, 0); + printf(" from any to any"); + } flags |=3D HAVE_IP | HAVE_OPTIONS; } =20 @@ -1600,6 +1622,10 @@ printf(" not"); proto =3D cmd->arg1; pe =3D getprotobynumber(cmd->arg1); + if ((flags & (HAVE_PROTO4 | HAVE_PROTO6)) && + !(flags & HAVE_PROTO)) + show_prerequisites(&flags, + HAVE_IP | HAVE_OPTIONS, 0); if (flags & HAVE_OPTIONS) printf(" proto"); if (pe) @@ -1611,6 +1637,12 @@ break; =20 default: /*options ... */ + if (!(cmd->len & (F_OR|F_NOT))) + if (((cmd->opcode =3D=3D O_IP6) && + (flags & HAVE_PROTO6)) || + ((cmd->opcode =3D=3D O_IP4) && + (flags & HAVE_PROTO4))) + break; show_prerequisites(&flags, HAVE_IP | HAVE_OPTIONS, 0); if ((cmd->len & F_OR) && !or_block) printf(" {"); @@ -1810,10 +1842,14 @@ } break; =20 =2D case O_IP6: =20 + case O_IP6: printf(" ipv6"); break; =20 + case O_IP4: + printf(" ipv4"); + break; + case O_ICMP6TYPE: print_icmp6types((ipfw_insn_u32 *)cmd); break; 
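Review bot: the printed spelling of the new opcode differs between the two output paths in these hunks: show_prerequisites() emits " ip4" / " ip6" when it fills in the protocol position, while the case O_IP4: / case O_IP6: arms print " ipv4" / " ipv6". Both spellings parse, but ipfw list output should use one form consistently (whichever the man page documents as primary) so that listed rules round-trip without surprises.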
@@ -3506,13 +3542,18 @@ *proto =3D IPPROTO_IP; =20 if (_substrcmp(av, "all") =3D=3D 0) =2D ; /* same as "ip" */ =2D else if ((*proto =3D atoi(av)) > 0) + ; /* do not set O_IP4 nor O_IP6 */ + else if (strcmp(av, "ipv4") =3D=3D 0 || strcmp(av, "ip4") =3D=3D 0) + /* explicit "just IPv4" rule */ + fill_cmd(cmd, O_IP4, 0, 0); + else if (strcmp(av, "ipv6") =3D=3D 0 || strcmp(av, "ip6") =3D=3D 0) { + /* explicit "just IPv6" rule */ + *proto =3D IPPROTO_IPV6; + fill_cmd(cmd, O_IP6, 0, 0); + } else if ((*proto =3D atoi(av)) > 0) ; /* all done! */ else if ((pe =3D getprotobyname(av)) !=3D NULL) *proto =3D pe->p_proto; =2D else if (strcmp(av, "ipv6") =3D=3D 0 || strcmp(av, "ip6") =3D=3D 0) =2D *proto =3D IPPROTO_IPV6; else return NULL; if (*proto !=3D IPPROTO_IP && *proto !=3D IPPROTO_IPV6) @@ -4347,8 +4388,6 @@ case TOK_PROTO: NEED1("missing protocol"); if (add_proto(cmd, *av, &proto)) { =2D if (proto =3D=3D IPPROTO_IPV6) =2D fill_cmd(cmd, O_IP6, 0, 0); ac--; av++; } else errx(EX_DATAERR, "invalid protocol ``%s''", @@ -4435,6 +4474,10 @@ fill_cmd(cmd, O_IP6, 0, 0); break; =20 + case TOK_IPV4: + fill_cmd(cmd, O_IP4, 0, 0); + break; + case TOK_EXT6HDR: fill_ext6hdr( cmd, *av ); ac--; av++; Index: sys/netinet/ip_fw.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.99 diff -u -r1.99 ip_fw.h =2D-- sys/netinet/ip_fw.h 4 May 2005 13:12:52 -0000 1.99 +++ sys/netinet/ip_fw.h 19 May 2005 00:30:39 -0000 
@@ -153,6 +153,8 @@ O_NETGRAPH, /* send to ng_ipfw */ O_NGTEE, /* copy to ng_ipfw */ =20 + O_IP4, + O_LAST_OPCODE /* not an opcode! */ }; =20 Index: sys/netinet/ip_fw2.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/store/mlaier/fcvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.97 diff -u -r1.97 ip_fw2.c =2D-- sys/netinet/ip_fw2.c 4 May 2005 13:12:52 -0000 1.97 +++ sys/netinet/ip_fw2.c 19 May 2005 00:32:55 -0000 @@ -1961,6 +1961,7 @@ int is_ipv6 =3D 0; u_int16_t ext_hd =3D 0; /* bits vector for extension header filtering */ /* end of ipv6 variables */ + int is_ipv4 =3D 0; =20 if (m->m_flags & M_SKIP_FIREWALL) return (IP_FW_PASS); /* accept */ @@ -2071,6 +2072,7 @@ } else if (pktlen >=3D sizeof(struct ip) && (args->eh =3D=3D NULL || ntohs(args->eh->ether_type) =3D=3D ETHERTYPE= _IP) && mtod(m, struct ip *)->ip_v =3D=3D 4) { + is_ipv4 =3D 1; ip =3D mtod(m, struct ip *); hlen =3D ip->ip_hl << 2; args->f_id.addr_type =3D 4; @@ -2672,6 +2674,10 @@ break; #endif =20 + case O_IP4: + match =3D is_ipv4; + break; + /* * The second set of opcodes represents 'actions', * i.e. the terminal part of a rule once the packet 
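Review bot: in the add_proto() hunk in sbin/ipfw/ipfw2.c, only the "ipv6"/"ip6" string branch now emits O_IP6, while the later atoi() and getprotobyname() branches can still leave *proto == IPPROTO_IPV6, and the removed TOK_PROTO fallback `if (proto == IPPROTO_IPV6) fill_cmd(cmd, O_IP6, 0, 0);` no longer catches that case. Since the following `if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)` guard also excludes that value, a rule written with the protocol number 41 (or the /etc/protocols name that maps to it) appears to end up with no protocol opcode at all and would match every packet. Either emit O_IP6 whenever *proto resolves to IPPROTO_IPV6 after the lookups, or reject the numeric form explicitly.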
@@ -3317,6 +3323,7 @@ case O_IP6_DST_ME: case O_EXT_HDR: case O_IP6: + case O_IP4: if (cmdlen !=3D F_INSN_SIZE(ipfw_insn)) goto bad_size; break;

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 2 00:01:26 2005
Date: Wed, 1 Jun 2005 20:01:25 -0400
From: Brian Fundakowski Feldman
To: ipfw@FreeBSD.org
Message-ID: <20050602000125.GF975@green.homeunix.org>
Subject: dynamic rule deadlock

This is a pretty easy one to diagnose. In FreeBSD 5.x+, there are network interface locks that the ifnet::if_start() routines grab and the IPFW dynamic rule lock that IPFW grabs. When IPFW periodically runs its dynamic rule keepalive event, it tries to grab the locks in the order: IPFW dynamic rule lock, ifnet lock. This is the wrong order, and in my 5.4-STABLE IPFW+if_bridge(4)+ALTQ configuration, it leads to a full system deadlock.

The solution I have is pretty simple, but I have not actually tested what was there before against WITNESS to see exactly what it had to say, since I was more interested in fixing this in my production environment. If interested, I can easily help set up a test environment for this.

Here are the changes, which are, I believe, a complete fix. I don't particularly love the style and feel that could probably stand improvement.

Index: ip_fw2.c =================================================================== RCS file: /export/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.70.2.11 diff -u -r1.70.2.11 ip_fw2.c --- ip_fw2.c 12 May 2005 15:11:30 -0000 1.70.2.11 +++ ip_fw2.c 1 Jun 2005 20:54:56 -0000
@@ -1237,12 +1237,12 @@ } /* - * Transmit a TCP packet, containing either a RST or a keepalive. + * Generate a TCP packet, containing either a RST or a keepalive. * When flags & TH_RST, we are sending a RST packet, because of a * "reset" action matched the packet. * Otherwise we are sending a keepalive, and flags & TH_ */ -static void +static struct mbuf * send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags) { struct mbuf *m; @@ -1251,7 +1251,7 @@ MGETHDR(m, M_DONTWAIT, MT_HEADER); if (m == 0) - return; + return (NULL); m->m_pkthdr.rcvif = (struct ifnet *)0; m->m_pkthdr.len = m->m_len = sizeof(struct ip) + sizeof(struct tcphdr); m->m_data += max_linkhdr; @@ -1314,7 +1314,7 @@ ip->ip_ttl = ip_defttl; ip->ip_len = m->m_pkthdr.len; m->m_flags |= M_SKIP_FIREWALL; - ip_output(m, NULL, NULL, 0, NULL, NULL); + return (m); } /* @@ -1335,10 +1335,14 @@ } else if (offset == 0 && args->f_id.proto == IPPROTO_TCP) { struct tcphdr *const tcp = L3HDR(struct tcphdr, mtod(args->m, struct ip *)); - if ( (tcp->th_flags & TH_RST) == 0) - send_pkt(&(args->f_id), ntohl(tcp->th_seq), + if ( (tcp->th_flags & TH_RST) == 0) { + struct mbuf *m; + m = send_pkt(&(args->f_id), ntohl(tcp->th_seq), ntohl(tcp->th_ack), tcp->th_flags | TH_RST); + if (m != NULL) + ip_output(m, NULL, NULL, 0, NULL, NULL); + } m_freem(args->m); } else m_freem(args->m); @@ -3476,12 +3480,20 @@ static void ipfw_tick(void * __unused unused) { + struct mbuf *m0, *m, *mn; int i; ipfw_dyn_rule *q; if (dyn_keepalive == 0 || ipfw_dyn_v == NULL || dyn_count == 0) goto done; + /* + * We make a chain of packets to go out here -- not deferring + * until after we drop the IPFW dynamic rule lock would result + * in a lock order reversal with the normal packet input -> ipfw + * call stack. + */ + m0 = m = NULL; IPFW_DYN_LOCK(); for (i = 0 ; i < curr_dyn_buckets ; i++) { for (q = ipfw_dyn_v[i] ; q ; q = q->next ) { 
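Review bot: the send_pkt() header comment in the @@ -1237 hunk is changed from "Transmit" to "Generate", but it should also spell out the new contract: the function now returns an mbuf (NULL on allocation failure, per the @@ -1251 hunk) that the caller must either ip_output() or m_freem(), as the @@ -1335 hunk does for the RST case. Since the covering message says the old ordering was never run under WITNESS, a WITNESS-enabled run of the ipfw_tick() path before and after the change would confirm that IPFW dynamic rule lock -> ifnet lock was the reversal and that nothing else is still acquired under IPFW_DYN_LOCK().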
@@ -3497,11 +3509,33 @@ if (TIME_LEQ(q->expire, time_second)) continue; /* too late, rule expired */ - send_pkt(&(q->id), q->ack_rev - 1, q->ack_fwd, TH_SYN); - send_pkt(&(q->id), q->ack_fwd - 1, q->ack_rev, 0); + mn = send_pkt(&(q->id), q->ack_rev - 1, q->ack_fwd, + TH_SYN); + if (mn != NULL) { + if (m0 == NULL) { + m0 = m = mn; + } else { + m->m_nextpkt = mn; + m = mn; + } + } + mn = send_pkt(&(q->id), q->ack_fwd - 1, q->ack_rev, 0); + if (mn != NULL) { + if (m0 == NULL) { + m0 = m = mn; + } else { + m->m_nextpkt = mn; + m = mn; + } + } } } IPFW_DYN_UNLOCK(); + for (m = mn = m0; m != NULL; m = mn) { + mn = m->m_nextpkt; + m->m_nextpkt = NULL; + ip_output(m, NULL, NULL, 0, NULL, NULL); + } done: callout_reset(&ipfw_timeout, dyn_keepalive_period*hz, ipfw_tick, NULL); }

-- Brian Fundakowski Feldman           \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org                  \  The Power to Serve! \
 Opinions expressed are my own.         \,,,,,,,,,,,,,,,,,,,,,,\

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jun 3 20:44:23 2005
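Review bot: the two chain-append blocks in the @@ -3497 hunk are identical (`if (m0 == NULL) { m0 = m = mn; } else { m->m_nextpkt = mn; m = mn; }`) and would read better as a small static helper or a loop over the two keepalive directions, which also keeps the NULL check in one place. The post-IPFW_DYN_UNLOCK() loop correctly clears m_nextpkt before each ip_output(); it is worth saying in the new comment that the chain is private to ipfw_tick() and is never handed to ip_output() as a list.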
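The lock-order reversal Brian Feldman describes above (keepalives transmitted under the IPFW dynamic rule lock, against the input path's ifnet -> ipfw_dyn order) and his chain-then-transmit fix, modelled in user space as an added example. This is not FreeBSD code; lock_acquire, input_path, tick_before, tick_after and run_scenario are hypothetical names standing in for the kernel locks, send_pkt() and ipfw_tick(), and the witness-style checker only counts reversals rather than deadlocking.

```c
/* User-space model of the lock-order reversal described above (added
 * example, not FreeBSD's ip_fw2.c). Flags stand in for the IPFW dynamic-rule
 * lock and an ifnet lock; a small witness-style checker records the order in
 * which lock pairs are taken and counts reversals. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { LOCK_IFNET = 0, LOCK_DYN = 1, NLOCKS = 2 };
static int held[NLOCKS];          /* held[l]: lock l is currently held */
static int seen[NLOCKS][NLOCKS];  /* seen[a][b]: a was held when b was taken */
static int reversals, transmitted;

static void lock_acquire(int l)
{
    for (int h = 0; h < NLOCKS; h++) {
        if (!held[h]) continue;
        if (seen[l][h]) reversals++;   /* l -> h seen before, now h -> l */
        seen[h][l] = 1;
    }
    held[l] = 1;
}

static void lock_release(int l) { held[l] = 0; }

struct pkt { int flow; struct pkt *nextpkt; }; /* chained like mbuf m_nextpkt */

/* model of the interface output path: if_start() takes the ifnet lock */
static void if_transmit(struct pkt *p)
{
    lock_acquire(LOCK_IFNET);
    transmitted++;
    lock_release(LOCK_IFNET);
    free(p);
}

/* model of send_pkt() after the patch: builds a keepalive, does not send it */
static struct pkt *build_keepalive(int flow)
{
    struct pkt *p = malloc(sizeof(*p));
    if (p != NULL) { p->flow = flow; p->nextpkt = NULL; }
    return p;
}

/* normal input path: ifnet lock held while ipfw consults the dynamic rule
 * table, which establishes the order ifnet -> ipfw_dyn */
static void input_path(void)
{
    lock_acquire(LOCK_IFNET);
    lock_acquire(LOCK_DYN);        /* check-state lookup */
    lock_release(LOCK_DYN);
    lock_release(LOCK_IFNET);
}

/* ipfw_tick() before the patch: transmits while still holding the dyn lock */
static void tick_before(int nflows)
{
    lock_acquire(LOCK_DYN);
    for (int i = 0; i < nflows; i++) {
        struct pkt *p = build_keepalive(i);
        if (p != NULL) if_transmit(p); /* ipfw_dyn -> ifnet: the reversal */
    }
    lock_release(LOCK_DYN);
}

/* ipfw_tick() after the patch: chain under the lock, send after dropping it */
static void tick_after(int nflows)
{
    struct pkt *m0 = NULL, *m = NULL, *mn;
    lock_acquire(LOCK_DYN);
    for (int i = 0; i < nflows; i++) {
        if ((mn = build_keepalive(i)) == NULL) continue;
        if (m0 == NULL) m0 = m = mn;
        else { m->nextpkt = mn; m = mn; }
    }
    lock_release(LOCK_DYN);
    for (m = m0; m != NULL; m = mn) {
        mn = m->nextpkt;
        m->nextpkt = NULL;         /* hand the output path one packet at a time */
        if_transmit(m);
    }
}

/* run one scenario from a clean witness state; returns reversals detected */
static int run_scenario(int patched, int nflows)
{
    memset(held, 0, sizeof(held));
    memset(seen, 0, sizeof(seen));
    reversals = transmitted = 0;
    input_path();
    if (patched) tick_after(nflows); else tick_before(nflows);
    return reversals;
}

int main(void)
{
    int before = run_scenario(0, 3);
    int after = run_scenario(1, 3);
    printf("before patch: %d reversals; after patch: %d\n", before, after);
    return 0;
}
```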
From: sferreira@comcast.net
To: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Date: Fri, 03 Jun 2005 20:44:21 +0000
Message-Id: <060320052044.5672.42A0C125000B8BF30000162822007511500E9D070A9D9D0A009C@comcast.net>
Subject: FREEBSD between two trunks

I'm trying to set up DUMMYNET to emulate long delays, such as those encountered in satellite links. The problem is that I have to place my freebsd host between two trunks passing vlans (2,3,4,5,6).

So the setup is:

  cisco switch trunks vlan 2,3,4,5,6 <-> freebsd <--> cisco switch trunks vlan 2,3,4,5,6

All the documents I could find related to this subject matter have the freebsd as an endpoint and not connecting two trunks. Also, the freebsd has to be an invisible hop on the network, so it cannot route this traffic. I had set up my freebsd in bridge mode, but I could not get this setup to work.
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jun 4 18:14:57 2005
Date: Sat, 4 Jun 2005 11:14:55 -0700
From: John-Mark Gurney
To: sferreira@comcast.net
Message-ID: <20050604181455.GA730@funkthat.com>
References: <060320052044.5672.42A0C125000B8BF30000162822007511500E9D070A9D9D0A009C@comcast.net>
In-Reply-To: <060320052044.5672.42A0C125000B8BF30000162822007511500E9D070A9D9D0A009C@comcast.net>
Cc: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Re: FREEBS between two trunks

sferreira@comcast.net wrote this message on Fri, Jun 03, 2005 at 20:44 +0000:
> I'm trying to setup DUMMYNET to emulate long delays, such as those encountered in satellite links. The problem is that I have to place my freebsd host between two trunks passing vlans (2,3,4,5,6).
>
> So the setup is:
>
> cisco swictch trunks vlan 2,3,4,5,6 <-> freebsd <--> cisco switch trunks vlan 2,3,4,5,6
>
>
> All the documents I could find related to this subject matter has the freebsd as an endpoint and not connecting two trunks. Also the freebsd has to be an invisible hop on the network, so it can not route this traffic. I had setup my freebsd in bridge mode but I could not get this setup to work.

You may need to increase your MTU to allow the full-sized packets to pass through... or you could set up a vlan w/ an id that isn't used and let that adjust the MTU for you..
-- 
  John-Mark Gurney                              Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."