From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 6 08:53:34 2007
Date: Mon, 6 Aug 2007 11:53:21 +0300 (EEST)
From: Pekka Savola
To: freebsd-ipfw@freebsd.org
Subject: bug in 'ipfw: pullup failed' w/ ipv6-nonxt ?

Hi,

Recently on FreeBSD-6.2 STABLE I've noticed an over 100x increase in
'ipfw: pullup failed' messages.  This coincides with me starting to run
a Teredo relay, which includes receiving pretty much arbitrary IPv6
packets from the network.

This appears to trigger a problem in the sys/netinet/ip_fw2.c code with
a packet like:

11:35:48.327605 IP6 (hlim 255, next-header: unknown (59), length: 0) 2001:0:4136:xxxx:yyyy:zzzz:wwww:vvvv > fe80::fc31:b43b:679c:dcb9: no next header

Now, the code in ip_fw2.c appears to be:

	case IPPROTO_NONE:	/* RFC 2460 */
		PULLUP_TO(hlen, ulp, struct ip6_ext);
		/* Packet ends here. if ip6e_len!=0 octets
		 * must be ignored. */
		break;

.. but struct ip6_ext is at least 2 bytes long.  Am I reading the code
correctly that it expects that, even with IPPROTO_NONE, the IP header
needs to include at least 2 bytes of content?  This would probably be a
bug, and instead of printing "pullup failed" it shouldn't try to pull
more than the base IPv6 header.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 6 11:08:23 2007
Date: Mon, 6 Aug 2007 11:08:22 GMT
Message-Id: <200708061108.l76B8MqW029894@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw       ipfw is seems to be broken to limit number of connecti

13 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw       [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw       [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw       [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] Too few dummynet queue slots
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form

25 problems total.
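The extension-header walk that Pekka Savola's first message in this digest is about (the IPPROTO_NONE case in ip_fw2.c), as an added example in C that is not FreeBSD code: it models the pullup with a plain bounds check against the IPv6 Payload Length, and a `strict_none` switch reproduces the reported behaviour (Next Header 59 treated like a 2-octet extension header, so a bare 40-byte packet fails) next to the RFC 2460 behaviour, where 59 ends the packet and needs no further octets. It also walks hop-by-hop, routing, destination-options, AH and fragment headers with their respective length rules, so the same check distinguishes a genuinely truncated chain from a valid no-next-header packet. The `NH_*`, `ext_hdr` and `walk_*` names are this example's own, and the packets are constructed inline.

```c
/* Added example, not FreeBSD code: bounds-checked IPv6 extension-header chain walk.
 * strict_none != 0 models the reported ip_fw2.c behaviour (IPPROTO_NONE pulled up like a
 * 2-octet extension header); strict_none == 0 follows RFC 2460, where Next Header 59
 * ends the packet and needs no further octets.  All names here are the example's own. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_HDR_LEN 40
#define NH_HOPOPTS   0
#define NH_TCP       6
#define NH_ROUTING  43
#define NH_FRAGMENT 44
#define NH_AH       51
#define NH_NONE     59   /* RFC 2460: No Next Header */
#define NH_DSTOPTS  60

struct ext_hdr { uint8_t nxt, len; };   /* stand-in for struct ip6_ext */

/* -1: chain claims more octets than the packet holds; 0: reached an upper-layer
 * header; 1: chain ended with No Next Header. */
enum walk_status { WALK_PULLUP_FAILED = -1, WALK_OK = 0, WALK_END_NO_NEXT = 1 };

struct walk_result {
    enum walk_status status;
    uint8_t final_proto;      /* upper-layer protocol reached, or NH_NONE */
    size_t offset;            /* offset of that header, or of packet end */
};

struct walk_result walk_ip6_chain(const uint8_t *pkt, size_t pktlen, int strict_none)
{
    struct walk_result r = { WALK_PULLUP_FAILED, 0, 0 };
    if (pktlen < IP6_HDR_LEN) return r;             /* no base header */
    size_t total = IP6_HDR_LEN + (size_t)((pkt[4] << 8) | pkt[5]);
    if (total > pktlen) return r;                   /* Payload Length overstates */
    uint8_t proto = pkt[6];                         /* base Next Header */
    size_t hlen = IP6_HDR_LEN;                      /* octets consumed so far */
    for (int hops = 0; hops < 16; hops++) {         /* bound the chain length */
        switch (proto) {
        case NH_NONE:
            /* The reported check: PULLUP_TO of a struct ip6_ext past the base header. */
            if (strict_none && hlen + sizeof(struct ext_hdr) > total) return r;
            r.status = WALK_END_NO_NEXT; r.final_proto = NH_NONE; r.offset = hlen;
            return r;
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS: case NH_AH: case NH_FRAGMENT: {
            struct ext_hdr eh;
            if (hlen + sizeof eh > total) return r; /* a real pullup failure */
            memcpy(&eh, pkt + hlen, sizeof eh);
            size_t extlen;
            if (proto == NH_FRAGMENT)
                extlen = 8;                         /* fixed size */
            else if (proto == NH_AH)
                extlen = ((size_t)eh.len + 2) * 4;  /* RFC 4302: 32-bit words minus 2 */
            else
                extlen = ((size_t)eh.len + 1) * 8;  /* 8-octet units, first 8 not counted */
            if (hlen + extlen > total) return r;    /* header runs past the packet */
            proto = eh.nxt;
            hlen += extlen;
            break;
        }
        default:
            r.status = WALK_OK; r.final_proto = proto; r.offset = hlen;
            return r;
        }
    }
    return r;                                       /* too many headers: malformed */
}

/* Constructed packet from the report: base header only, Next Header 59, Payload Length 0. */
int demo_nonxt(int strict_none)
{
    uint8_t pkt[IP6_HDR_LEN] = { 0x60 };            /* version 6, everything else zero */
    pkt[6] = NH_NONE;
    pkt[7] = 255;                                   /* hop limit as in the tcpdump line */
    return walk_ip6_chain(pkt, sizeof pkt, strict_none).status;
}

/* Constructed: Hop-by-Hop (8 octets) followed by a 20-octet TCP header. */
struct walk_result demo_hopopts_tcp(void)
{
    uint8_t pkt[IP6_HDR_LEN + 8 + 20] = { 0x60 };
    pkt[5] = 28;                                    /* Payload Length = 8 + 20 */
    pkt[6] = NH_HOPOPTS;
    pkt[40] = NH_TCP;                               /* hop-by-hop: Next Header */
    pkt[41] = 0;                                    /* Hdr Ext Len 0 -> 8 octets */
    return walk_ip6_chain(pkt, sizeof pkt, 0);
}

/* Constructed: Destination Options announced, but only one octet follows the base header. */
int demo_truncated_ext(void)
{
    uint8_t pkt[IP6_HDR_LEN + 1] = { 0x60 };
    pkt[5] = 1;
    pkt[6] = NH_DSTOPTS;
    return walk_ip6_chain(pkt, sizeof pkt, 0).status;
}
```

With `strict_none` set, `demo_nonxt` returns the pullup failure the report describes for a packet that is entirely valid; with it cleared the same packet is accepted as ending after the base header, while `demo_truncated_ext` still fails because the announced header really is missing. That is the distinction a firewall should log on: a chain that overruns the packet is worth a counter, a no-next-header packet is not.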
From owner-freebsd-ipfw@FreeBSD.ORG Mon Aug 6 16:31:10 2007
Date: Mon, 6 Aug 2007 13:05:25 -0300
From: "Eduardo Meyer"
To: ipfw@freebsd.org
Subject: All I have is one packet!

Hello ipfw users and hackers.

I have tried, for many weeks, ng_tag to tag packets for ipfw filtering.
I could make it work fine.  However, I have one problem.  I want to make
a state that will match any packet, on any protocol, between the peers.
Why?  Because all I have is one packet.  And this packet, however, won't
always be in the same transport protocol.

For example, I can identify session initialization on TCP packets, but
once initialized, all communication between peers happens via UDP.

I know such a thing doesn't exist in ipfw.  However, I would like to
know if someone can suggest changes to the code that would do this.  It
would also be great if I could have a sysctl OID to tune the state
timing of this unusual behavior, differently from the existing sysctl
MIBs on the "dyn" stuff in ipfw.

Every suggestion on a feature like that would be appreciated.

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 7 08:39:22 2007
Date: Tue, 7 Aug 2007 08:39:22 GMT
Message-Id: <200708070839.l778dMAP004225@freefall.freebsd.org>
From: remko@FreeBSD.org
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/115261: [ipfw]: incorrect 'ipfw: pullup failed' with IPv6 no-next-header

Old Synopsis: incorrect 'ipfw: pullup failed' with IPv6 no-next-header
New Synopsis: [ipfw]: incorrect 'ipfw: pullup failed' with IPv6 no-next-header

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: remko
Responsible-Changed-When: Tue Aug 7 08:39:04 UTC 2007
Responsible-Changed-Why: 
Reassign to ipfw team.

http://www.freebsd.org/cgi/query-pr.cgi?pr=115261

From owner-freebsd-ipfw@FreeBSD.ORG Tue Aug 7 13:12:49 2007
Date: Tue, 7 Aug 2007 16:12:34 +0300 (EEST)
From: Pekka Savola
To: freebsd-ipfw@freebsd.org
Subject: ip6fw byte reporting error in v6

Hi,

Fiddling around with ipfw, I noticed that 'ip6fw -ta l', under byte
reports, does not include the base IPv6 header in the length calculation
(hmm.. I wonder how it would calculate the length of an extension-header
chained packet).

IPv4 byte statistics, on the other hand, include the IPv4 header bytes.

Is this a known problem?  Is it a more general BSD kernel problem?

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 8 07:57:44 2007
Message-ID: <46B97769.4010203@yandex.ru>
Date: Wed, 08 Aug 2007 11:57:29 +0400
From: "Andrey V. Elsukov"
To: Pekka Savola
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ip6fw byte reporting error in v6

Pekka Savola wrote:
> Fiddling around with ipfw, I noticed that 'ip6fw -ta l', under byte
> reports, does not include the base IPv6 header in the length calculation
> (hmm.. I wonder how it would calculate the length of an extension-header
> chained packet).
>
> IPv4 byte statistics, on the other hand, include the IPv4 header bytes.
>
> Is this a known problem?  Is it a more general BSD kernel problem?

Probably, you should use ipfw(8) instead of ip6fw(8).  ip6fw was removed
and its functionality moved into ipfw(8).

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 8 09:04:11 2007
Date: Wed, 8 Aug 2007 12:04:07 +0300 (EEST)
From: Pekka Savola
To: "Andrey V. Elsukov"
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <46B97769.4010203@yandex.ru>
References: <46B97769.4010203@yandex.ru>
Subject: Re: ip6fw byte reporting error in v6

On Wed, 8 Aug 2007, Andrey V. Elsukov wrote:
> Pekka Savola wrote:
>> Fiddling around with ipfw, I noticed that 'ip6fw -ta l', under byte
>> reports, does not include the base IPv6 header in the length calculation
>> (hmm.. I wonder how it would calculate the length of an extension-header
>> chained packet).
>>
>> IPv4 byte statistics, on the other hand, include the IPv4 header bytes.
>>
>> Is this a known problem?  Is it a more general BSD kernel problem?
>
> Probably, you should use ipfw(8) instead of ip6fw(8).  ip6fw was removed
> and its functionality moved into ipfw(8).

FWIW -- a rule generated by ipfw(8) counts the length correctly.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R.
Martin: A Clash of Kings

From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 8 23:16:37 2007
Date: Thu, 09 Aug 2007 05:50:44 +0700
From: "Vadim Goncharov"
Organization: AVTF TPU Hostel
To: ipfw@freebsd.org
Subject: Re: All I have is one packet!

06.08.07 @ 23:05 Eduardo Meyer wrote:

> I have tried, for many weeks, ng_tag to tag packets for ipfw
> filtering.  I could make it work fine.  However, I have one problem.  I
> want to make a state that will match any packet, on any protocol,
> between the peers.  Why?  Because all I have is one packet.  And this
> packet, however, won't always be in the same transport protocol.
>
> For example, I can identify session initialization on TCP packets, but
> once initialized, all communication between peers happens via UDP.
>
> I know such a thing doesn't exist in ipfw.  However, I would like to
> know if someone can suggest changes to the code that would do this.  It
> would also be great if I could have a sysctl OID to tune the state
> timing of this unusual behavior, differently from the existing sysctl
> MIBs on the "dyn" stuff in ipfw.
>
> Every suggestion on a feature like that would be appreciated.

Yes, dynamic rules in ipfw are not intended for supporting state created
in the middle of the session; with the default sysctl settings it will
be kept for 1 second (which, however, is enough for shaping of fast
transfers).  I think precise controlling of dynamic rules from both
userland and kernel should be added to ipfw, to modify existing rules on
the fly (or even more features, like pfsync).

As a hackish dirty workaround, maybe it should be only one keyword,
something like "keep-state-middle", to create a normal dynamic rule
without the initial SYNs.  But you've said about even more complex
behaviour, like init on TCP, continue with UDP.  That's difficult to
implement in the kernel, and maybe even not suitable for ipfw.
Currently (I think), you can try to emulate this behaviour by
divert'ing the packets tagged by ng_tag to a userland program, like
snort_inline (from the ports collection) with the needed scripting,
which will trigger adding proper rules to the firewall (you should also
care about expiring that connection on SYNs and RSTs, though).

-- 
WBR, Vadim Goncharov

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 10 07:21:31 2007
Date: Fri, 10 Aug 2007 07:21:30 GMT
Message-Id: <200708100721.l7A7LUZF091194@freefall.freebsd.org>
From: remko@FreeBSD.org
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: bin/115372: [ipfw]: "ipfw show" prints ill result.

Old Synopsis: "ipfw show" prints ill result.
New Synopsis: [ipfw]: "ipfw show" prints ill result.

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: remko
Responsible-Changed-When: Fri Aug 10 07:21:13 UTC 2007
Responsible-Changed-Why: 
Reassign to ipfw team.

http://www.freebsd.org/cgi/query-pr.cgi?pr=115372

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 10 08:10:11 2007
Date: Fri, 10 Aug 2007 08:10:10 GMT
Message-Id: <200708100810.l7A8AAMF093704@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: "Andrey V. Elsukov"
Reply-To: "Andrey V. Elsukov"
Subject: Re: bin/115372: [ipfw]: "ipfw show" prints ill result.

The following reply was made to PR bin/115372; it has been noted by GNATS.

From: "Andrey V. Elsukov"
To: bug-followup@FreeBSD.org, turutani@scphys.kyoto-u.ac.jp
Cc: Maxim Konovalov, Oleg Bulyzhin
Subject: Re: bin/115372: [ipfw]: "ipfw show" prints ill result.
Date: Fri, 10 Aug 2007 11:50:02 +0400

Hi, this bug was not introduced by the mentioned commit.
You can see this bug also with the following rules:

# ipfw add allow ip from any to any not ipid 1,2,3,4,5
# ipfw add allow ip from any to any not ipttl 1,2,3,4,5
# ipfw add allow ip from any to any not iplen 1,2,3,4,5

and "not tcpdatalen 1,2,3,4", "not tagged 1,2,3,4".

Can you try this patch?

-- 
WBR, Andrey V. Elsukov

Content-Type: text/plain; name="ipfw2.c.diff.txt"
Content-Disposition: inline; filename="ipfw2.c.diff.txt"

--- src/sbin/ipfw/ipfw2.c.orig	2007-06-18 21:52:37.000000000 +0400
+++ src/sbin/ipfw/ipfw2.c	2007-08-09 20:54:21.749670029 +0400
@@ -668,8 +668,6 @@
 	int i;
 	char const *sep;
 
-	if (cmd->o.len & F_NOT)
-		printf(" not");
 	if (opcode != 0) {
 		sep = match_value(_port_name, opcode);
 		if (sep == NULL)
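Review bot: removing the F_NOT print from print_newports() in this hunk shifts the responsibility for printing " not" onto every caller, and the patch only shows one caller being updated (the next hunk); confirm there is no other call site of print_newports() that still relies on the function printing the negation itself, otherwise a negated port list reached through that path would print without its "not". It would also help to say in the commit message why the check lives better in the caller: the per-option "not" printed by the caller for ipid/ipttl/iplen/tcpdatalen/tagged is what produced the duplicated "not", so the callee must not print a second one.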
@@ -1755,6 +1753,8 @@
 			show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
 			if ((cmd->len & F_OR) && !or_block)
 				printf(" {");
+			if (cmd->len & F_NOT)
+				printf(" not");
 			print_newports((ipfw_insn_u16 *)cmd, proto,
 				(flags & HAVE_OPTIONS) ? cmd->opcode : 0);
 			break;

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 10 09:50:09 2007
Date: Fri, 10 Aug 2007 09:50:08 GMT
Message-Id: <200708100950.l7A9o8WP000994@freefall.freebsd.org>
From: Tsurutani Naoki
Reply-To: Tsurutani Naoki
To: freebsd-ipfw@FreeBSD.org
Subject: Re: bin/115372: [ipfw]: "ipfw show" prints ill result.

The following reply was made to PR bin/115372; it has been noted by GNATS.

From: Tsurutani Naoki
To: bug-followup@FreeBSD.org, "Andrey V. Elsukov"
Cc: Maxim Konovalov, Oleg Bulyzhin
Subject: Re: bin/115372: [ipfw]: "ipfw show" prints ill result.
Date: Fri, 10 Aug 2007 18:30:58 +0900

Hello,

"Andrey V. Elsukov" wrote:
> this bug was not introduced by the mentioned commit.
> You can see this bug also with the following rules:
> # ipfw add allow ip from any to any not ipid 1,2,3,4,5
> # ipfw add allow ip from any to any not ipttl 1,2,3,4,5
> # ipfw add allow ip from any to any not iplen 1,2,3,4,5
> and "not tcpdatalen 1,2,3,4", "not tagged 1,2,3,4".

That's right.  I tried some of the above, and the previous version can
produce a duplicated "not".

On my FreeBSD 6-STABLE host, the patch should be modified (only about
line numbers), like the following:

@@ -632,8 +632,6 @@
 	int i;
 	char const *sep;
 
-	if (cmd->o.len & F_NOT)
-		printf(" not");
 	if (opcode != 0) {
 		sep = match_value(_port_name, opcode);
 		if (sep == NULL)
@@ -1715,6 +1713,8 @@
 			show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
 			if ((cmd->len & F_OR) && !or_block)
 				printf(" {");
+			if (cmd->len & F_NOT)
+				printf(" not");
 			print_newports((ipfw_insn_u16 *)cmd, proto,
 				(flags & HAVE_OPTIONS) ? cmd->opcode : 0);
 			break;

However, I do not know whether it is perfect or insufficient.
Please fix as you think good.

Thank you for your follow-up and patch.
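Review bot: in the second hunk (both in Andrey's patch and in this re-based copy, which differs only in the hunk offsets 632/1715 versus 668/1755) the new F_NOT check is placed after the `printf(" {")` for or-blocks, so a negated port list inside an or-block still prints as ` { not ...` in the same order as before, when print_newports() printed the "not" after the brace; that ordering is intentional and worth a one-line comment in the commit message. The check is a move, not a behaviour change, so the rules from the report (`not ipid 1,2,3,4,5`, `not ipttl 1,2,3,4,5`, `not iplen 1,2,3,4,5`, `not tcpdatalen 1,2,3,4`, `not tagged 1,2,3,4`) plus a plain `not` port list such as a negated `dst-port` range are the regression set to run through `ipfw show` before committing, since the port-list case is the one that now depends solely on the caller.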