From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 25 17:48:26 2010
Date: Sun, 25 Jul 2010 17:48:25 GMT
Message-Id: <201007251748.o6PHmPOM031001@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: linimon@FreeBSD.org
Subject: Re: kern/148928: [ipfw] Problem with loading of ipfw NAT rules during system startup

Old Synopsis: Problem with loading of ipfw NAT rules during system startup
New Synopsis: [ipfw] Problem with loading of ipfw NAT rules during system startup

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Jul 25 17:48:11 UTC 2010
Responsible-Changed-Why: Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=148928

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 26 07:05:39 2010
Message-ID: <4C4D2DA0.8030402@gmail.com>
Date: Mon, 26 Jul 2010 08:39:28 +0200
From: Matias
To: freebsd-ipfw@freebsd.org
Subject: ipfw/dummynet in 8.1

Hi,

I've read in the release notes that ipfw and dummynet have been improved. I wonder if with 8.1 it will be possible to bridge a VLAN trunk and filter VLAN-tagged frames (actually, send packets to a dummynet queue for traffic shaping).

I've tried this with 8.0, but it seems like ipfw does not understand VLAN-tagged frames on a bridge between two ports connected to a trunk switch port (no traffic is being sent to the dummynet pipes when trying to match by IP address).

Should this be possible to do?

Thanks!

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 26 11:07:04 2010
Date: Mon, 26 Jul 2010 11:07:03 GMT
Message-Id: <201007261107.o6QB73NE080707@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/148928  ipfw   [ipfw] Problem with loading of ipfw NAT rules during s
o kern/148885  ipfw   [ipfw] [patch] ipfw netgraph ignores net.inet.ip.fw.on
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw   [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148429  ipfw   net.inet.ip.dummynet.io_fast broken or documentation i
o kern/148157  ipfw   [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE
o conf/148144  ipfw   [patch] add ipfw_nat support for rc.firewall simple ty
o conf/148137  ipfw   [ipfw] call order of natd and ipfw startup scripts
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
o kern/147720  ipfw   [ipfw] ipfw dynamic rules and fwd
o kern/145733  ipfw   [ipfw] [patch] ipfw flaws with ipv6 fragments
o kern/145305  ipfw   [ipfw] ipfw problems, panics, data corruption, ipv6 so
o kern/145167  ipfw   [ipfw] ipfw nat does not follow its documentation
o kern/144869  ipfw   [ipfw] [panic] Instant kernel panic when adding NAT ru
o kern/144269  ipfw   [ipfw] problem with ipfw tables
o kern/144187  ipfw   [ipfw] deadlock using multiple ipfw nat and multiple l
o kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143653  ipfw   [ipfw] [patch] ipfw nat redirect_port "buf is too smal
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/143474  ipfw   [ipfw] ipfw table contains the same address
f kern/142951  ipfw   [dummynet] using pipes&queues gives OUCH! pipe should
o kern/139581  ipfw   [ipfw] "ipfw pipe" not limiting bandwidth
o kern/139226  ipfw   [ipfw] install_state: entry already present, done
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/136695  ipfw   [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw   [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw   [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw   [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw   [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw   [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw   [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw   [ipfw] IPFW check state does not work =(
o kern/129093  ipfw   [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw   [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw   [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o bin/117214   ipfw   ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

81 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 27 14:27:08 2010
Date: Tue, 27 Jul 2010 14:27:08 GMT
Message-Id: <201007271427.o6RER8V9028282@freefall.freebsd.org>
To: nnd@mail.nsk.ru, glebius@FreeBSD.org, freebsd-ipfw@FreeBSD.org, glebius@FreeBSD.org
From: glebius@FreeBSD.org
Subject: Re: kern/148885: [ipfw] [patch] ipfw netgraph ignores net.inet.ip.fw.one_pass

Synopsis: [ipfw] [patch] ipfw netgraph ignores net.inet.ip.fw.one_pass

State-Changed-From-To: open->patched
State-Changed-By: glebius
State-Changed-When: Tue Jul 27 14:26:36 UTC 2010
State-Changed-Why: Committed to head/. Thanks!

Responsible-Changed-From-To: freebsd-ipfw->glebius
Responsible-Changed-By: glebius
Responsible-Changed-When: Tue Jul 27 14:26:36 UTC 2010
Responsible-Changed-Why: I'll handle this.

http://www.freebsd.org/cgi/query-pr.cgi?pr=148885

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 29 12:48:06 2010
From: Dmukha Nikolay
To: freebsd-ipfw@freebsd.org
Message-Id: <71291280407682@web35.yandex.ru>
Date: Thu, 29 Jul 2010 16:48:02 +0400
Subject: ipfw3: Cannot allocate memory

Hello.

There is some problem with ipfw3 from Luigi Rizzo.

uname -a:
FreeBSD test 8.0-STABLE-201005 FreeBSD 8.0-STABLE-201005 #0: Wed Jul 28 12:04:29 MSD 2010 root@test:/usr/src/sys/amd64/compile/MYKERNEL amd64

The rules in /etc/rc.firewall are like:

...
$IPFW pipe 11 config bw 1040Kbit/s mask dst-ip 0xffffffff
$IPFW pipe 12 config bw 1040Kbit/s mask src-ip 0xffffffff

########pipe 11
$IPFW sched 11 config type QFQ mask dst-ip 0xffffff00
$IPFW queue 113 config sched 11 weight 4
$IPFW queue 114 config sched 11 weight 1
$IPFW add queue 113 ip from any to table\(10\) via igb0 out proto tcp src-port 5223, 2009, 2106, 3724, 6112, 6881-6999, 7777, 27000-27050, 42292
$IPFW add queue 113 ip from any to table\(10\) via igb0 out proto icmp
$IPFW add queue 114 ip from any to table\(10\) via igb0 out
$IPFW add queue 113 ip from any to table\(10\) via igb2 out proto tcp src-port 5223, 2009, 2106, 3724, 6112, 6881-6999, 7777, 27000-27050, 42292
$IPFW add queue 113 ip from any to table\(10\) via igb2 out proto icmp
$IPFW add queue 114 ip from any to table\(10\) via igb2 out

########pipe 12
$IPFW sched 12 config type QFQ mask src-ip 0xffffff00
$IPFW queue 123 config sched 12 weight 4
$IPFW queue 124 config sched 12 weight 1
$IPFW add queue 123 ip from table\(11\) to any via igb1 out proto tcp dst-port 5223, 2009, 2106, 3724, 6112, 6881-6999, 7777, 27000-27050, 42292
$IPFW add queue 123 ip from table\(11\) to any via igb1 out proto icmp
$IPFW add queue 124 ip from table\(11\) to any via igb1 out
$IPFW add queue 123 ip from table\(11\) to any via igb3 out proto tcp dst-port 5223, 2009, 2106, 3724, 6112, 6881-6999, 7777, 27000-27050, 42292
$IPFW add queue 123 ip from table\(11\) to any via igb3 out proto icmp
$IPFW add queue 124 ip from table\(11\) to any via igb3 out
...

Every morning a script restarts the firewall at 6 o'clock. There were no problems with it for a few months. But in the morning I saw the messages below and the firewall doesn't work correctly:

...
update_fs fs 111 for sch 11 not 20 still unlinked
config_sched cannot allocate scheduler 65556
ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Cannot allocate memory
....

And so on for all my schedulers and queues. I tried to restart ipfw by hand, but had no good results - the same messages. The firewall worked correctly after rebooting the system.

Do you know what the problem with ipfw is?

Thanks.