From: bugzilla-noreply@freebsd.org
To: freebsd-ipfw@FreeBSD.org
Subject: [Bug 208035] IPFW firewall heap overflow
Date: Mon, 16 May 2016 14:08:33 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-CURRENT

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208035

Andrey V. Elsukov changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |melifaro@FreeBSD.org

--- Comment #1 from Andrey V. Elsukov ---
This code looks like it was left for compatibility with old binaries. Probably it can be completely removed.

From: Rasool Al-Saadi
To: "freebsd-ipfw@freebsd.org", "freebsd-net@freebsd.org"
CC: Grenville Armitage
Subject: Dummynet AQM version 0.2.1
Date: Tue, 17 May 2016 04:27:12 +0000

Dear All,

I would like to announce that we released Dummynet AQM version 0.2.1 (CoDel, FQ-CoDel, PIE and FQ-PIE). This version includes important bug fixes. I highly recommend upgrading to this version.

Project website: http://caia.swin.edu.au/freebsd/aqm/
Patches : http://caia.swin.edu.au/freebsd/aqm/downloads.html
Documentation: http://caia.swin.edu.au/freebsd/aqm/papers.html

Regards,
Rasool Al-Saadi

Subject: Re: Dummynet AQM version 0.2.1
Date: Tue, 17 May 2016 10:06:18 +0200
From: Nikolay Denev
To: Rasool Al-Saadi
Cc: "freebsd-ipfw@freebsd.org", "freebsd-net@freebsd.org", Grenville Armitage

Hi Rasool,

Is the patch supposed to work if DUMMYNET is compiled in the kernel?
I've applied it and rebuilt my kernel but I still see only FIFO, PRIQ, QFQ, RR and WF2Q+ in dmesg.

Regards,
--Nikolay

On Tue, May 17, 2016 at 6:27 AM, Rasool Al-Saadi wrote:
> Dear All,
>
> I would like to announce that we released Dummynet AQM version 0.2.1 (CoDel, FQ-CoDel, PIE and FQ-PIE). This version includes important bug fixes. I highly recommend upgrading to this version.
>
> Project website: http://caia.swin.edu.au/freebsd/aqm/
> Patches : http://caia.swin.edu.au/freebsd/aqm/downloads.html
> Documentation: http://caia.swin.edu.au/freebsd/aqm/papers.html
>
> Regards,
> Rasool Al-Saadi

Date: Tue, 17 May 2016 01:17:34 -0700 (PDT)
From: Don Lewis
Subject: Re: Dummynet AQM version 0.2.1
To: nike_d@cytexbg.com
cc: ralsaadi@swin.edu.au, freebsd-ipfw@freebsd.org, garmitage@swin.edu.au, freebsd-net@freebsd.org

On 17 May, Nikolay Denev wrote:
> Hi Rasool,
>
> Is the patch supposed to work if DUMMYNET is compiled in the kernel?
> I've applied it and rebuilt my kernel but I still see only FIFO, PRIQ,
> QFQ, RR and WF2Q+ in dmesg.

I suspect that the new files need to be added to /usr/src/sys/conf/files.

Date: Tue, 17 May 2016 17:56:51 -0700 (PDT)
From: Don Lewis
Subject: Re: Dummynet AQM version 0.2.1
To: nike_d@cytexbg.com
cc: ralsaadi@swin.edu.au, freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org, garmitage@swin.edu.au

On 17 May, To: nike_d@cytexbg.com wrote:
> On 17 May, Nikolay Denev wrote:
>> Hi Rasool,
>>
>> Is the patch supposed to work if DUMMYNET is compiled in the kernel?
>> I've applied it and rebuilt my kernel but I still see only FIFO, PRIQ,
>> QFQ, RR and WF2Q+ in dmesg.
>
> I suspect that the new files need to be added to
> /usr/src/sys/conf/files.

Index: sys/conf/files =================================================================== --- sys/conf/files (revision 300005) +++ sys/conf/files (working copy)
@@ -3789,8 +3789,12 @@ netnatm/natm.c optional natm netnatm/natm_pcb.c optional natm netnatm/natm_proto.c optional natm +netpfil/ipfw/dn_aqm_codel.c optional inet dummynet +netpfil/ipfw/dn_aqm_pie.c optional inet dummynet netpfil/ipfw/dn_heap.c optional inet dummynet netpfil/ipfw/dn_sched_fifo.c optional inet dummynet +netpfil/ipfw/dn_sched_fq_codel.c optional inet dummynet +netpfil/ipfw/dn_sched_fq_pie.c optional inet dummynet netpfil/ipfw/dn_sched_prio.c optional inet dummynet netpfil/ipfw/dn_sched_qfq.c optional inet dummynet netpfil/ipfw/dn_sched_rr.c optional inet dummynet
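
Review bot: the four added `optional inet dummynet` entries (dn_aqm_codel.c, dn_aqm_pie.c, dn_sched_fq_codel.c, dn_sched_fq_pie.c) are posted with no description and no statement that a kernel with DUMMYNET compiled in was rebuilt with them; the earlier reply only says the files are suspected to be missing from sys/conf/files. Please add a line saying whether a static-kernel build now reports the new AQM schedulers in dmesg alongside FIFO, PRIQ, QFQ, RR and WF2Q+, and ask for this sys/conf/files change to be folded into the AQM patch set so that it is not carried as a separate local diff against revision 300005.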

From: "Andrey V. Elsukov"
To: freebsd-ipfw
Cc: lev@FreeBSD.org, luigi@FreeBSD.org, "Alexander V. Chernikov"
Subject: [RFC] ipfw named states support
Date: Wed, 18 May 2016 17:46:22 +0300

Hi All,

We have the patch that adds named states support to ipfw. The idea is
that we add a symbolic name-label to each dynamic state in addition to
IP addresses, protocol and ports.
This introduces new syntax for check-state and keep-state rules:

  check-state { token | default | any }
  keep-state { token | default }

The @token can contain symbols from the following mask:

  [a-zA-Z0-9\-_\.]{1,63}

How it works
------------

"keep-state NAME" opcode creates state with assigned name NAME. This
state can be matched only by 'keep-state NAME' or 'check-state NAME', or
'check-state any' opcodes.

The "default" name is used for compatibility with old rules. It is
assigned to states when you omit the name on rule creation. So,

  # ipfw add check-state
  # ipfw add allow ip from any to any keep-state

will produce:

  check-state default
  allow ip from any to any keep-state default

But there is one problem, when your rule has some opcodes after
'keep-state' opcode (e.g. "keep-state in"). Such opcodes can be treated
as a state name.

'check-state any' matches states independently from the name.

Why we need this
----------------

This expands flexibility and functionality. Imagine the situation:

  [ LAN1 ] <---> [ FW ] <---> [ LAN2 ]

  add skipto 10000 ip from any to any via lan1
  add skipto 20000 ip from any to any via lan2
  add deny ip from any to any
  add 10000 count ip from any to any
  ...
  add allow ip from to any keep-state in
  add deny ip from any to any
  add 20000 count ip from any to any
  ...
  add allow ip from to any keep-state in
  add deny ip from any to any

The problem is that a state created by first keep-state rule will act on
second keep-state rule and allow traffic to go into (out from router's
point of view) lan2 without any rules actually allowing that.

With named states we can create separate states for each interface and
they will not match when we don't want this.

What I want to discuss
----------------------

1. Is this feature useful?
2. How to commit it? Due to changed syntax it can break existing
   rulesets. Probably, we can add some mandatory prefix to state name,
   e.g. ':'.

-- 
WBR, Andrey V. Elsukov
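
The cross-interface state match and the `keep-state in` parsing ambiguity raised in the named-states RFC above, as an added toy model in Python. This is not code from the patch or from ipfw: the function names, the constructed addresses and the simplified state lookup are assumptions made for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Name mask quoted in the RFC: [a-zA-Z0-9\-_\.]{1,63}
NAME_RE = re.compile(r"[a-zA-Z0-9\-_.]{1,63}")


def split_state_name(tokens, prefix=""):
    """Split the tokens that follow keep-state/check-state into (name, rest).

    prefix="" models the syntax as proposed: any token fitting the mask is
    taken as the state name. prefix=":" models the mandatory-prefix idea.
    A missing name falls back to "default", as the RFC describes.
    """
    if tokens and tokens[0].startswith(prefix):
        candidate = tokens[0][len(prefix):]
        if NAME_RE.fullmatch(candidate):
            return candidate, tokens[1:]
    return "default", tokens


class DynStates:
    """Toy dynamic-state table (hypothetical): each state is (flow, name)."""

    def __init__(self):
        self.states = set()

    @staticmethod
    def flow(pkt):
        # Direction-agnostic key: protocol plus the two endpoints.
        ends = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return pkt["proto"], ends

    def lookup(self, pkt, name):
        # "any" (check-state only) matches states regardless of their name.
        key = self.flow(pkt)
        return any(f == key and name in ("any", n) for f, n in self.states)

    def install(self, pkt, name):
        self.states.add((self.flow(pkt), name))


def keep_state_section(states, pkt, src_net, name):
    """Model `allow ip from SRC_NET to any keep-state NAME in` + `deny ip from any to any`."""
    if states.lookup(pkt, name):            # an existing state is checked first
        return "allow-by-state"
    if pkt["dir"] == "in" and ip_address(pkt["src"]) in ip_network(src_net):
        states.install(pkt, name)           # rule body matched: create the state
        return "allow-new-state"
    return "deny"


# Constructed addressing (documentation range), not taken from the post.
LAN1, LAN2 = "192.0.2.0/25", "192.0.2.128/25"


def forward_lan1_to_lan2(name_lan1, name_lan2):
    """One packet from a LAN1 host to a LAN2 host: verdict entering via lan1, then leaving via lan2."""
    states = DynStates()
    pkt = {"proto": "tcp", "src": "192.0.2.10", "sport": 40000,
           "dst": "192.0.2.200", "dport": 22}
    v_in = keep_state_section(states, dict(pkt, dir="in"), LAN1, name_lan1)    # rules at 10000
    v_out = keep_state_section(states, dict(pkt, dir="out"), LAN2, name_lan2)  # rules at 20000
    return v_in, v_out


if __name__ == "__main__":
    print(split_state_name(["in"]))                # "in" swallowed as a state name
    print(split_state_name(["in"], prefix=":"))    # "in" stays a rule option
    print(forward_lan1_to_lan2("default", "default"))
    print(forward_lan1_to_lan2("lan1", "lan2"))
```

With one shared name the lan2 section admits the packet purely on the state created at lan1; with per-interface names the same packet falls through to the deny rule.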

Date: Sat, 21 May 2016 22:39:37 +0200
Subject: IPW problem
From: "Jack Raats"
To: freebsd-ipfw@freebsd.org

Hi everyone,

I have the following problem.
My home server has 2 NICs

NIC1 bge0
  ip-address 10.10.10.30
  netmask 255.255.255.0
  gateway 10.10.10.100
  ADSL connection 10 Mbit/1 Mbit

NIC2 bge1
  ip-address 10.10.10.32
  netmask 255.255.255.0
  gateway 10.10.10.200
  Cable connection 200 Mbit/20 Mbit

I have to use NIC1 for all services I'm running, but when the home server wants to download something e.g. the ports, then it has to use NIC2

How can this be done using IPFW???
IPFW is compiled in the kernel.
I'm using FreeBSD 10.3-STABLE

Thanks for the help
Jack