From owner-freebsd-ipfw@FreeBSD.ORG Sun Feb 22 09:31:44 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4FC3F16A4CF; Sun, 22 Feb 2004 09:31:44 -0800 (PST) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3179143D1F; Sun, 22 Feb 2004 09:31:44 -0800 (PST) (envelope-from dwmalone@FreeBSD.org) Received: from freefall.freebsd.org (dwmalone@localhost [127.0.0.1]) i1MHVibv027953; Sun, 22 Feb 2004 09:31:44 -0800 (PST) (envelope-from dwmalone@freefall.freebsd.org) Received: (from dwmalone@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i1MHVhpU027949; Sun, 22 Feb 2004 09:31:43 -0800 (PST) (envelope-from dwmalone) Date: Sun, 22 Feb 2004 09:31:43 -0800 (PST) 
From: David Malone Message-Id: <200402221731.i1MHVhpU027949@freefall.freebsd.org> To: oleg@rinet.ru, dwmalone@FreeBSD.org, ipfw@FreeBSD.org Subject: Re: kern/62385: [PATCH] ipfw2: ip_output() returns ENOBUFS instead of EACCES X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Feb 2004 17:31:44 -0000 Synopsis: [PATCH] ipfw2: ip_output() returns ENOBUFS instead of EACCES State-Changed-From-To: open->closed State-Changed-By: dwmalone State-Changed-When: Sun Feb 22 09:31:13 PST 2004 State-Changed-Why: Fixed in -current and -stable. Thanks for the patch. http://www.freebsd.org/cgi/query-pr.cgi?pr=62385 From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 23 08:41:16 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B62F716A4CE; Mon, 23 Feb 2004 08:41:16 -0800 (PST) Received: from kozlik.carrier.kiev.ua (kozlik.carrier.kiev.ua [193.193.193.111]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0FC3443D2D; Mon, 23 Feb 2004 08:41:16 -0800 (PST) (envelope-from news@pandora.alkar.net) Received: from news.lucky.net (IDENT:root@news.lucky.net [193.193.193.102]) by kozlik.carrier.kiev.ua with ESMTP id i2NGfBcl055656; Mon, 23 Feb 2004 18:41:12 +0200 (EET) (envelope-from news@pandora.alkar.net) Received: (from mail@localhost) by news.lucky.net (8.Who.Cares/8.Who.Cares) id SNX13265; Mon, 23 Feb 2004 18:36:09 +0200 (envelope-from news@pandora.alkar.net) 
From: Alexander Motin To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Date: Mon, 23 Feb 2004 18:25:49 +0200 Organization: Alkar Teleport News Server Message-ID: References: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="------------080204090202030100030402" X-Trace: pandora.alkar.net 1077553549 33615 212.86.226.11 (23 Feb 2004 16:25:49 GMT) X-Complaints-To: abuse@alkar.net User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040119 X-Accept-Language: ru, en-us, en In-Reply-To: Sender: Alkar Teleport News Subsystem X-Verify-Sender: verified Subject: Re: Generating 'Fragment Needed but DF was Set' ICMP & Dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Feb 2004 16:41:16 -0000 This is a multi-part message in MIME format. --------------080204090202030100030402 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Here are my patches for this problem for FreeBSD 4.8 and 5.2. Review them please. Alexander Motin wrote: > I observe a strange thing. When I create dummynet pipe on output router > interface with lower MTU system stops to generate 'Fragment Needed but > DF was Set' ICMP in cases when it must. If I create this pipe on > incoming interface there is no problem. > > I check this on many routers under 4.8 and 5.2 FreeBSD. > > Is this a bug or feature? :) How pipes can be created leaving ICMP > generation working? -- Alexander Motin --------------080204090202030100030402 Content-Type: text/plain; name="dn_df_48.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="dn_df_48.patch" --- ip_dummynet.c.orig Wed May 28 01:36:02 2003 +++ ip_dummynet.c Sat Feb 21 12:49:11 2004 @@ -81,6 +81,7 @@ #include #include #include +#include #include /* for struct arpcom */ #include 
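Review bot: the added #include in this hunk has lost its header name in the archived copy, so a reviewer cannot see which header it pulls in; since the transmit_event() hunk that follows introduces icmp_error() and the ICMP_UNREACH / ICMP_UNREACH_NEEDFRAG constants, it should be the header that declares those, and a short trailing comment (the way the neighbouring `/* for struct arpcom */` include is annotated) would make that obvious in the source.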
@@ -407,6 +408,9 @@ transmit_event(struct dn_pipe *pipe) { struct dn_pkt *pkt ; + struct mbuf *mcopy; + struct ip *ip; + int error, type, code; while ( (pkt = pipe->head) && DN_KEY_LEQ(pkt->output_time, curr_time) ) { /* @@ -426,7 +430,39 @@ */ switch (pkt->dn_dir) { case DN_TO_IP_OUT: - (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL, NULL); + MGET(mcopy, M_DONTWAIT, pkt->dn_m->m_type); + if (mcopy != NULL && !m_dup_pkthdr(mcopy, pkt->dn_m, M_DONTWAIT)) { + m_free(mcopy); + mcopy = NULL; + } + if (mcopy != NULL) { + ip = mtod(pkt->dn_m, struct ip *); + mcopy->m_len = imin((ip->ip_hl << 2) + 8, + (int)ip->ip_len); + m_copydata(pkt->dn_m, 0, mcopy->m_len, mtod(mcopy, caddr_t)); + } + + error = ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL, NULL); + + if (mcopy != NULL) { + switch (error) { + case ENETUNREACH: + case EHOSTUNREACH: + case ENETDOWN: + case EHOSTDOWN: + type = ICMP_UNREACH; + code = ICMP_UNREACH_HOST; + icmp_error(mcopy, type, code, 0, pkt->ifp); + break; + case EMSGSIZE: + type = ICMP_UNREACH; + code = ICMP_UNREACH_NEEDFRAG; + icmp_error(mcopy, type, code, 0, pkt->ifp); + break; + default: + m_freem(mcopy); + }; + }; rt_unref (pkt->ro.ro_rt) ; break ; --------------080204090202030100030402 Content-Type: text/plain; name="dn_df_52.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="dn_df_52.patch" --- ip_dummynet.c.orig Mon Dec 8 11:50:54 2003 +++ ip_dummynet.c Sat Feb 21 12:17:44 2004 @@ -73,6 +73,7 @@ #include #include #include +#include #include /* for struct arpcom */ #include @@ -426,6 +427,9 @@ transmit_event(struct dn_pipe *pipe) { struct dn_pkt *pkt ; + struct mbuf *mcopy; + struct ip *ip; + int error, type, code; DUMMYNET_LOCK_ASSERT(); 
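Review bot: in the DN_TO_IP_OUT hunk above (the 5.2 patch repeats it unchanged apart from the rt_unref() call) the mbuf copy for the ICMP error is taken for every packet the pipe transmits, before ip_output() has reported anything, so each packet now costs an MGET plus m_dup_pkthdr() and m_copydata() even though the copy is simply freed in the default arm whenever ip_output() succeeds. Consider taking the copy only when it can actually be needed (for example when DF is set and ip_len exceeds the MTU of pkt->ifp), or, as Andre proposes later in this thread, teach ip_output() to leave the packet to the caller on error. Two smaller points: `type` and `code` are assigned once and passed straight through, so `icmp_error(mcopy, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, pkt->ifp);` reads better without them, and the `};` after both closing braces leaves stray empty statements. It is also worth confirming that pkt->ifp, passed as the last argument, is the interface whose MTU should be reported in the NEEDFRAG message, since that is what the receiver's path MTU discovery will act on.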
@@ -449,7 +453,39 @@ */ switch (pkt->dn_dir) { case DN_TO_IP_OUT: - (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL, NULL); + MGET(mcopy, M_DONTWAIT, pkt->dn_m->m_type); + if (mcopy != NULL && !m_dup_pkthdr(mcopy, pkt->dn_m, M_DONTWAIT)) { + m_free(mcopy); + mcopy = NULL; + } + if (mcopy != NULL) { + ip = mtod(pkt->dn_m, struct ip *); + mcopy->m_len = imin((ip->ip_hl << 2) + 8, + (int)ip->ip_len); + m_copydata(pkt->dn_m, 0, mcopy->m_len, mtod(mcopy, caddr_t)); + } + + error = ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL, NULL); + + if (mcopy != NULL) { + switch (error) { + case ENETUNREACH: + case EHOSTUNREACH: + case ENETDOWN: + case EHOSTDOWN: + type = ICMP_UNREACH; + code = ICMP_UNREACH_HOST; + icmp_error(mcopy, type, code, 0, pkt->ifp); + break; + case EMSGSIZE: + type = ICMP_UNREACH; + code = ICMP_UNREACH_NEEDFRAG; + icmp_error(mcopy, type, code, 0, pkt->ifp); + break; + default: + m_freem(mcopy); + }; + }; rt_unref (pkt->ro.ro_rt, __func__) ; break ; --------------080204090202030100030402-- From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 23 09:02:59 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B09ED16A4CE for ; Mon, 23 Feb 2004 09:02:59 -0800 (PST) Received: from mailtoaster1.pipeline.ch (mailtoaster1.pipeline.ch [62.48.0.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 026BB43D31 for ; Mon, 23 Feb 2004 09:02:59 -0800 (PST) (envelope-from andre@freebsd.org) Received: (qmail 34009 invoked from network); 23 Feb 2004 17:02:57 -0000 Received: from unknown (HELO freebsd.org) ([62.48.0.53]) (envelope-sender ) by mailtoaster1.pipeline.ch (qmail-ldap-1.03) with SMTP for ; 23 Feb 2004 17:02:57 -0000 Message-ID: <403A323C.A8685981@freebsd.org> Date: Mon, 23 Feb 2004 18:02:52 +0100 
From: Andre Oppermann X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Alexander Motin References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org cc: freebsd-ipfw@freebsd.org Subject: Re: Generating 'Fragment Needed but DF was Set' ICMP & Dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Feb 2004 17:02:59 -0000 Alexander Motin wrote: > > Here are my patches for this problem for FreeBSD 4.8 and 5.2. > Review them please. Doing a mcopy is pretty ugly... but ip_output() doesn't offer any way of saying "don't flush packet but leave it for icmp error messages". So the better fix would be to teach that to ip_output() and change the callers accordingly. Actually I'll have a patch to do that ready in a couple of hours. Then I'll commit your patch w/o the packet copying stuff. Good catch Alexander, send more(1)! :-) -- Andre > Alexander Motin wrote: > > I observe a strange thing. When I create dummynet pipe on output router > > interface with lower MTU system stops to generate 'Fragment Needed but > > DF was Set' ICMP in cases when it must. If I create this pipe on > > incoming interface there is no problem. > > > > I check this on many routers under 4.8 and 5.2 FreeBSD. > > > > Is this a bug or feature? :) How pipes can be created leaving ICMP > > generation working? > > -- > Alexander Motin > > -------------------------------------------------------------------------------- > --- ip_dummynet.c.orig Wed May 28 01:36:02 2003 > +++ ip_dummynet.c Sat Feb 21 12:49:11 2004 > @@ -81,6 +81,7 @@ > #include > #include > #include > +#include > > #include /* for struct arpcom */ > #include 
> @@ -407,6 +408,9 @@ > transmit_event(struct dn_pipe *pipe) > { > struct dn_pkt *pkt ; > + struct mbuf *mcopy; > + struct ip *ip; > + int error, type, code; > > while ( (pkt = pipe->head) && DN_KEY_LEQ(pkt->output_time, curr_time) ) { > /* > @@ -426,7 +430,39 @@ > */ > switch (pkt->dn_dir) { > case DN_TO_IP_OUT: > - (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL, NULL); > + MGET(mcopy, M_DONTWAIT, pkt->dn_m->m_type); > + if (mcopy != NULL && !m_dup_pkthdr(mcopy, pkt->dn_m, M_DONTWAIT)) { > + m_free(mcopy); > + mcopy = NULL; > + } > + if (mcopy != NULL) { > + ip = mtod(pkt->dn_m, struct ip *); > + mcopy->m_len = imin((ip->ip_hl << 2) + 8, > + (int)ip->ip_len); > + m_copydata(pkt->dn_m, 0, mcopy->m_len, mtod(mcopy, caddr_t)); > + } > + > + error = ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL, NULL); > + > + if (mcopy != NULL) { > + switch (error) { > + case ENETUNREACH: > + case EHOSTUNREACH: > + case ENETDOWN: > + case EHOSTDOWN: > + type = ICMP_UNREACH; > + code = ICMP_UNREACH_HOST; > + icmp_error(mcopy, type, code, 0, pkt->ifp); > + break; > + case EMSGSIZE: > + type = ICMP_UNREACH; > + code = ICMP_UNREACH_NEEDFRAG; > + icmp_error(mcopy, type, code, 0, pkt->ifp); > + break; > + default: > + m_freem(mcopy); > + }; > + }; > rt_unref (pkt->ro.ro_rt) ; > break ; > > > -------------------------------------------------------------------------------- > --- ip_dummynet.c.orig Mon Dec 8 11:50:54 2003 > +++ ip_dummynet.c Sat Feb 21 12:17:44 2004 > @@ -73,6 +73,7 @@ > #include > #include > #include > +#include > > #include /* for struct arpcom */ > #include > @@ -426,6 +427,9 @@ > transmit_event(struct dn_pipe *pipe) > { > struct dn_pkt *pkt ; > + struct mbuf *mcopy; > + struct ip *ip; > + int error, type, code; > > DUMMYNET_LOCK_ASSERT(); 
> > @@ -449,7 +453,39 @@ > */ > switch (pkt->dn_dir) { > case DN_TO_IP_OUT: > - (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL, NULL); > + MGET(mcopy, M_DONTWAIT, pkt->dn_m->m_type); > + if (mcopy != NULL && !m_dup_pkthdr(mcopy, pkt->dn_m, M_DONTWAIT)) { > + m_free(mcopy); > + mcopy = NULL; > + } > + if (mcopy != NULL) { > + ip = mtod(pkt->dn_m, struct ip *); > + mcopy->m_len = imin((ip->ip_hl << 2) + 8, > + (int)ip->ip_len); > + m_copydata(pkt->dn_m, 0, mcopy->m_len, mtod(mcopy, caddr_t)); > + } > + > + error = ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL, NULL); > + > + if (mcopy != NULL) { > + switch (error) { > + case ENETUNREACH: > + case EHOSTUNREACH: > + case ENETDOWN: > + case EHOSTDOWN: > + type = ICMP_UNREACH; > + code = ICMP_UNREACH_HOST; > + icmp_error(mcopy, type, code, 0, pkt->ifp); > + break; > + case EMSGSIZE: > + type = ICMP_UNREACH; > + code = ICMP_UNREACH_NEEDFRAG; > + icmp_error(mcopy, type, code, 0, pkt->ifp); > + break; > + default: > + m_freem(mcopy); > + }; > + }; > rt_unref (pkt->ro.ro_rt, __func__) ; > break ; > > > -------------------------------------------------------------------------------- > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 23 09:07:35 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 94A6216A4CE for ; Mon, 23 Feb 2004 09:07:35 -0800 (PST) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.171]) by mx1.FreeBSD.org (Postfix) with ESMTP id 57AC343D1F for ; Mon, 23 Feb 2004 09:07:35 -0800 (PST) (envelope-from max@love2party.net) Received: from [212.227.126.205] (helo=mrelayng.kundenserver.de) by moutng.kundenserver.de with esmtp (Exim 3.35 #1) id 
1AvJYM-0002p7-00 for freebsd-ipfw@freebsd.org; Mon, 23 Feb 2004 18:07:34 +0100 Received: from [80.131.154.186] (helo=vampire.homelinux.org) by mrelayng.kundenserver.de with asmtp (Exim 3.35 #1) id 1AvJYL-0002YE-00 for freebsd-ipfw@freebsd.org; Mon, 23 Feb 2004 18:07:33 +0100 Received: (qmail 32912 invoked from network); 23 Feb 2004 17:11:49 -0000 Received: from unknown (HELO fbsd52.laiers.local) (192.168.4.88) by 192.168.4.1 with SMTP; 23 Feb 2004 17:11:49 -0000 
From: Max Laier To: Alexander Motin , freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Date: Mon, 23 Feb 2004 18:07:29 +0100 User-Agent: KMail/1.5.4 References: In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Message-Id: <200402231807.29317.max@love2party.net> X-Provags-ID: kundenserver.de abuse@kundenserver.de auth:e28873fbe4dbe612ce62ab869898ff08 Subject: Re: Generating 'Fragment Needed but DF was Set' ICMP & Dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Feb 2004 17:07:35 -0000

On Monday 23 February 2004 17:25, Alexander Motin wrote:
> Here are my patches for this problem for FreeBSD 4.8 and 5.2.
> Review them please.

Looks good, though you might want to make sure to update statistics (ipstat.ips_cantfrag++). And maybe lose the type and code vars - you don't really use them:

-                       type = ICMP_UNREACH;
-                       code = ICMP_UNREACH_HOST;
-                       icmp_error(mcopy, type, code, 0, pkt->ifp);
+                       icmp_error(mcopy, ICMP_UNREACH, ICMP_UNREACH_HOST,
+                           0, pkt->ifp);

Also note that this patch will require some work after the MT_TAG remove http://people.freebsd.org/~mlaier/mt_tag_remove.diff as pkt is freed with the mbuf. I'll keep it in mind.
-- 
Best regards,                                   | mlaier@freebsd.org
Max Laier                                       | ICQ #67774661
http://pf4freebsd.love2party.net/               | mlaier@EFnet

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 23 09:56:57 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9238B16A4CE; Mon, 23 Feb 2004 09:56:57 -0800 (PST) Received: from mail.alkar.net (mail.alkar.net [195.248.191.95]) by mx1.FreeBSD.org (Postfix) with ESMTP id A1A4E43D1D; Mon, 23 Feb 2004 09:56:56 -0800 (PST) (envelope-from mav@alkar.net) Received: from [195.248.178.122] (HELO alkar.net) by mail.alkar.net (CommuniGate Pro SMTP 4.1.8) with ESMTP id 148536741; Mon, 23 Feb 2004 19:56:55 +0200 Message-ID: <403A3EE8.2000302@alkar.net> Date: Mon, 23 Feb 2004 19:56:56 +0200
From: Alexander Motin User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030827 X-Accept-Language: ru, uk, en-us, en MIME-Version: 1.0 To: Max Laier References: <200402231807.29317.max@love2party.net> In-Reply-To: <200402231807.29317.max@love2party.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org cc: freebsd-ipfw@freebsd.org Subject: Re: Generating 'Fragment Needed but DF was Set' ICMP & Dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Feb 2004 17:56:57 -0000 Max Laier wrote: > On Monday 23 February 2004 17:25, Alexander Motin wrote: > >>Here are my patches for this problem for FreeBSD 4.8 and 5.2. >>Review them please. > > > Looks good, though you might want to make sure to update statistics > (ipstat.ips_cantfrag++). It is already incremented inside ip_output(). > And maybe lose the type and code vars - you > don't really use them: > - type = ICMP_UNREACH; > - code = ICMP_UNREACH_HOST; > - icmp_error(mcopy, type, code, 0, pkt->ifp); > + icmp_error(mcopy, ICMP_UNREACH, ICMP_UNREACH_HOST, > + 0, pkt->ifp); Of course. As you wish. :) > Also note that this patch will require some work after the MT_TAG remove > http://people.freebsd.org/~mlaier/mt_tag_remove.diff as pkt is freed with > the mbuf. I'll keep it in mind. Yes, but this was only the sample to highlight the problem. :) There also some part of code from ip_forward() about IPSEC MTU can be duplicated. 
-- Alexander Motin mav@alkar.net ISP "Alkar-Teleport" From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 23 10:03:53 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6885316A4CE; Mon, 23 Feb 2004 10:03:53 -0800 (PST) Received: from mail.alkar.net (mail.alkar.net [195.248.191.95]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3FB2B43D1D; Mon, 23 Feb 2004 10:03:52 -0800 (PST) (envelope-from mav@alkar.net) Received: from [195.248.178.122] (HELO alkar.net) by mail.alkar.net (CommuniGate Pro SMTP 4.1.8) with ESMTP id 148538026; Mon, 23 Feb 2004 20:03:50 +0200 Message-ID: <403A4085.6070202@alkar.net> Date: Mon, 23 Feb 2004 20:03:49 +0200 
From: Alexander Motin User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030827 X-Accept-Language: ru, uk, en-us, en MIME-Version: 1.0 To: Andre Oppermann References: <403A323C.A8685981@freebsd.org> In-Reply-To: <403A323C.A8685981@freebsd.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-net@freebsd.org cc: freebsd-ipfw@freebsd.org Subject: Re: Generating 'Fragment Needed but DF was Set' ICMP & Dummynet X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Feb 2004 18:03:53 -0000 Andre Oppermann wrote: > Alexander Motin wrote: > >>Here are my patches for this problem for FreeBSD 4.8 and 5.2. >>Review them please. > > Doing a mcopy is pretty ugly... but ip_output() doesn't offer any way > of saying "don't flush packet but leave it for icmp error messages". > > So the better fix would be to teach that to ip_output() and change > the callers accordingly. Actually I'll have a patch to do that ready > in a couple of hours. Then I'll commit your patch w/o the packet > copying stuff. This was taken from ip_forward(). :) If you say that it can be reworked here then it can be reworked there too for increasing performance. 
-- Alexander Motin mav@alkar.net ISP "Alkar-Teleport" From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 23 11:02:07 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2765616A4D0 for ; Mon, 23 Feb 2004 11:02:07 -0800 (PST) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 223F843D2F for ; Mon, 23 Feb 2004 11:02:06 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.10/8.12.10) with ESMTP id i1NJ26bv035640 for ; Mon, 23 Feb 2004 11:02:06 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.10/8.12.10/Submit) id i1NJ26Tw035634 for ipfw@freebsd.org; Mon, 23 Feb 2004 11:02:06 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 23 Feb 2004 11:02:06 -0800 (PST) Message-Id: <200402231902.i1NJ26Tw035634@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f 
From: FreeBSD bugmaster To: ipfw@FreeBSD.org Subject: Current problem reports assigned to you X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Feb 2004 19:02:07 -0000

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw  ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw  ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw  ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems
S Submitted    Tracker     Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw  Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw  [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw  ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw  IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw  ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw  [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw  ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw  ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw  [patch] time based firewalling support fo
o [2003/12/29] kern/60719  ipfw  ipfw: Headerless fragments generate cryp

10 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Wed Feb 25 10:55:56 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2249F16A4CE for ; Wed, 25 Feb 2004 10:55:56 -0800 (PST) Received: from numeri.campus.luth.se (numeri.campus.luth.se [130.240.197.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 75CCF43D1F for ; Wed, 25 Feb 2004 10:55:55 -0800 (PST) (envelope-from k@numeri.campus.luth.se) Received: from numeri.campus.luth.se (localhost [127.0.0.1]) i1PItsRv060931 for ; Wed, 25 Feb 2004 19:55:54 +0100 (CET) (envelope-from k@numeri.campus.luth.se) Received: (from k@localhost) by numeri.campus.luth.se (8.12.10/8.12.10/Submit) id i1PItrxr060930 for ipfw@freebsd.org; Wed, 25 Feb 2004 19:55:53 +0100 (CET) (envelope-from k) Date: Wed, 25 Feb 2004 19:55:53 +0100 
From: Johan Karlsson To: ipfw@freebsd.org Message-ID: <20040225185553.GA53607@numeri.campus.luth.se> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="1yeeQ81UyVL57Vl7" Content-Disposition: inline User-Agent: Mutt/1.4.1i Subject: WARNS cleanup for ip6fw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Feb 2004 18:55:56 -0000 --1yeeQ81UyVL57Vl7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hi I intend to commit the attached patch to make ip6fw WARNS=2 clean. It removes an unused variable and includes to get a prototype for the _long_to_time function. Any objections? /Johan K -- Johan Karlsson mailto:johan@FreeBSD.org --1yeeQ81UyVL57Vl7 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ip6fw.diff" Index: sbin/ip6fw/Makefile =================================================================== RCS file: /home/ncvs/src/sbin/ip6fw/Makefile,v retrieving revision 1.5 diff -u -r1.5 Makefile --- sbin/ip6fw/Makefile 23 Feb 2004 20:13:52 -0000 1.5 +++ sbin/ip6fw/Makefile 25 Feb 2004 18:44:20 -0000 @@ -1,7 +1,7 @@ # $FreeBSD: src/sbin/ip6fw/Makefile,v 1.5 2004/02/23 20:13:52 johan Exp $ PROG= ip6fw -WARNS?= 0 +WARNS?= 2 MAN= ip6fw.8 .include Index: sbin/ip6fw/ip6fw.c =================================================================== RCS file: /home/ncvs/src/sbin/ip6fw/ip6fw.c,v retrieving revision 1.16 diff -u -r1.16 ip6fw.c --- sbin/ip6fw/ip6fw.c 18 Feb 2004 15:56:53 -0000 1.16 +++ sbin/ip6fw/ip6fw.c 25 Feb 2004 18:47:30 -0000 @@ -68,6 +68,7 @@ #include #include #include +#include #include #include #include 
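Review bot: the added #include in the ip6fw.c hunk has lost its header name in this archived copy and is justified only by the cover note, which says it supplies the prototype for _long_to_time(); a short trailing comment naming that function would document in the source why the include is there, the way the ip_dummynet.c patches earlier in this digest annotate their `/* for struct arpcom */` include, and makes it clear which WARNS=2 warning it silences.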
@@ -839,8 +840,6 @@ ifu->fu_via_ip6 = in6addr_any; *byname = 0; } else if (!isdigit(*arg)) { - char *q; - *byname = 1; strlcpy(ifu->fu_via_if.name, arg, sizeof(ifu->fu_via_if.name)); /* --1yeeQ81UyVL57Vl7-- From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 26 22:19:15 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2854716A4CE for ; Thu, 26 Feb 2004 22:19:15 -0800 (PST) Received: from freebsd.org (unknown [193.140.144.11]) by mx1.FreeBSD.org (Postfix) with SMTP id DD21D43D2D for ; Thu, 26 Feb 2004 22:18:57 -0800 (PST) (envelope-from rizzo@icir.org) From: rizzo@icir.org To: freebsd-ipfw@freebsd.org Date: Fri, 27 Feb 2004 08:18:46 +0200 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="28784266" Message-Id: <20040227061857.DD21D43D2D@mx1.FreeBSD.org> X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: information X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Feb 2004 06:19:15 -0000 --28784266 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit something is going wrong --28784266-- From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 27 05:09:38 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3766E16A503 for ; Fri, 27 Feb 2004 05:09:38 -0800 (PST) Received: from mail.zvezda.number.ru (unknown [213.247.150.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id 83B4743D1F for ; Fri, 27 Feb 2004 05:09:37 -0800 (PST) (envelope-from blacksir@number.ru) Received: from host212-5-99-220.izmaylovo.ru ([212.5.99.220] helo=blacksir) by mail.zvezda.number.ru with smtp (Exim) id 1Awhk7-00051h-6J for ; Fri, 27 Feb 2004 16:09:27 +0300 
From: "Vasenin Alexander aka BlackSir" To: "Freebsd-Ipfw@Freebsd. Org" Date: Fri, 27 Feb 2004 16:09:22 +0300 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300 Importance: Normal Subject: ipfw2 & kern/60377 patch (tee) does not work together? X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Feb 2004 13:09:38 -0000

Anyone tried to use kern/60377 patch with ipfw2? (Solving 'tee' problem)
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/60377

I've installed it (with the final correction (misplaced return)), recompiled kernel & ipfw. When I type `ipfw sh` I've got only error message

    ipfw: getsockopt(IP_FW_GET): Protocol not available

Attempt to add any rule follows this message:

    ipfw: getsockopt(IP_FW_ADD): Protocol not available

Maybe this patch & ipfw2 cannot coexist?

BlackSir

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 27 08:39:14 2004 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F29F416A4CE for ; Fri, 27 Feb 2004 08:39:13 -0800 (PST) Received: from conch.msen.com (msen.com [148.59.19.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id AF19043D2D for ; Fri, 27 Feb 2004 08:39:13 -0800 (PST) (envelope-from mgoward@mail.msen.com) Received: from conch.msen.com (mgoward@localhost [127.0.0.1]) by conch.msen.com (8.12.10/8.12.10) with ESMTP id i1RGdDOk011789 for ; Fri, 27 Feb 2004 11:39:13 -0500 (EST) Received: (from mgoward@localhost) by conch.msen.com (8.12.10/8.12.10/Submit) id i1RGdCxx011788 for freebsd-ipfw@freebsd.org; Fri, 27 Feb 2004 11:39:12 -0500 (EST) Date: Fri, 27 Feb 2004 11:39:12 -0500
From: Matthew Goward To: freebsd-ipfw@freebsd.org Message-ID: <20040227113912.S8241@conch.msen.com> Mail-Followup-To: freebsd-ipfw@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i Subject: Gathering data via Divert Sockets X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 27 Feb 2004 16:39:14 -0000

I am currently playing with a toy app using divert and ipfw on 5.2.1. One of the bits of info I am trying to get ahold of is the rule number in ipfw that sent the diverted packet over to me. The DIVERT(4) man page states:

    Diverted packets may be read unaltered via read(2), recv(2), or recvfrom(2). In the latter case, the address returned will have its port set to some tag supplied by the packet diverter, (usually the ipfw rule number)

But I can't seem to get it to do so, nor am I really sure I want it to do so. I still need the source and dest ip and ports, along with the IPFW rule number.
Here is a bit of what I have (all the error checking and setup stuff pulled out for brevity)

get a socket

    fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);

bind to it:

    bindPort.sin_family = AF_INET;
    bindPort.sin_port = htons(atol(port));
    bindPort.sin_addr.s_addr = 0;
    if ((ret = bind(fd, (struct sockaddr *) &bindPort, sizeof(struct sockaddr_in))) != 0) {
        /* blah blah error checking */
    }

stolen from the divert socket mini faq to try and use the data start grabbing data:

    sinlen = sizeof(struct sockaddr_in);
    while (1) {
        n = recvfrom(fd, packet, BUFSIZE, 0, (struct sockaddr *) &sin, &sinlen);
        iphdr = (struct ip *) packet;
        /* the transport header starts after the IP options (ip_hl words),
         * not at a fixed sizeof(struct ip) */
        if (iphdr->ip_p == IPPROTO_TCP) {
            tcphdr = (struct tcphdr *) (packet + (iphdr->ip_hl << 2));
        } else if (iphdr->ip_p == IPPROTO_UDP) {
            udphdr = (struct udphdr *) (packet + (iphdr->ip_hl << 2));
        }
        printf("\n");
        printf("%s: Source address: %s\n", progname, inet_ntoa(iphdr->ip_src));
        if (iphdr->ip_p == IPPROTO_TCP)
            printf("%s: Source port: %d\n", progname, ntohs(tcphdr->th_sport));
        printf("%s: Destination address: %s\n", progname, inet_ntoa(iphdr->ip_dst));
        if (iphdr->ip_p == IPPROTO_TCP)
            printf("%s: Destination port: %d\n\n", progname, ntohs(tcphdr->th_dport));
        printf("%s: Receiving IF address: %s\n", progname, inet_ntoa(sin.sin_addr));
        printf("%s: Protocol number: %i\n", progname, iphdr->ip_p);
        printf("%s: Header length: %i\n", progname, iphdr->ip_hl);
        printf("%s: Header ttl: %i\n", progname, iphdr->ip_ttl);
        printf("%s: Header sum: %i\n\n", progname, iphdr->ip_sum);
        if (iphdr->ip_p == IPPROTO_TCP) {
            /* sequence and ack numbers are 32-bit fields: ntohl, not ntohs */
            printf("%s: Sequence Number %u\n", progname, ntohl(tcphdr->th_seq));
            printf("%s: Acknowledgement Number %u\n\n", progname, ntohl(tcphdr->th_ack));
        }
    }

And it all works as you would expect. This really was from source port 1360 and to port 25.
The packet in hex:

    69 16 00 52 247 230 64 00 64 06 61 91 192 168 66 11 192 168 66 22
    05 80 00 25 49 238 186 32 30 184 225 162 128 16 226 64 195 168 00 00
    01 01 08 10 27 81 180 235 00 38 09 44

    Source address: 192.168.66.11
    Source port: 1360
    Destination address: 192.168.66.22
    Destination port: 25
    Receiving IF address: 192.168.66.22
    Protocol number: 6
    Header length: 5
    Header ttl: 64
    Header sum: 23357
    Sequence Number 12782
    Acknowledgement Number 7864
    DIVERT 52 bytes
    52 bytes reinjected.

Now, I need the data this way as I am also stuffing it off to a file in pcap format. But from reading the divert man page I would expect to see the rule number somewhere.

Sorry to have rambled on so much. I just want to know how I can continue to get all the data I have now, but also find out what rule number ipfw is hitting on before diverting to me.

Thank you so much for your help,

Matthew Goward
m g o w a r d @ e v i l o v e r l o r d . o r g

    mgoward@IneedAname 906> uname -a
    FreeBSD IneedAname 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #2: Thu Feb 26 12:57:33 GMT 2004
    root@IneedAname:/usr/obj/usr/src/sys/MATT i38

    mgoward@IneedAname 909> diff MATT GENERIC
    49c49
    < options SCSI_DELAY=2000 #Delay (in ms) before probing SCSI
    ---
    > options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
    60,69d59
    < options IPFIREWALL #firewall
    < options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
    < options IPDIVERT #divert sockets
    < options IPFIREWALL_VERBOSE_LIMIT=100
    < #options IPFIREWALL_DEFAULT_TO_ACCEPT
    < options RANDOM_IP_ID
    < options DUMMYNET
    < options TCP_DROP_SYNFIN
    < options IPSTEALTH
    < #options "ICMP_BANDLIM"

    00001    48     2549 divert 5555 tcp from 192.168.66.11 to 192.168.66.22 dst-port 25
    00001     0        0 divert 5555 udp from 192.168.55.22 to 192.168.66.22 dst-port 25
    00002     0        0 divert 5555 tcp from 192.168.66.22 25 to 192.168.55.22
    00002     0        0 divert 5555 udp from 192.168.66.22 25 to 192.168.55.22
    00100    54     2914 allow ip from any to any via lo0
    00200     0        0 deny ip from any to 127.0.0.0/8
    00300     0        0 deny ip from 127.0.0.0/8 to any
    65000 34423  9607284 allow ip from any to any
    65535     0        0 deny ip from any to any

    ipfw2 initialized, divert enabled, rule-based forwarding enabled, default to deny,
    logging limited to 100 packets/entry by default

If anything else would be helpful let me know.

From owner-freebsd-ipfw@FreeBSD.ORG Sat Feb 28 01:31:20 2004
Date: Sat, 28 Feb 2004 11:30:55 +0200
From: Andrew Degtiariov
To: "Freebsd-Ipfw@Freebsd. Org"
Message-ID: <20040228093055.GA41503@astral-on.net>
User-Agent: Mutt/1.5.4i
Subject: Re: ipfw2 & kern/60377 patch (tee) does not work together?
Reply-To: ad@astral-on.net
X-List-Received-Date: Sat, 28 Feb 2004 09:31:21 -0000

It works for me.

    $ uname -mrs
    FreeBSD 4.9-RELEASE-p2 i386
    $

My kernel config contains the following lines:

    options IPFIREWALL_FORWARD
    options IPFIREWALL_VERBOSE
    options IPFIREWALL
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFW2
    options IPDIVERT
    options DUMMYNET

And in /etc/make.conf:

    IPFW2=true

Luigi, can you look at kern/60377 and review it?

On Fri, Feb 27, 2004 at 04:09:22PM +0300, Vasenin Alexander aka BlackSir wrote:
> Anyone tried to use the kern/60377 patch with ipfw2? (Solving the 'tee' problem)
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/60377
> I've installed it (with the final correction (misplaced return)), recompiled
> kernel & ipfw. When I type `ipfw sh` I get only the error message
>     ipfw: getsockopt(IP_FW_GET): Protocol not available
> An attempt to add any rule follows with this message:
>     ipfw: getsockopt(IP_FW_ADD): Protocol not available
> Maybe this patch & ipfw2 cannot coexist?
> BlackSir
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

--
Andrew Degtiariov
DA-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Sat Feb 28 09:29:52 2004
From: "Vasenin Alexander aka BlackSir"
To: , "Freebsd-Ipfw@Freebsd. Org"
Date: Sat, 28 Feb 2004 20:29:30 +0300
In-Reply-To: <20040228093055.GA41503@astral-on.net>
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Subject: RE: ipfw2 & kern/60377 patch (tee) does not work together?
X-List-Received-Date: Sat, 28 Feb 2004 17:29:52 -0000

After some magic manipulations it works... Seems like one needs to recompile the libalias library (in addition to the kernel & ipfw) to get it to work...

Vasenin Alexander aka BlackSir

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Andrew Degtiariov
> Sent: Saturday, February 28, 2004 12:31 PM
> To: Freebsd-Ipfw@Freebsd. Org
> Subject: Re: ipfw2 & kern/60377 patch (tee) does not work together?
>
>
> It works for me.
>     $ uname -mrs
>     FreeBSD 4.9-RELEASE-p2 i386

From owner-freebsd-ipfw@FreeBSD.ORG Sat Feb 28 16:48:22 2004
Message-ID: <001101c3fe5e$1ae25f90$3301020a@hostthecaost.org>
From: "J.T. Davies"
Date: Sat, 28 Feb 2004 16:51:02 -0800
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Subject: TCP established flag & ipfw rule
X-List-Received-Date: Sun, 29 Feb 2004 00:48:22 -0000

Hello everyone,

I'm on the road to setting up a (hopefully) secure firewall to keep the bad people out. I got to thinking -- I see (semi-frequently) in docs a rule at the top of the list much like:

    ipfw add 100 allow ip from any to any established

...and here's where the thinking part comes in...

Is it possible to (spoof isn't the correct verbiage) override the TCP flags on packets, thereby defeating the intent of the aforementioned rule? I mean, if I had the knowledge (and the evil intent to do so) to create a program that added the EST flag onto the TCP packets... rule 100 would accept the packet, thereby allowing access to anything behind the firewall... no?

Thoughts? Or is this a non-issue due to the stringent authoring of the TCP/IP protocol?

Thanks!

J.T.
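An added example, not part of J.T.'s message or of any reply in this thread. ipfw(8)'s `established` keyword matches a TCP segment whose RST or ACK bit is set; it is a test on the segment's own flag byte and consults no connection table, so a segment forged with ACK set satisfies rule 100 exactly as the question suspects. The Python below contrasts that stateless check with a toy model of ipfw's `keep-state`/`check-state` (a set of flows opened by an outbound SYN; it is a model written for this example, not ipfw's dynamic-rule code). All addresses, ports and packet bytes are constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# TCP flag bits (th_flags byte), same values as netinet/tcp.h
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_segment(src, sport, dst, dport, flags):
    """Constructed IPv4 + TCP header pair (20 + 20 bytes, no options,
    checksums left zero). Only meant to feed the matchers below."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse(pkt):
    """Pull addresses, ports and flags out of the packet, honouring ip_hl."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {
        "src": str(IPv4Address(pkt[12:16])), "sport": sport,
        "dst": str(IPv4Address(pkt[16:20])), "dport": dport,
        "flags": pkt[ihl + 13],
    }


def established(pkt):
    """ipfw(8) 'established': TCP segment with RST or ACK set. That is the
    whole test; nothing about the flow's history is consulted."""
    return bool(parse(pkt)["flags"] & (TH_RST | TH_ACK))


class StatefulFirewall:
    """Toy model of keep-state/check-state: an outbound SYN from the inside
    network records the flow; inbound traffic passes only if it belongs to a
    recorded flow, whatever flags the sender chose to set."""

    def __init__(self, inside_net):
        self.inside = inside_net
        self.dyn = set()  # (inside addr, inside port, outside addr, outside port)

    def outbound(self, pkt):
        p = parse(pkt)
        is_syn = bool(p["flags"] & TH_SYN) and not (p["flags"] & TH_ACK)
        if IPv4Address(p["src"]) in self.inside and is_syn:
            self.dyn.add((p["src"], p["sport"], p["dst"], p["dport"]))
            return "allow keep-state"
        return "deny"

    def inbound(self, pkt):
        p = parse(pkt)
        # reverse the tuple: the inbound dst/dport is the inside end of the flow
        if (p["dst"], p["dport"], p["src"], p["sport"]) in self.dyn:
            return "allow (check-state)"
        return "deny"


def demo():
    """Run the forged-ACK scenario from the question against both checks."""
    fw = StatefulFirewall(IPv4Network("192.168.66.0/24"))  # constructed inside net
    # legitimate: an inside host opens SMTP to an outside server (TEST-NET addresses)
    syn = build_tcp_segment("192.168.66.11", 1360, "203.0.113.5", 25, TH_SYN)
    synack = build_tcp_segment("203.0.113.5", 25, "192.168.66.11", 1360, TH_SYN | TH_ACK)
    # forged: an outsider sets ACK on a segment aimed straight at an inside ssh port
    forged = build_tcp_segment("198.51.100.7", 40000, "192.168.66.22", 22, TH_ACK)
    return {
        "synack_stateless": established(synack),  # True: the real reply passes
        "forged_stateless": established(forged),  # True: the forgery passes too
        "syn_outbound": fw.outbound(syn),         # records the flow
        "synack_stateful": fw.inbound(synack),    # flow known: allowed
        "forged_stateful": fw.inbound(forged),    # no such flow: denied
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The stateless rule is really a convenience for letting replies through on a box that does not track flows; it trusts the sender to set the flag honestly. The model's `inbound()` shows what `check-state` buys: the forged segment is refused not because of its flags but because no inside host ever opened that flow.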