From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 4 09:07:22 2005
From: "Martin"
To: "freebsd-ipfw@freebsd.org", "Sergei Gnezdov", "sergei@gnezdov.net"
Date: Mon, 04 Apr 2005 10:06:48 +0200 (CDT)
Subject: Re: DHCP with ipfw

ON 5+, you also have to open up the MAC layer FW:
ipfw add allow mac via xl0

If the DHCP server is slow and did not reply back before the
dhclient did continue the boot process, maybe you do have
to reload the FW rules once your DHCP connection is established.

/Martin

On Fri, 25 Mar 2005 05:07:30 +0000 (UTC), Sergei Gnezdov wrote:

>/etc/rc.conf:
>
> ifconfig_rl0="DHCP"
>
> firewall_type="client"
> firewall_enable="YES"
>
>When my machine boots firewall is initialized before DHCP obtains IP
>address. This results in incomplete firewall configuration. How do I
>fix this?
>
>My /etc/rc.firewall initialized with the following commands:
>
> net=`ifconfig rl0 | grep "inet " | awk '{print $6}'`
> mask="255.255.255.0"
> ip=`ifconfig rl0 | grep "inet " | awk '{print $2}'`

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 4 11:02:24 2005
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Date: Mon, 4 Apr 2005 11:02:24 GMT
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f  [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp
o  [2003/12/11] kern/60154  ipfw   ipfw core (crash)
o  [2004/03/03] kern/63724  ipfw   IPFW2 Queues dont t work
f  [2004/03/25] kern/64694  ipfw   [ipfw] UID/GID matching in ipfw non-funct
o  [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o  [2004/11/19] kern/74104  ipfw   ipfw2/1 conflict not detected or reported
o  [2004/12/25] i386/75483  ipfw   ipfw count does not count

8 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o  [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o  [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o  [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o  [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o  [2003/08/26] kern/55984  ipfw   [patch] time based firewalling support fo
o  [2003/12/30] kern/60719  ipfw   ipfw: Headerless fragments generate cryp
o  [2004/08/03] kern/69963  ipfw   ipfw: install_state warning about already
o  [2004/09/04] kern/71366  ipfw   "ipfw fwd" sometimes rewrites destination

9 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 4 20:03:32 2005
Received: from fosho.putnamville.com (adsl-69-104-98-165.dsl.snfc21.pacbell.net [69.104.98.165]) by mx1.FreeBSD.org (Postfix) with ESMTP id D0A3F43D55 for ; Mon, 4 Apr 2005 20:03:31 +0000 (GMT) (envelope-from filter@fosho.putnamville.com)
To: freebsd-ipfw@freebsd.org
From: "aw-confirm@ebay.com"
Date: Mon, 04 Apr 2005 13:03:55 -0700
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=_boundary-0001-6055"
Subject: Your Final Warning From eBay

This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.

--=_boundary-0001-6055
Content-Type: text/plain; format=flowed; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

CORRUPTED MESSAGE

This is the Courier Mail Server 0.48 on fosho.putnamville.com.

I received the following message for delivery to your address. This message
contains several internal formatting errors. This is often caused by viruses
that attempt to infect remote systems. Instead of blocking this message, it
has been converted as a safe, text-only attachment that can be safely read
with a text editor.

This sometimes also happens when the sender's mail software has a bug that
creates improperly-formatted messages. Although these kinds of formatting
errors may often be ignored by other mail servers, this server detects and
intercepts improperly-coded messages in order to prevent viruses from taking
advantage of bugs in E-mail programs:

-----------------------------------------------------------------------------
This message contains improperly-formatted binary content, or attachment.
See for more information.
-----------------------------------------------------------------------------

--=_boundary-0001-6055
Content-Type: text/plain; charset=iso-8859-1
X-Original-Content-Type: message/rfc822
Content-Disposition: attachment; filename="message.txt"
Content-Transfer-Encoding: 8bit

Received: from localhost (localhost [127.0.0.1]) (uid 503) by fosho.putnamville.com with local; Mon, 04 Apr 2005 13:03:55 -0700 id 000F0622.42519DAB.000017A7
To: freebsd-ipfw@freebsd.org
Subject: Your Final Warning From eBay
From: "aw-confirm@ebay.com"
Content-Type: text/html
Date: Mon, 04 Apr 2005 13:03:55 -0700

Place or Update Credit Card on File 

Dear eBay,

During our regulary schedule account maintenance and verification we have detected a slight error in your billing information on file with eBay. This might be due to either following reasons:

             - A recent change in your personal information (i.e. change of address)
             - Submiting invalid information during the initial sign up process.
             - An inability to accurately verify your selected option of payment due an internal error within
               our processors.

Your credit card on file with eBay    
Card number: XXXX-XXXX-XXXX-4322 (Not shown for security purposes)  Expiration date: 11/05

Please sign in to your eBay account and update your billing information:

http://signin.ebay.com/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US

If your account information is not update, your ability to sell or bid on eBay will become restricted.

Thank you,
eBay Billing Department



eBay treats your personal information with the utmost care, and our Privacy Policy is designed to protect you and your information. eBay will never ask their users for personal information, such as bank account numbers, credit card numbers, pin numbers, passwords, or Social Security numbers in an email. For more information on how to protect your eBay password and your account, please visit User Account Protection.
This eBay notice was sent to you based on your eBay account preferences and in accordance with our Privacy Policy. To change your notification preferences, click here. If you would like to receive this email in text format, click here.

Copyright © 2004 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.
eBay and the eBay logo are trademarks of eBay Inc.

--=_boundary-0001-6055--

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 4 23:25:47 2005
From: Suporte Matik
To: freebsd-ipfw@freebsd.org, Martin
Cc: "sergei@gnezdov.net", Sergei Gnezdov
Date: Mon, 4 Apr 2005 20:25:14 -0300
Subject: Re: DHCP with ipfw

On Monday 04 April 2005 05:06, Martin wrote:
> ON 5+, you also have to open up the MAC layer FW:
> ipfw add allow mac via xl0
>

Hi
where do you guess this from? Shouldn't make any sense if not loading bridge
and enabling bridge firewalling first, overall this would matter after
dhclient asked for IP

> If the DHCP server is slow and did not reply back before the
> dhclient did continue the boot process, maybe you do have
> to reload the FW rules once your DHCP connection is established.

your dhcpd should not be sooo slow and ignore several retries

but, may be you check /etc/rc.d/ipfw and tweak its sub ipfw_precmd() and add
a check for empty or 0.0.0.0 IP address and not loading ipfw then

don't know why this is not default then

or depending on what you want/need you may tweak /etc/rc.d/dhclient and
running ipfw after getting a lease but prevent not rerunning unless your IP
address did really change

> >
> >When my machine boots firewall is initialized before DHCP obtains
> > IP address. This results in incomplete firewall configuration.
> > How do I fix this?
> >

you probably have a problem at your dhcpd or your network connection
the timeout is so long you should get the lease always before network is
starting anything else

> >My /etc/rc.firewall initialized with the following commands:
> >
> > net=`ifconfig rl0 | grep "inet " | awk '{print $6}'`

you're probably not awking the value you want here

Hans

> > mask="255.255.255.0"
> > ip=`ifconfig rl0 | grep "inet " | awk '{print $2}'`

--
Infomatik
http://info.matik.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 5 01:31:19 2005
From: Oleg Bulyzhin
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-ipfw@freebsd.org, oleg@rinet.ru
Date: Tue, 5 Apr 2005 05:31:16 +0400 (MSD)
Subject: dummynet & ipfw tee: kernel may hang (endless loop)

>Submitter-Id: current-users
>Originator: Oleg Bulyzhin
>Organization: Cronyx Plus LLC
>Confidential: no
>Synopsis: dummynet & ipfw tee: kernel may hang (endless loop)
>Severity: serious
>Priority: high
>Category: kern
>Class: sw-bug
>Release: FreeBSD 5.4-RC1 i386
>Environment:
System: FreeBSD atex.rinet.ru 5.4-RC1 FreeBSD 5.4-RC1 #7: Tue Apr 5 02:58:28 MSD 2005 root@atex.rinet.ru:/lh/obj/lh/src/sys/atex i386

any branch with working ipfw tee command
>Description:
Problem does not appear if you have net.inet.ip.fw.one_pass = 1

If you have net.inet.ip.fw.one_pass=0 packets will be reinjected by dummynet
back into ipfw. Any reinjected packet will have args->rule != NULL
(ip_fw2.c:1885) and next ipfw rule will be chosen using args->rule.
Such behaviour is wrong for packets reinjected into ipfw by tee command.
If you try to tee "dummyneted" (i.e. reinjected by dummynet) packet, kernel
will hang in endless loop trying to tee same packet again and again.
This happens cause next ipfw rule chosen upon args->rule instead of
divert_cookie(mtag) (ip_fw2.c:1907)
>How-To-Repeat:
sysctl net.inet.ip.fw.one_pass=1
kldload dummynet
ipfw pipe 1 config
ipfw add 1 pipe 1 ip from any to any
ipfw add 2 tee 1 ip from any to any
ping localhost &
sysctl net.inet.ip.fw.one_pass=0

Right after last command kernel will hang.
>Fix:
Would be fine to have it fixed in 5.4-RELEASE

--- sys/netinet/ip_fw2.c~ Sun Apr 3 02:12:12 2005 +++ sys/netinet/ip_fw2.c Sun Apr 3 04:04:25 2005
@@ -1899,6 +1899,7 @@ f = args->rule->next_rule; if (f == NULL) f = lookup_next_rule(args->rule); + args->rule = NULL; } else { /* * Find the starting rule. It can be either the first
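
Review bot: the added "args->rule = NULL;" after the lookup_next_rule(args->rule) fallback carries no comment, and nothing in the surrounding lines says why the pointer has to be cleared once f has been picked. Suggest a one-line comment there stating that it keeps a later tee reinjection of the same packet from resuming at the dummynet rule again (the loop described in the PR), and a sentence in the commit message confirming that any later use of args->rule in this function was checked, since it is NULL on the reinjection path after this line.
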
From: Gleb Smirnoff
To: luigi@FreeBSD.org, andre@FreeBSD.org, maxim@FreeBSD.org
Cc: freebsd-ipfw@FreeBSD.org, Oleg Bulyzhin, FreeBSD-gnats-submit@FreeBSD.org
X-List-Received-Date: Tue, 05 Apr 2005 10:05:16 -0000
Subject: Re: kern/79546: dummynet & ipfw tee: kernel may hang (endless loop)

Colleagues,

Can you please look at this PR? I see the suggested fix acceptable for now and
for ABI frozen RELENG_5 branch.

Speaking of HEAD and future RELENG_6, I'd prefer to move the code that searches
for PACKET_TAG_DIVERT up to ip_fw_pfil.c, like we do it for dummynet and ng_ipfw
returned packets.

What do you think?

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/79546

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 6 10:34:20 2005
From: Suporte Matik
To: sergei@gnezdov.net
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 6 Apr 2005 07:33:47 -0300
Subject: Re: DHCP with ipfw

On Tuesday 05 April 2005 23:12, Sergei Gnezdov wrote:
> In gmane.os.freebsd.devel.ipfw, you wrote:
> > On Monday 04 April 2005 05:06, Martin wrote:
> >> If the DHCP server is slow and did not reply back before the
> >> dhclient did continue the boot process, maybe you do have
> >> to reload the FW rules once your DHCP connection is established.
> >
> > your dhcpd should not be sooo slow and ignore several retries
>
> I don't think dhcp speed matters. I can say for sure that I see
> ipfw rules initialization happens before (!) dhcp is initialized.
> I can't prove it with dmesg, because it does not capture absolutely
> everything, but I can see on the console ipfw rules show up first
> and then a dhcp startup message.

after boot mounts your partitions the network should be initialized and if you
have ifconfig_nic="DHCP" in your rc.conf dhclient should look for a dhcp
server first and probably gets an answer. If you didn't daemonized the
dhclient process it should stay until timeout or getting the IP address and
then run the rest of network setup.

So almost for sure dhcp goes first but is not getting an answer within time
and you do not noticed it.

May be your timeout in dhclient.conf is too low if your network performance is
poor. Or you may try increasing your retry value

may be you have an interface problem and the -w option could be useful for you
or you consider configuring interface NIC { } in your dhclient.conf

BTW what fbsd version are you referring to?

> I think startup order is simply incorrect.

does not make so much sense starting ipfw before the initial network setup
what invokes certainly dhclient first if set ...

Hans

--
Infomatik
http://info.matik.com.br

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 6 13:08:33 2005
From: Andre Oppermann
To: Gleb Smirnoff
Cc: maxim@FreeBSD.org, freebsd-ipfw@FreeBSD.org, luigi@FreeBSD.org, Oleg Bulyzhin, FreeBSD-gnats-submit@FreeBSD.org
Date: Wed, 06 Apr 2005 15:08:32 +0200
Subject: Re: kern/79546: dummynet & ipfw tee: kernel may hang (endless loop)

Gleb Smirnoff wrote:
>
> Colleagues,
>
> Can you please look at this PR? I see the suggested fix acceptable for now and
> for ABI frozen RELENG_5 branch.

Yes, the proposed fix fixes the issue at hand.

> Speaking of HEAD and future RELENG_6, I'd prefer to move the code that searches
> for PACKET_TAG_DIVERT up to ip_fw_pfil.c, like we do it for dummynet and ng_ipfw
> returned packets.
>
> What do you think?

This is the way to go. IPFW2 is not yet fully in line with the new way
of doing things and so far I haven't managed to get the job finished.

--
Andre

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 7 05:23:17 2005
From: Sergei Gnezdov
To: freebsd-ipfw@freebsd.org
Date: Thu, 7 Apr 2005 04:56:23 +0000 (UTC)
Subject: Re: DHCP with ipfw

On 2005-04-06, Suporte Matik wrote:
> On Tuesday 05 April 2005 23:12, Sergei Gnezdov wrote:
>
>> In gmane.os.freebsd.devel.ipfw, you wrote:
>> > On Monday 04 April 2005 05:06, Martin wrote:
>> >> If the DHCP server is slow and did not reply back before the
>> >> dhclient did continue the boot process, maybe you do have
>> >> to reload the FW rules once your DHCP connection is established.
>> >
>> > your dhcpd should not be sooo slow and ignore several retries
>>
>> I don't think dhcp speed matters. I can say for sure that I see
>> ipfw rules initialization happens before (!) dhcp is initialized.
>> I can't prove it with dmesg, because it does not capture absolutely
>> everything, but I can see on the console ipfw rules show up first
>> and then a dhcp startup message.
>
> after boot mounts your partitions the network should be initialized
> and if you have ifconfig_nic="DHCP" in your rc.conf dhclient should
> look for a dhcp server first and probably gets an answer. If you
> didn't daemonized the dhclient process it should stay until timeout
> or getting the IP address and then run the rest of network setup.
>
> So almost for sure dhcp goes first but is not getting an answer within
> time and you do not noticed it.
>

You are probably right about timeout. I enabled rc.conf debugging
and captured the following console output:

/etc/rc: DEBUG: run_rc_command: evaluating pccard_start().
/etc/rc: DEBUG: run_rc_command: evaluating network_start().
/etc/rc: DEBUG: Cloned:
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
/etc/rc: DEBUG: The following interfaces were not configured: plip0
/etc/rc.d/ipfilter: DEBUG: checkyesno: ipfilter_enable is set to NO.
/etc/rc: DEBUG: checkyesno: isdn_enable is set to NO.
/etc/rc: DEBUG: checkyesno: ppp_enable is set to NO.
/etc/rc: DEBUG: checkyesno: firewall_enable is set to YES.
/etc/rc: DEBUG: run_rc_command: evaluating ipfw_precmd().
ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled
/etc/rc: DEBUG: run_rc_command: evaluating ipfw_start().
Executing: /etc/rc
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
ipfw: hostname ``to'' unknown
ipfw: hostname ``'' unknown
[snip...]
ipfw: hostname ``'' unknown
Firewall rules loaded, starting divert daemons:/etc/rc.d/natd: DEBUG: checkyesno: natd_enable is set to NO.
/etc/rc: DEBUG: checkyesno: firewall_logging is set to YES.
Firewall logging enabled
net.inet.ip.fw.enable: 1 -> 1
/etc/rc: DEBUG: pid file (/var/run/dhclient.pid): not readable.
/etc/rc: DEBUG: run_rc_command: evaluating dhclient_prestart().
/etc/rc: DEBUG: checkyesno: background_dhclient is set to NO.
Starting dhclient.
/etc/rc: DEBUG: run_rc_command: _doit: /sbin/dhclient rl0
/etc/rc: DEBUG: run_rc_command: evaluating dhclient_poststart().
rl0: flags=8843 mtu 1500
        options=8
        inet6 fe80::250:bfff:fe73:50f3%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.2.102 netmask 0xffffff00 broadcast 192.168.2.255

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 7 09:26:54 2005
From: Suporte Matik To: freebsd-ipfw@freebsd.org, sergei@gnezdov.net Date: Thu, 7 Apr 2005 06:26:20 -0300 User-Agent: KMail/1.7.2 References: <20050404090719.F2268544E1F@mail2-new.vianetworks.nl> <200504060733.50938.asstec@matik.com.br> In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200504070626.22614.asstec@matik.com.br> X-Virus-Scanned: ClamAV 0.80/777/Mon Mar 21 04:41:55 2005 clamav-milter version 0.80j on msrv.matik.com.br X-Virus-Status: Clean X-Spam-Status: No, score=-101.2 required=5.0 tests=ALL_TRUSTED,ISO_7BITS, MONOTONE_WORDS_2_15,NO_RDNS2,TW_PF,USER_IN_WHITELIST autolearn=failed version=3.0.2 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on msrv.matik.com.br X-Filter-Version: 1.11a (msrv.matik.com.br) Subject: Re: DHCP with ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Apr 2005 09:26:54 -0000 On Thursday 07 April 2005 01:56, Sergei Gnezdov wrote: > > You are probably right about timeout. I enabled rc.conf debuging > and captured the following console output: > > /etc/rc: DEBUG: run_rc_command: evaluating pccard_start(). > /etc/rc: DEBUG: run_rc_command: evaluating network_start(). -- you probably could have told your little secrets right away to get help on first shot you may try something like this in your dhclient.conf in order to get around your problem but set it to your WL settings, you can set several lines "ssid ..." 
if connecting to different APs interface "wi0" { media "ssid WIP-LUC nwkey 0x0101010111"; } Hans Infomatik http://info.matik.com.br From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 8 00:06:16 2005 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1803C16A4CE for ; Fri, 8 Apr 2005 00:06:16 +0000 (GMT) Received: from gnezdov.net (63-224-222-139.spkn.qwest.net [63.224.222.139]) by mx1.FreeBSD.org (Postfix) with ESMTP id 631F943D48 for ; Fri, 8 Apr 2005 00:06:15 +0000 (GMT) (envelope-from sergei@gnezdov.net) Received: from gnezdov.net (localhost.birds [127.0.0.1]) by gnezdov.net (8.13.1/8.12.11) with ESMTP id j3807aNW032809; Thu, 7 Apr 2005 17:07:37 -0700 (PDT) (envelope-from sergei@gnezdov.net) Received: (from sergei@localhost) by gnezdov.net (8.13.1/8.12.11/Submit) id j3807ZHa032808; Thu, 7 Apr 2005 17:07:35 -0700 (PDT) (envelope-from sergei) Date: Thu, 7 Apr 2005 17:07:35 -0700 
From: Sergei Gnezdov
To: Suporte Matik
Cc: freebsd-ipfw@freebsd.org
Subject: Re: DHCP with ipfw
Message-ID: <20050408000735.GA26582@gnezdov.net>

On Thu, Apr 07, 2005 at 06:26:20AM -0300, Suporte Matik wrote:
> On Thursday 07 April 2005 01:56, Sergei Gnezdov wrote:
> >
> > You are probably right about timeout. I enabled rc.conf debugging
> > and captured the following console output:
> >
> > /etc/rc: DEBUG: run_rc_command: evaluating pccard_start().
> > /etc/rc: DEBUG: run_rc_command: evaluating network_start().
> --
>
> you probably could have told your little secrets right away to get
> help on first shot
>
> you may try something like this in your dhclient.conf in order to get
> around your problem but set it to your WL settings, you can set
> several lines "ssid ..." if connecting to different APs
>
> interface "wi0" {
> media
> "ssid WIP-LUC nwkey 0x0101010111";
> }

Uhh, I have no clue what you are talking about. I don't have wi0
interface. I mean I don't see it, if I run ifconfig.

This is not a laptop either. This machine does have wireless network
card, but FreeBSD does not support it at the moment. I simply use
standard network card (tx0 interface).

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 8 08:08:13 2005
From: Suporte Matik
To: freebsd-ipfw@freebsd.org
Date: Fri, 8 Apr 2005 05:07:48 -0300
Subject: Re: DHCP with ipfw
Message-Id: <200504080507.58504.asstec@matik.com.br>

On Thursday 07 April 2005 21:07, Sergei Gnezdov wrote:
>
> Uhh, I have no clue what you are talking about. I don't have wi0
> interface. I mean I don't see it, if I run ifconfig.
>

well well, I saw pccardstart and didn't read further

> This is not a laptop either. This machine does have wireless
> network card, but FreeBSD does not support it at the moment. I
> simply use standard network card (tx0 interface).

but your log seems to show trying to get the lease for rl0

--
Infomatik
http://info.matik.com.br
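
Added example, not part of any message in this thread: a fail-closed way to derive the address, netmask and network from ifconfig output like the rl0 listing posted above, so a firewall script can tell "no DHCP lease yet" apart from a usable address. The function names and the two sample listings are assumptions constructed for this illustration.

```sh
#!/bin/sh
# Constructed samples modelled on the rl0 listing quoted in the thread:
# one taken after dhclient has a lease, one taken before (IPv6 link-local only).
SAMPLE_LEASED='rl0: flags=8843 mtu 1500
        inet6 fe80::250:bfff:fe73:50f3%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.2.102 netmask 0xffffff00 broadcast 192.168.2.255'
SAMPLE_NO_LEASE='rl0: flags=8843 mtu 1500
        inet6 fe80::250:bfff:fe73:50f3%rl0 prefixlen 64 scopeid 0x1'

# 0xffffff00 -> 255.255.255.0; rejects anything that is not 8 hex digits.
hexmask_to_dotted() {
    h=${1#0x}
    [ ${#h} -eq 8 ] || return 1
    case $h in *[!0-9a-fA-F]*) return 1 ;; esac
    n=$(( 0x$h ))
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Reads `ifconfig <if>` output on stdin. Prints "ip=... mask=... net=..." and
# returns 0 only when an IPv4 address is configured; returns 1 otherwise, so
# the caller can keep a default-deny ruleset until the lease arrives.
# The netmask is located by keyword, not by field position.
lease_vars() {
    out=$(awk '
        $1 == "inet" {
            for (i = 3; i < NF; i++)
                if ($i == "netmask") { print $2, $(i + 1); ok = 1; exit }
        }
        END { exit !ok }') || return 1
    set -- $out
    ip=$1
    mask=$(hexmask_to_dotted "$2") || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip $mask            # four address octets, then four mask octets
    IFS=$old_ifs
    [ $# -eq 8 ] || return 1
    echo "ip=$ip mask=$mask net=$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# Demo on the constructed samples.
for s in "$SAMPLE_LEASED" "$SAMPLE_NO_LEASE"; do
    printf '%s\n' "$s" | lease_vars || echo "no IPv4 lease yet: keep default-deny rules"
done
```

In a firewall script the input would come from `ifconfig rl0 | lease_vars`, with the address-dependent rules loaded only when it succeeds.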