From owner-freebsd-ipfw@FreeBSD.ORG Sun Feb 19 19:46:03 2006
Date: Sun, 19 Feb 2006 19:46:03 GMT
From: Mark Linimon
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/93422: ipfw divert rule no longer works in 6.0 (regression)

Old Synopsis: ipfw divert rule
New Synopsis: ipfw divert rule no longer works in 6.0 (regression)

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Sun Feb 19 19:45:39 UTC 2006
Responsible-Changed-Why: Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=93422

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 20 03:00:30 2006
Date: Mon, 20 Feb 2006 03:00:29 GMT
From: Hajimu UMEMOTO
To: freebsd-ipfw@FreeBSD.org
Subject: kern/93422: Re: ipfw divert rule

The following reply was made to PR kern/93422; it has been noted by GNATS.

From: Hajimu UMEMOTO
To: João
Cc: freebsd-gnats-submit@FreeBSD.org, Hajimu UMEMOTO
Subject: kern/93422: Re: ipfw divert rule
Date: Mon, 20 Feb 2006 11:55:50 +0900

Hi,

>>>>> On Thu, 16 Feb 2006 10:48:01 GMT
>>>>> João said:

joao> I guess the following rules should be basically the same and should work and work on 5.4-R but the former ones do not work on releng_6, the count stays 0

joao> ipfw add 1000 divert 8669 proto ip
joao> 01000 divert 8669 ip from any to any proto ip

The ipfw supports an IPv6 on 6.x and later. It broke a syntax for a tunnel. So, this was changed to mean an IPv4 over IPv4 tunnel on 6.1-PRERELEASE and later.

http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/ipfw/ipfw2.c.diff?r1=1.79&r2=1.80

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 20 11:02:34 2006
Date: Mon, 20 Feb 2006 11:02:32 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o  [2003/04/22] kern/51274  ipfw   [ipfw] [patch] ipfw2 create dynamic rules
f  [2003/04/24] kern/51341  ipfw   [ipfw] [patch] ipfw rule 'deny icmp from
o  [2004/03/03] kern/63724  ipfw   [ipfw] IPFW2 Queues don't work
o  [2004/11/13] kern/73910  ipfw   [ipfw] serious bug on forwarding of packe
o  [2004/11/19] kern/74104  ipfw   [ipfw] ipfw2/1 conflict not detected or r
o  [2005/03/13] conf/78762  ipfw   [ipfw] [patch] /etc/rc.d/ipfw should exce
o  [2005/05/11] bin/80913   ipfw   [patch] /sbin/ipfw2 silently discards MAC
o  [2005/11/08] kern/88659  ipfw   [modules] ipfw and ip6fw do not work prop
o  [2005/11/08] kern/88664  ipfw   [ipfw] ipfw stateful firewalling broken w
o  [2006/02/13] kern/93300  ipfw   ipfw pipe lost packets

10 problems total.

Non-critical problems

S  Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a  [2001/04/13] kern/26534  ipfw   [ipfw] Add an option to ipfw to log gid/u
o  [2002/12/10] kern/46159  ipfw   [ipfw] [patch] ipfw dynamic rules lifetim
o  [2003/02/11] kern/48172  ipfw   [ipfw] [patch] ipfw does not log size and
o  [2003/03/10] kern/49086  ipfw   [ipfw] [patch] Make ipfw2 log to differen
o  [2003/04/09] bin/50749   ipfw   [ipfw] [patch] ipfw2 incorrectly parses p
o  [2003/08/26] kern/55984  ipfw   [ipfw] [patch] time based firewalling sup
o  [2003/12/30] kern/60719  ipfw   [ipfw] Headerless fragments generate cryp
o  [2004/08/03] kern/69963  ipfw   [ipfw] install_state warning about alread
o  [2004/09/04] kern/71366  ipfw   [ipfw] "ipfw fwd" sometimes rewrites dest
o  [2004/10/22] kern/72987  ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [B
o  [2004/10/29] kern/73276  ipfw   [ipfw] [patch] ipfw2 vulnerability (parse
o  [2005/03/13] bin/78785   ipfw   [ipfw] [patch] ipfw verbosity locks machi
o  [2005/05/05] kern/80642  ipfw   [ipfw] [patch] ipfw small patch - new RUL
o  [2005/06/28] kern/82724  ipfw   [ipfw] [patch] Add setnexthop and default
o  [2005/10/05] kern/86957  ipfw   [ipfw] [patch] ipfw mac logging
o  [2005/10/07] kern/87032  ipfw   [ipfw] [patch] ipfw ioctl interface imple
o  [2006/01/03] bin/91245   ipfw   [patch] ipfw(8) sometimes treat ipv6 inpu
o  [2006/01/16] kern/91847  ipfw   [ipfw] ipfw with vlanX as the device
o  [2006/02/16] kern/93422  ipfw   ipfw divert rule no longer works in 6.0 (

19 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 20 11:45:48 2006
From: JoaoBR
To: Hajimu UMEMOTO
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 20 Feb 2006 08:45:40 -0300
Subject: Re: kern/93422: Re: ipfw divert rule

On Monday 20 February 2006 00:00, Hajimu UMEMOTO wrote:
>
> joao> ipfw add 1000 divert 8669 proto ip
> joao> 01000 divert 8669 ip from any to any proto ip
>
> The ipfw supports an IPv6 on 6.x and later. It broke a syntax for a
> tunnel. So, this was changed to mean an IPv4 over IPv4 tunnel on
> 6.1-PRERELEASE and later.
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/ipfw/ipfw2.c.diff?r1=1.79&r2=1.80
>

Hi

I am not sure if I understand what you mean but the patch you pointed out is not for releng_6 and the date is quite old

but it is not clear for me what ip6/ip4 tunneling has to do with diverting

João

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 20 15:08:18 2006
Date: Tue, 21 Feb 2006 00:08:08 +0900
From: Hajimu UMEMOTO
To: JoaoBR
Cc: freebsd-ipfw@freebsd.org
Subject: Re: kern/93422: Re: ipfw divert rule

Hi,

>>>>> On Mon, 20 Feb 2006 08:45:40 -0300
>>>>> JoaoBR said:

joao> I am not sure if I understand what you mean but the patch you pointed out is
joao> not for releng_6 and the date is quite old
joao> but it is not clear for me what ip6/ip4 tunneling has to do with diverting

It was MFC'ed into RELENG_6:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/ipfw/ipfw2.c.diff?r1=1.76.2.1&r2=1.76.2.2

The change is in meaning of `proto'. So, it is not only for `divert'. Please refer to the commit log of the above change. Please note that kern/89472 was also a regression.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-ipfw@FreeBSD.ORG Mon Feb 20 20:21:58 2006
From: JoaoBR
To: Hajimu UMEMOTO
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 20 Feb 2006 17:21:50 -0300
Subject: Re: kern/93422: Re: ipfw divert rule

On Monday 20 February 2006 12:08, Hajimu UMEMOTO wrote:
> It was MFC'ed into RELENG_6:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/ipfw/ipfw2.c.diff?r1=1.76.2.1&r2=1.76.2.2
>
> The change is in meaning of `proto'. So, it is not only for `divert'.

good, I see

same reason why "... pipe proto ip in|out" does not pipe any more, right?

thanks for clarification but is this to be fixed or will this stay as it is?

João

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 21 05:50:50 2006
Date: Tue, 21 Feb 2006 14:50:42 +0900
From: Hajimu UMEMOTO
To: JoaoBR
Cc: freebsd-ipfw@freebsd.org
Subject: Re: kern/93422: Re: ipfw divert rule

Hi,

>>>>> On Mon, 20 Feb 2006 17:21:50 -0300
>>>>> JoaoBR said:

joao> On Monday 20 February 2006 12:08, Hajimu UMEMOTO wrote:
> It was MFC'ed into RELENG_6:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/ipfw/ipfw2.c.diff?r1=1.76.2.1&r2=1.76.2.2
>
> The change is in meaning of `proto'. So, it is not only for `divert'.

joao> good, I see
joao> same reason why "... pipe proto ip in|out" does not pipe any more, right?

Yes.

joao> thanks for clarification but is this to be fixed or will this stay as it is?

Yup, current behavior will stay as it is. kern/89472 and this PR are both regressions, and there is no good solution to fix both. So, current behavior is a trade-off to let them co-exist.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 21 14:12:03 2006
Date: Tue, 21 Feb 2006 06:12:01 -0800 (PST)
From: Donald Baud
To: freebsd-ipfw@freebsd.org
Subject: Patch to add burst to dummynet ?

Looking back in the mailing archives
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=62536+0+archive/2003/freebsd-ipfw/20030907.freebsd-ipfw ,
I found a message saying that it would be trivial to add burst support in dummynet.
In that message, it says to change in ip_dummynet.c :

- if (len_scaled > q->numbytes )
+ if (len_scaled > q->numbytes + q->burst_size)

I did that, even tried len_scaled = 0
But I don't see any difference after recompiling, kldunload/kldload dummynet.

I still get the same throughput with wget --progress=dot some_file

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 21 14:13:45 2006
From: "Cesar"
Date: Tue, 21 Feb 2006 11:12:15 -0300
Subject: ipfw2 with mac filtering

Hi,

I wanted to finish my firewall rules doing a "deny all from any to any", but I can't do that with mac filtering at same time. Let me explain.

Since I use ipfw mac filter, I have the sysctl variable "net.link.ether.ipfw: 1";

My FreeBSD box has the IP 10.0.0.1 and my Windows box 10.0.0.2.

An example of my rules:

00001 0 0 allow ip from 10.0.0.2 MAC any 00:13:20:27:80:d6 any
00002 0 0 allow ip from any to 10.0.0.2 MAC 00:13:20:27:80:d6 any
65535 0 0 allow ip from any to any

This works fine, the rules 1 and 2 get some match when I do ping from Windows box to FreeBSD.
After this test, I added the rule "65534 0 0 deny ip from any to any". It still works, but after some time if I have no traffic from 10.0.0.2, FreeBSD appears to remove the arp entry for that IP, if I do a "arp -a", I get :

? (10.0.0.1) at 00:08:54:29:ff:17 on xl0 [ethernet]

So, I can't ping my FreeBSD box anymore because it doesn't accept my arp packets. I tried to log the deny rule and I get some lines telling "Deny mac in".
I tried to add another rule before the deny all "ipfw add 100 allow mac any any", but this rule becomes "allow ip from any to any MAC any any", so I can't end my firewall rules with a "deny all from any to any".

Is this a problem? Is there any workaround for this?
I didn't try to use a fixed arp table, but I won't do that if not necessary.

Thanks

Cesar

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 21 14:25:00 2006
Date: Tue, 21 Feb 2006 11:24:53 -0300
From: Patrick Tracanelli
To: Cesar
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 with mac filtering

Cesar wrote:
> Hi,
>
> I wanted to finish my firewall rules doing a "deny all from any to
> any", but I can't do that with mac filtering at same time. Let me explain.
>
> Since I use ipfw mac filter, I have the sysctl variable
> "net.link.ether.ipfw: 1";
>
> My FreeBSD box has the IP 10.0.0.1 and my Windows box 10.0.0.2.
>
> An example of my rules:
>
> 00001 0 0 allow ip from 10.0.0.2 MAC any 00:13:20:27:80:d6 any
> 00002 0 0 allow ip from any to 10.0.0.2 MAC 00:13:20:27:80:d6 any
> 65535 0 0 allow ip from any to any
>
> This works fine, the rules 1 and 2 get some match when I do ping from
> Windows box to FreeBSD.
> After this test, I added the rule "65534 0 0 deny ip from any to any".
> It still works, but after some time if I have no traffic from 10.0.0.2,
> FreeBSD appears to remove the arp entry for that IP, if I do a "arp -a",
> I get :
>
> ? (10.0.0.1) at 00:08:54:29:ff:17 on xl0 [ethernet]
>
> So, I can't ping my FreeBSD box anymore because it doesn't accept my arp
> packets. I tried to log the deny rule and I get some lines telling "Deny
> mac in".
> I tried to add another rule before the deny all "ipfw add 100 allow mac
> any any", but this rule becomes "allow ip from any to any MAC any any",
> so I can't end my firewall rules with a "deny all from any to any".
>
> Is this a problem? Is there any workaround for this?
> I didn't try to use a fixed arp table, but I won't do that if not
> necessary.
>
> Thanks
>
> Cesar

I had a similar problem before when I forgot to permit arp traffic on layer2, so, I guess "mac-type arp" is not allowed to pass through your firewall.

You may consider "allow mac-type arp layer2" in your firewall somewhere or denying everything on L3 only, say "deny log all from any to any not layer2"

--
Patrick Tracanelli
FreeBSD Brasil LTDA.
(31) 3281-9633 / 3281-3547
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 21 14:35:33 2006
Date: Tue, 21 Feb 2006 06:35:33 -0800
From: Luigi Rizzo
To: Donald Baud
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Patch to add burst to dummynet ?

On Tue, Feb 21, 2006 at 06:12:01AM -0800, Donald Baud wrote:
> Looking back in the mailing archives http://docs.freebsd.org/cgi/getmsg.cgi?fetch=62536+0+archive/2003/freebsd-ipfw/20030907.freebsd-ipfw , I found a message saying that it would be trivial to add burst support in dummynet.
> In that message, it says to change in ip_dummynet.c :
>
> - if (len_scaled > q->numbytes )
> + if (len_scaled > q->numbytes + q->burst_size)
>
> I did that, even tried len_scaled = 0
> But I don't see any difference after recompiling, kldunload/kldload dummynet.
>
> I still get the same throughput with wget --progress=dot some_file

of course you get the same throughput!
the burst is just a constant in the time it takes to transfer data, and it is independent of the data size. irrespective of the file size you'll just finish (burst_size/bandwidth) seconds earlier.

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 21 14:57:13 2006
Date: Tue, 21 Feb 2006 06:57:10 -0800 (PST)
From: Donald Baud
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Patch to add burst to dummynet ?

--- Luigi Rizzo wrote:
> On Tue, Feb 21, 2006 at 06:12:01AM -0800, Donald
> Baud wrote:
> > Looking back in the mailing archives
> http://docs.freebsd.org/cgi/getmsg.cgi?fetch=62536+0+archive/2003/freebsd-ipfw/20030907.freebsd-ipfw
> , I found a message saying that it would be trivial
> to add burst support in dummynet.
> > In that message, it says to change in
> ip_dummynet.c :
> >
> > - if (len_scaled > q->numbytes )
> > + if (len_scaled > q->numbytes +
> q->burst_size)
> >
> > I did that, even tried len_scaled = 0
> > But I don't see any difference after recompiling,
> kldunload/kldload dummynet.
> >
> > I still get the same throughput with wget
> --progress=dot some_file
>
> of course you get the same throughput!
> the burst is just a constant in the time it takes to
> transfer data,
> and it is independent of the data size. irrespective
> of the file
> size you'll just finish (burst_size/bandwidth)
> seconds earlier.
>
> cheers
> luigi

I ran two tests with the following ipfw rules:
ipfw pipe 10 config bw 10kbit/s
ipfw add 5 pipe 10 ip from 10.0.0.1 to me

== with: if (len_scaled > q->numbytes) ==
wget --progress=dot some_file
0K .......... .......... 0% 1.13 KB/s
50K .......... .......... 1% 1.14 KB/s
100K .......... .......... 2% 1.14 KB/s
150K .......... .......... 3% 1.14 KB/s

== with: if (len_scaled > q->numbytes + 100000 )
wget --progress=dot some_file
0K .......... .......... 0% 1.13 KB/s
50K .......... .......... 1% 1.14 KB/s
100K .......... .......... 2% 1.14 KB/s
150K .......... .......... 3% 1.14 KB/s

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 21 15:41:38 2006
Date: Tue, 21 Feb 2006 07:41:34 -0800
From: Luigi Rizzo
To: Donald Baud
Message-ID: <20060221074134.B63818@xorpc.icir.org>
In-Reply-To: <20060221145710.66863.qmail@web37406.mail.mud.yahoo.com>; from donaldbaud@yahoo.com on Tue, Feb 21, 2006 at 06:57:10AM -0800
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Patch to add burst to dummynet ?

On Tue, Feb 21, 2006 at 06:57:10AM -0800, Donald Baud wrote:
>
>
> --- Luigi Rizzo wrote:
...
> > of course you get the same throughput!
> > the burst is just a constant in the time it takes to
> > transfer data,
> > and it is independent of the data size. irrespective
> > of the file
> > size you'll just finish (burst_size/bandwidth)
> > seconds earlier.
> >
> > cheers
> > luigi
>
> I ran two tests with the following ipfw rules:
> ipfw pipe 10 config bw 10kbit/s
> ipfw add 5 pipe 10 ip from 10.0.0.1 to me

and so ? as i said, the throughput is the same, you
just see things happening a little bit (very little, usually) earlier,
and your experiment has no notion of time, and
furthermore there are so many factors influencing
the throughput and the numbers printed by wget
that it's hard to tell how can you see the difference.

assuming, of course, that the patch i suggested works, which i
think but cannot guarantee.

cheers
luigi

> == with: if (len_scaled > q->numbytes) ==
> wget --progress=dot some_file
> 0K .......... .......... 0% 1.13 KB/s
> 50K .......... .......... 1% 1.14 KB/s
> 100K .......... .......... 2% 1.14 KB/s
> 150K .......... .......... 3% 1.14 KB/s
>
> == with: if (len_scaled > q->numbytes + 100000 )
> wget --progress=dot some_file
> 0K .......... .......... 0% 1.13 KB/s
> 50K .......... .......... 1% 1.14 KB/s
> 100K .......... .......... 2% 1.14 KB/s
> 150K .......... .......... 3% 1.14 KB/s

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 21 16:15:41 2006
Message-ID: <20060221161537.91174.qmail@web37405.mail.mud.yahoo.com>
Date: Tue, 21 Feb 2006 08:15:37 -0800 (PST)
From: Donald Baud
To: Luigi Rizzo
In-Reply-To: <20060221074134.B63818@xorpc.icir.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Patch to add burst to dummynet ?

> On Tue, Feb 21, 2006 at 06:57:10AM -0800, Donald
> Baud wrote:
> >
> >
> > --- Luigi Rizzo wrote:
> ...
> > > of course you get the same throughput!
> > > the burst is just a constant in the time it
> takes to
> > > transfer data,
> > > and it is independent of the data size.
> irrespective
> > > of the file
> > > size you'll just finish (burst_size/bandwidth)
> > > seconds earlier.
> > >
> > > cheers
> > > luigi
> >
> > I ran two tests with the following ipfw rules:
> > ipfw pipe 10 config bw 10kbit/s
> > ipfw add 5 pipe 10 ip from 10.0.0.1 to me
> > == with: if (len_scaled > q->numbytes) ==
> > wget --progress=dot some_file
> > 0K .......... .......... 0% 1.13 KB/s
> > 50K .......... .......... 1% 1.14 KB/s
> > 100K .......... .......... 2% 1.14 KB/s
> > 150K .......... .......... 3% 1.14 KB/s
> >
> > == with: if (len_scaled > q->numbytes + 100000 )
> > wget --progress=dot some_file
> > 0K .......... .......... 0% 1.13 KB/s
> > 50K .......... .......... 1% 1.14 KB/s
> > 100K .......... .......... 2% 1.14 KB/s
> > 150K .......... .......... 3% 1.14 KB/s
>
> and so ? as i said, the throughput is the same, you
> just see things happening a little bit (very little,
> usually) earlier,
> and your experiment has no notion of time, and
> furthermore there are so many factors influencing
> the throughput and the numbers printed by wget
> that it's hard to tell how can you see the
> difference.
>
> assuming, of course, that the patch i suggested
> works, which i
> think but cannot guarantee.
>
> cheers
> luigi
>

Are you saying that wget bandwidth reading is incorrect?
I expected to see full speed of the pipe for the first 100KBytes.

I even commented out:
/*
if (len_scaled > q->numbytes)
break ;
*/
While I would have expected full throughput, I got
only ~10X the speed of the pipe:

0K .......... .......... 0% 8.30 KB/s
50K .......... .......... 1% 20.70 KB/s
100K .......... .......... 2% 13.80 KB/s
150K .......... .......... 3% 13.80 KB/s

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 21 16:25:30 2006
Date: Tue, 21 Feb 2006 08:25:29 -0800
From: Luigi Rizzo
To: Donald Baud
Message-ID: <20060221082529.B64136@xorpc.icir.org>
In-Reply-To: <20060221161537.91174.qmail@web37405.mail.mud.yahoo.com>; from donaldbaud@yahoo.com on Tue, Feb 21, 2006 at 08:15:37AM -0800
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Patch to add burst to dummynet ?

On Tue, Feb 21, 2006 at 08:15:37AM -0800, Donald Baud wrote:
> > On Tue, Feb 21, 2006 at 06:57:10AM -0800, Donald
> > Baud wrote:
> > >
> > >
> > > --- Luigi Rizzo wrote:
> > ...
> > > > of course you get the same throughput!
> > > > the burst is just a constant in the time it
> > takes to
> > > > transfer data,
> > > > and it is independent of the data size.
> > irrespective
> > > > of the file
> > > > size you'll just finish (burst_size/bandwidth)
> > > > seconds earlier.
> > > >
> > > > cheers
> > > > luigi
> > >
> > > I ran two tests with the following ipfw rules:
> > > ipfw pipe 10 config bw 10kbit/s
> > > ipfw add 5 pipe 10 ip from 10.0.0.1 to me
> > > == with: if (len_scaled > q->numbytes) ==
> > > wget --progress=dot some_file
> > > 0K .......... .......... 0% 1.13 KB/s
> > > 50K .......... .......... 1% 1.14 KB/s
> > > 100K .......... .......... 2% 1.14 KB/s
> > > 150K .......... .......... 3% 1.14 KB/s
> > >
> > > == with: if (len_scaled > q->numbytes + 100000 )
> > > wget --progress=dot some_file
> > > 0K .......... .......... 0% 1.13 KB/s
> > > 50K .......... .......... 1% 1.14 KB/s
> > > 100K .......... .......... 2% 1.14 KB/s
> > > 150K .......... .......... 3% 1.14 KB/s
> > >
> > and so ? as i said, the throughput is the same, you
> > just see things happening a little bit (very little,
> > usually) earlier,
> > and your experiment has no notion of time, and
> > furthermore there are so many factors influencing
> > the throughput and the numbers printed by wget
> > that it's hard to tell how can you see the
> > difference.
> >
> > assuming, of course, that the patch i suggested
> > works, which i
> > think but cannot guarantee.
> >
> > cheers
> > luigi
> >
>
> Are you saying that wget bandwidth reading is
> incorrect? I expected to see full speed of the pipe
> for the first 100KBytes.

if you see just one line above your patch, len_scaled is computed as

    int len_scaled = p->bandwidth ? len*8*hz : 0 ;

so your '100000' correspond (with HZ=1000) to an actual burst
of 100 bits or 12.5 bytes so hardly measurable.
secondly, as i said the throughput is limited by many many factors
even without dummynet (or just because you have traffic going through
other pipes, etc.).

finally, i don't know how wget computes times so it may
be correct or not, i have no idea. since many programs
do wrong things in computing bandwidths i wouldn't
give for granted that wget is correct in all situations.

bye
luigi

> I even commented out:
> /*
> if (len_scaled > q->numbytes)
> break ;
> */
> While I would have expected full throughput, I got
> only ~10X the speed of the pipe:
>
> 0K .......... .......... 0% 8.30 KB/s
> 50K .......... .......... 1% 20.70 KB/s
> 100K .......... .......... 2% 13.80 KB/s
> 150K .......... .......... 3% 13.80 KB/s

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 21 16:37:38 2006
Message-ID:
 <20060221163737.31550.qmail@web37411.mail.mud.yahoo.com>
Date: Tue, 21 Feb 2006 08:37:37 -0800 (PST)
From: Donald Baud
To: Luigi Rizzo
In-Reply-To: <20060221082529.B64136@xorpc.icir.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Patch to add burst to dummynet ?

> > > > --- Luigi Rizzo wrote:
> > > ...
> > > > > of course you get the same throughput!
> > > > > the burst is just a constant in the time it
> > > takes to
> > > > > transfer data,
> > > > > and it is independent of the data size.
> > > irrespective
> > > > > of the file
> > > > > size you'll just finish
> (burst_size/bandwidth)
> > > > > seconds earlier.
> > > > >
> > > > > cheers
> > > > > luigi
> > > >
> > > > I ran two tests with the following ipfw rules:
> > > > ipfw pipe 10 config bw 10kbit/s
> > > > ipfw add 5 pipe 10 ip from 10.0.0.1 to me
> > > > == with: if (len_scaled > q->numbytes) ==
> > > > wget --progress=dot some_file
> > > > 0K .......... .......... 0% 1.13 KB/s
> > > > 50K .......... .......... 1% 1.14 KB/s
> > > > 100K .......... .......... 2% 1.14 KB/s
> > > > 150K .......... .......... 3% 1.14 KB/s
> > > >
> > > > == with: if (len_scaled > q->numbytes + 100000
> )
> > > > wget --progress=dot some_file
> > > > 0K .......... .......... 0% 1.13 KB/s
> > > > 50K .......... .......... 1% 1.14 KB/s
> > > > 100K .......... .......... 2% 1.14 KB/s
> > > > 150K .......... .......... 3% 1.14 KB/s
> > > >
>
> > > and so ?
as i said, the throughput is the same,
> you
> > > just see things happening a little bit (very
> little,
> > > usually) earlier,
> > > and your experiment has no notion of time, and
> > > furthermore there are so many factors
> influencing
> > > the throughput and the numbers printed by wget
> > > that it's hard to tell how can you see the
> > > difference.
> > >
> > > assuming, of course, that the patch i suggested
> > > works, which i
> > > think but cannot guarantee.
> > >
> > > cheers
> > > luigi
> > >
> >
> > Are you saying that wget bandwidth reading is
> > incorrect? I expected to see full speed of the
> pipe
> > for the first 100KBytes.
>
> if you see just one line above your patch,
> len_scaled is computed as
>
> int len_scaled = p->bandwidth ? len*8*hz : 0
> ;
>
> so your '100000' correspond (with HZ=1000) to an
> actual burst
> of 100 bits or 12.5 bytes so hardly measurable.
> secondly, as i said the throughput is limited by
> many many factors
> even without dummynet (or just because you have
> traffic going through
> other pipes, etc.).
>
> finally, i don't know how wget computes times so it
> may
> be correct or not, i have no idea. since many
> programs
> do wrong things in computing bandwidths i wouldn't
> give for granted that wget is correct in all
> situations.
>
> bye
> luigi
>
>
> > I even commented out:
> > /*
> > if (len_scaled > q->numbytes)
> > break ;
> > */
> > While I would have expected full throughput, I got
> > only ~10X the speed of the pipe:
> >
> > 0K .......... .......... 0% 8.30 KB/s
> > 50K .......... .......... 1% 20.70 KB/s
> > 100K .......... .......... 2% 13.80 KB/s
> > 150K .......... .......... 3% 13.80 KB/s
> >

Let me ask my question differently then, do you think
it is possible to bypass the pipe restriction (i.e.
burst) for say the first 100KBytes ?

From owner-freebsd-ipfw@FreeBSD.ORG Tue Feb 21 17:42:03 2006
Date: Tue, 21 Feb 2006 09:42:02 -0800
From: Luigi Rizzo
To: Donald Baud
Message-ID: <20060221094202.H64136@xorpc.icir.org>
In-Reply-To: <20060221163737.31550.qmail@web37411.mail.mud.yahoo.com>; from donaldbaud@yahoo.com on Tue, Feb 21, 2006 at 08:37:37AM -0800
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Patch to add burst to dummynet ?

On Tue, Feb 21, 2006 at 08:37:37AM -0800, Donald Baud wrote:
...
> > if you see just one line above your patch,
> > len_scaled is computed as
> >
> > int len_scaled = p->bandwidth ?
len*8*hz : 0
> > ;
> >
> > so your '100000' correspond (with HZ=1000) to an
> > actual burst
> > of 100 bits or 12.5 bytes so hardly measurable.
> > secondly, as i said the throughput is limited by
> > many many factors
> > even without dummynet (or just because you have
> > traffic going through
> > other pipes, etc.).
> >
> > finally, i don't know how wget computes times so it
> > may
> > be correct or not, i have no idea. since many
> > programs
> > do wrong things in computing bandwidths i wouldn't
> > give for granted that wget is correct in all
> > situations.
> >
> > bye
> > luigi
> >
> >
> > > I even commented out:
> > > /*
> > > if (len_scaled > q->numbytes)
> > > break ;
> > > */
> > > While I would have expected full throughput, I got
> > > only ~10X the speed of the pipe:
> > >
> > > 0K .......... .......... 0% 8.30 KB/s
> > > 50K .......... .......... 1% 20.70 KB/s
> > > 100K .......... .......... 2% 13.80 KB/s
> > > 150K .......... .......... 3% 13.80 KB/s
> > >
>
> Let me ask my question differently then, do you think
> it is possible to bypass the pipe restriction (i.e.
> burst) for say the first 100KBytes ?

yes if you put a sufficiently large number in the line to patch
(ideally a configurable parameter).
of course you'll never go faster than your connection allows
without dummynet, and furthermore, 100k are way beyond
the amount of buffering that the socket or ipintrq give you
by default. you are likely to be slowed down by any of these things.

i think i have said all i could on the subject

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 23 22:14:32 2006
From: Christian Hiris <4711@chello.at>
To: freebsd-ipfw@freebsd.org
Date: Thu, 23 Feb 2006 23:13:39 +0100
In-Reply-To: <000a01c636f0$d3303280$0e4fdfc8@ironman>
Cc: Cesar
Subject: Re: ipfw2 with mac filtering

On Tuesday, 21. February 2006 15:12, Cesar wrote:
> Hi,
>
> I wanted to finish my firewall rules doing a "deny all from any to any",
> but I can't do that with mac filtering at same time. Let me explain.
>
> Since I use ipfw mac filter, I have the sysctl variable
> "net.link.ether.ipfw: 1";
>
> My FreeBSD box have the IP 10.0.0.1 and my Windows box 10.0.0.2.
>
> An example of my rules:
>
> 00001 0 0 allow ip from 10.0.0.2 MAC any 00:13:20:27:80:d6 any
> 00002 0 0 allow ip from any to 10.0.0.2 MAC 00:13:20:27:80:d6 any
> 65535 0 0 allow ip from any to any
>
> This works fine, the rules 1 and 2 get some match when I do ping from
> Windows box to FreeBSD.
> After this test, I added the rule "65534 0 0 deny ip from any to any".
> It still works, but after some time if I have no traffic from 10.0.0.2,
> FreeBSD appear to remove the arp entry for that IP, if I do a "arp -a", I
> get :
>
> ? (10.0.0.1) at 00:08:54:29:ff:17 on xl0 [ethernet]

Set up rules that allow arp broadcasts like:

ipfw add pass MAC any ff:ff:ff:ff:ff:ff
ipfw add pass MAC ff:ff:ff:ff:ff:ff any

Cheers
ch

-- 
Christian Hiris <4711@chello.at> | OpenPGP KeyID 0x3BCA53BE
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 24 09:30:57 2006
From: JoaoBR
To: Hajimu UMEMOTO
Date: Fri, 24 Feb 2006 06:30:53 -0300
Message-Id: <200602240630.53797.joao@matik.com.br>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: kern/93422: Re: ipfw divert rule

On Tuesday 21 February 2006 02:50, Hajimu UMEMOTO wrote:
> joao> same reason why "... pipe proto ip in|out" does not pipe any more,
> right?
>
> Yes.
>

in addition to our "proto" talk.

omitting "proto" in the rule the rule as in

ipfw add deny dst-ip ${IP} recv ${NIC}

works, but this

ipfw add deny proto ip dst-ip ${IP} recv ${NIC}

does not

so would something as

ipfw add 1000 divert 8669 dst-ip 0.0.0.0 src-ip 0.0.0.0

work then?

How should I rewrite my rules or better regressing to the old "ip from any to
any" ?

thanks
João

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 24 09:41:31 2006
Date: Fri, 24 Feb 2006 18:41:25 +0900
From: Hajimu UMEMOTO
To: JoaoBR
In-Reply-To: <200602240630.53797.joao@matik.com.br>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: kern/93422: Re: ipfw divert rule

Hi,

>>>>> On Fri, 24 Feb 2006 06:30:53 -0300
>>>>> JoaoBR said:

joao> so would something as
joao> ipfw add 1000 divert 8669 dst-ip 0.0.0.0 src-ip 0.0.0.0
joao> work then?

It should work.

joao> How should I rewrite my rules or better regressing to the old "ip from any to
joao> any" ?

It should work as expected, too. You need to pay attention to the use
of `ip', `ipv4' and `ipv6' with `proto' keyword.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

From owner-freebsd-ipfw@FreeBSD.ORG Fri Feb 24 10:12:24 2006
From: JoaoBR
To: freebsd-ipfw@freebsd.org
Date: Fri, 24 Feb 2006 07:12:21 -0300
Message-Id: <200602240712.21502.joao@matik.com.br>
Cc: Hajimu UMEMOTO
Subject: Re: kern/93422: Re: ipfw divert rule

On Friday 24 February 2006 06:41, Hajimu UMEMOTO wrote:
>
> joao> ipfw add 1000 divert 8669 dst-ip 0.0.0.0 src-ip 0.0.0.0
>
> joao> work then?
>
> It should work.
>
> joao> How should I rewrite my rules or better regressing to the old "ip from
> any to
> joao> any" ?
> It should work as expected, too. You need to pay attention to the use
> of `ip', `ipv4' and `ipv6' with `proto' keyword.

well, then according to the proto-ip-thing this

ipfw add deny proto ip dst-ip ${DSTIP} not src-ip ${SRCIP}

should not work correctly but it counts :

..
36 3612 deny ip from any to any dst-ip ... not src-ip ...

so?

João
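
Going back to the "Patch to add burst to dummynet" thread above: the following is an added example, not code from ip_dummynet.c or from anyone on the list. It models the credit check under discussion to show why a constant of 100000 is worth only 12.5 bytes and what a 100000-byte burst changes. The function names, the per-tick credit loop and the workload of 100 packets of 1500 bytes queued at tick 0 are assumptions; "bw 10kbit/s" is taken as 10000 bit/s.

```c
/*
 * Simplified model of the check "len_scaled > q->numbytes + burst" from the
 * thread. Not the dummynet source: structure, names and the workload are
 * assumptions made for this example.
 */
#include <stdint.h>
#include <stdio.h>

#define HZ 1000 /* tick rate assumed in the thread (HZ=1000) */

/* Packet cost in the thread's scaled unit: len*8*hz. */
static int64_t len_scaled(int len_bytes)
{
    return (int64_t)len_bytes * 8 * HZ;
}

/* Bytes that a burst constant written in scaled units really allows. */
static double burst_scaled_to_bytes(int64_t burst_scaled)
{
    return (double)burst_scaled / (8.0 * HZ);
}

/* Scaled constant needed to let burst_bytes through ahead of the shaper. */
static int64_t burst_bytes_to_scaled(int64_t burst_bytes)
{
    return burst_bytes * 8 * HZ;
}

/*
 * Drain npkts equal-sized packets, all queued at tick 0, through a pipe of
 * bw_bps bits per second. `credit` plays the role of q->numbytes: it grows
 * by bw_bps every tick, and a packet leaves as soon as its cost is covered
 * by credit + burst. Returns the tick at which the last packet is released.
 */
static long drain_ticks(int npkts, int len_bytes, int64_t bw_bps, int64_t burst)
{
    /* Same convention as the quoted line: bandwidth 0 means cost 0. */
    const int64_t cost = bw_bps ? len_scaled(len_bytes) : 0;
    int64_t credit = 0;
    long tick = 0;
    int sent = 0;

    if (burst < 0)
        burst = 0;
    for (;;) {
        while (sent < npkts && !(cost > credit + burst)) {
            credit -= cost; /* may go negative by up to `burst` */
            sent++;
        }
        if (sent >= npkts)
            return tick;
        tick++;
        credit += bw_bps; /* one tick of bandwidth */
    }
}

int main(void)
{
    const int npkts = 100, len = 1500; /* constructed workload: 150000 bytes */
    const int64_t bw = 10000;          /* 10 kbit/s */
    long base = drain_ticks(npkts, len, bw, 0);
    long tiny = drain_ticks(npkts, len, bw, 100000);
    long big = drain_ticks(npkts, len, bw, burst_bytes_to_scaled(100000));

    printf("constant 100000 allows %.1f bytes\n", burst_scaled_to_bytes(100000));
    printf("no burst:           last packet at tick %ld\n", base);
    printf("burst 100000:       last packet at tick %ld (%ld ticks earlier)\n",
           tiny, base - tiny);
    printf("burst 100000 bytes: last packet at tick %ld (%ld ticks earlier)\n",
           big, base - big);
    return 0;
}
```

In this model the 100000-byte burst finishes 80000 ticks (80 s) earlier, which is burst_size/bandwidth as stated in the thread; the steady rate after the burst is unchanged.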