From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 8 02:22:22 2008
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 8 Sep 2008 02:22:21 GMT
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o bin/127058   ipfw   [patch] add "all" command line option to ipfw(8) table
o kern/126980  ipfw   ipfw(8) hangs system
o bin/125370   ipfw   [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw   [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw   [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw   [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw   [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw   [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw   [ipfw][patch] unify message and add a rule number wher
o bin/115172   ipfw   [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw   [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw   [ipfw][patch] Addition actions with rules within speci
o kern/112708  ipfw   [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw   [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw   [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw   [ipfw] ipfw has UDP hickups
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw   [ipfw] IPFW Rules bug
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw   [ipfw] ipfw pipe lost packets
o kern/91847   ipfw   [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw   [ipfw] install_state warning about already existing en
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

47 problems total.

Bugs can be in one of several states:

o - open
    A problem report has been submitted, no sanity checking performed.

a - analyzed
    The problem is understood and a solution is being sought.

f - feedback
    Further work requires additional information from the originator or
    the community - possibly confirmation of the effectiveness of a
    proposed solution.

p - patched
    A patch has been committed, but some issues (MFC and / or
    confirmation from originator) are still open.

r - repocopy
    The resolution of the problem report is dependent on a repocopy
    operation within the CVS repository which is awaiting completion.

s - suspended
    The problem is not being worked on, due to lack of information or
    resources. This is a prime candidate for somebody who is looking for
    a project to do. If the problem cannot be solved at all, it will be
    closed, rather than suspended.

c - closed
    A problem report is closed when any changes have been integrated,
    documented, and tested -- or when fixing the problem is abandoned.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 8 06:07:30 2008
From: rik@FreeBSD.org
To: rik@FreeBSD.org, freebsd-ipfw@FreeBSD.org, rik@FreeBSD.org
Date: Mon, 8 Sep 2008 06:07:29 GMT
Subject: Re: bin/127058: [patch] add "all" command line option to ipfw(8) table listing

Synopsis: [patch] add "all" command line option to ipfw(8) table listing

Responsible-Changed-From-To: freebsd-ipfw->rik
Responsible-Changed-By: rik
Responsible-Changed-When: Mon Sep 8 06:04:48 UTC 2008
Responsible-Changed-Why:
I'll take care of it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127058

From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 8 22:17:55 2008
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Mon, 8 Sep 2008 22:17:55 GMT
Subject: Re: kern/127209: [ipfw] IPFW table become corrupted after many changes

Old Synopsis: IPFW table become corrupted after many changes
New Synopsis: [ipfw] IPFW table become corrupted after many changes

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Sep 8 22:17:26 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=127209

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 9 08:34:08 2008
From: remko@FreeBSD.org
To: remko@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Tue, 9 Sep 2008 08:34:08 GMT
Subject: Re: kern/127230: [ipfw]: Feature request to add UID and/or GID logging data to ipfw logging with uid rules.

Old Synopsis: Feature request to add UID and/or GID logging data to ipfw logging with uid rules.
New Synopsis: [ipfw]: Feature request to add UID and/or GID logging data to ipfw logging with uid rules.

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: remko
Responsible-Changed-When: Tue Sep 9 08:33:44 UTC 2008
Responsible-Changed-Why:
Reassign to IPFW team.

http://www.freebsd.org/cgi/query-pr.cgi?pr=127230

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 9 13:20:05 2008
From: Daan Vreeken
To: freebsd-ipfw@FreeBSD.org
Date: Tue, 9 Sep 2008 13:20:04 GMT
Subject: Re: kern/127230: Feature request to add UID and/or GID logging data to ipfw logging with uid rules.

The following reply was made to PR kern/127230; it has been noted by GNATS.

From: Daan Vreeken
To: freebsd-bugs@freebsd.org, Dan Mahoney
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/127230: Feature request to add UID and/or GID logging data to ipfw logging with uid rules.
Date: Tue, 9 Sep 2008 14:36:42 +0200

On Tuesday 09 September 2008 08:36:02 Dan Mahoney wrote:
> >Number: 127230
> >Category: kern
> >Synopsis: Feature request to add UID and/or GID logging data to ipfw
> > logging with uid rules.
> >Confidential: no
> >Severity: non-critical
> >Priority: medium
> >Responsible: freebsd-bugs
> >State: open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: change-request
> >Submitter-Id: current-users
> >Arrival-Date: Tue Sep 09 07:00:12 UTC 2008
> >Closed-Date:
> >Last-Modified:
> >Originator: Dan Mahoney
> >Release: FreeBSD 6.2-PRERELEASE i386
> >Organization:
>
> Gushi Systems
>
> >Environment:
>
> System: FreeBSD prime.gushi.org 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0:
> Thu Jan 18 02:05:07 EST 2007
> danm@prime.gushi.org:/usr/src/sys/i386/compile/PRIME6 i386
>
> Note: The system I'm on is 6.2, but this will likely apply to -CURRENT or
> -STABLE (although a patch for 6.x would be appreciated).
>
> I have the following rule set up in ipfw to limit the exposure of bad php
> scripts and trojans that try to send mail directly.
>
> allow tcp from any to any dst-port 25 uid root
> deny log tcp from any to any dst-port 25 out
>
> However, the log messages I get look like this:
>
> Sep 8 13:21:11 prime kernel: ipfw: 610 Deny TCP
> 72.9.101.130:58117 209.85.133.114:25 out via em0
> Sep 8 13:21:16 prime kernel: ipfw: 610 Deny TCP
> 72.9.101.130:56672 202.12.31.144:25 out via em0
>
> Which is to say, they don't include the UID -- and I have several hundred
> sites, each with its own UID.
>
> Yes, I could go ahead and set up a thousand "deny" rules, one for each UID
> -- but being able to log this info (since it IS being checked) would be
> great.
>
> >Description:
>
> >How-To-Repeat:
>
> Per Jeremy Chadwick, I am referencing the following thread on the mailing
> lists:
>
> http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/025920.html

Just for the record : I've created two patches (against -HEAD) that implement
this which can be found here :
http://vehosting.nl/pub_diffs/

--
Daan Vreeken
VEHosting
http://VEHosting.nl
tel: +31-(0)40-7113050 / +31-(0)6-46210825
KvK nr: 17174380

From owner-freebsd-ipfw@FreeBSD.ORG Thu Sep 11 20:08:19 2008
From: Julian Elischer
To: FreeBSD Net, ipfw@freebsd.org
Date: Thu, 11 Sep 2008 13:08:19 -0700
Subject: anyone have a netgraph node to do ipfw filtering?

I think someone sent me a link to an ng_ipfw_filter node once
but I've lost it...

(I think it was called ng_ipfw but that name is now taken by the
netgraph/ipfw 'ipfw netgraph' packet divert option).

Something that lets you do ipfw filtering on packets as they
travel across a graph.

As I said, I've seen one but lost it...

Julian

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 12 06:09:08 2008
From: "Bjoern A. Zeeb"
To: Julian Elischer
Cc: FreeBSD Net, ipfw@freebsd.org
Date: Fri, 12 Sep 2008 05:48:57 +0000 (UTC)
Subject: Re: anyone have a netgraph node to do ipfw filtering?

On Thu, 11 Sep 2008, Julian Elischer wrote:

Hi,

> I think someone sent me a link to an ng_ipfw_filter node once
> but I've lost it...
>
> (I think it was called ng_ipfw but that name is now taken by the
> netgraph/ipfw 'ipfw netgraph' packet divert option).
>
> Something that lets you do ipfw filtering on packets as they
> travel across a graph.
>
> As I said, I've seen one but lost it...

I could be wrong but did you mean?
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netgraph/ng_ipfw.c

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 12 06:12:31 2008
From: Julian Elischer
To: "Bjoern A. Zeeb"
Cc: FreeBSD Net, ipfw@freebsd.org
Date: Thu, 11 Sep 2008 23:12:29 -0700
Subject: Re: anyone have a netgraph node to do ipfw filtering?

Bjoern A. Zeeb wrote:
> On Thu, 11 Sep 2008, Julian Elischer wrote:
>
> Hi,
>
>> I think someone sent me a link to an ng_ipfw_filter node once
>> but I've lost it...
>>
>> (I think it was called ng_ipfw but that name is now taken by the
>> netgraph/ipfw 'ipfw netgraph' packet divert option).
>>
>> Something that lets you do ipfw filtering on packets as they
>> travel across a graph.
>>
>> As I said, I've seen one but lost it...
>
> I could be wrong but did you mean?
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netgraph/ng_ipfw.c
>

no that's the one I refer to in the mail which is the inverse of what I want
that one allows ipfw to send things to netgraph. I want one
to allow a netgraph graph to filter things with ipfw...

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 12 06:15:06 2008
From: "Bjoern A. Zeeb"
To: Julian Elischer
Cc: FreeBSD Net, ipfw@freebsd.org
Date: Fri, 12 Sep 2008 06:13:49 +0000 (UTC)
Subject: Re: anyone have a netgraph node to do ipfw filtering?

On Fri, 12 Sep 2008, Bjoern A. Zeeb wrote:

> On Thu, 11 Sep 2008, Julian Elischer wrote:
>
> Hi,
>
>> I think someone sent me a link to an ng_ipfw_filter node once
>> but I've lost it...
>>
>> (I think it was called ng_ipfw but that name is now taken by the
>> netgraph/ipfw 'ipfw netgraph' packet divert option).
>>
>> Something that lets you do ipfw filtering on packets as they
>> travel across a graph.
>>
>> As I said, I've seen one but lost it...
>
> I could be wrong but did you mean?

baeh, ignore this...

--
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 12 06:32:45 2008
From: Andrew Snow
To: Julian Elischer
Cc: FreeBSD Net, ipfw@freebsd.org
Date: Fri, 12 Sep 2008 16:16:50 +1000
Subject: Re: anyone have a netgraph node to do ipfw filtering?

I think what you ask can be done by:

1. sending the packet through ng_mbuf to tag it
2. sending it to ng_ipfw to be sent through IPFW
3. use IPFW rules to operate on packets with the particular tag you
   attached in #1
4. as the final IPFW rule, pass the packet back in to netgraph via a
   'netgraph' IPFW rule.

I have not tried this, no idea if it would work

Best of luck! :-)

- Andrew

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 12 06:48:50 2008
From: Julian Elischer
To: Eugene Grosbein
Cc: "Bjoern A. Zeeb", ipfw@freebsd.org, FreeBSD Net
Date: Thu, 11 Sep 2008 23:48:50 -0700
Subject: Re: anyone have a netgraph node to do ipfw filtering?

Eugene Grosbein wrote:
> On Thu, Sep 11, 2008 at 11:12:29PM -0700, Julian Elischer wrote:
>
>> that one allows ipfw to send things to netgraph. I want one
>> to allow a netgraph graph to filter things with ipfw...
>
> ng_bpf? not exactly ipfw filtering, but filtering :-)
>

No it needs to be ipfw for the job I'm doing..there is already a lot
of code that manipulates ipfw rules that I want to reuse.
(heavy use of tables etc.).

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 12 06:51:17 2008
From: Eugene Grosbein
To: Julian Elischer
Cc: "Bjoern A. Zeeb", ipfw@freebsd.org, FreeBSD Net
Date: Fri, 12 Sep 2008 14:16:28 +0800
Subject: Re: anyone have a netgraph node to do ipfw filtering?

On Thu, Sep 11, 2008 at 11:12:29PM -0700, Julian Elischer wrote:

> that one allows ipfw to send things to netgraph. I want one
> to allow a netgraph graph to filter things with ipfw...

ng_bpf? not exactly ipfw filtering, but filtering :-)

Eugene Grosbein

From owner-freebsd-ipfw@FreeBSD.ORG Fri Sep 12 06:56:03 2008
From: Eugene Grosbein
To: Julian Elischer
Cc: "Bjoern A. Zeeb", ipfw@freebsd.org, FreeBSD Net
Date: Fri, 12 Sep 2008 14:55:58 +0800
Subject: Re: anyone have a netgraph node to do ipfw filtering?

Julian Elischer wrote:

> >> that one allows ipfw to send things to netgraph. I want one
> >> to allow a netgraph graph to filter things with ipfw...
> >
> > ng_bpf? not exactly ipfw filtering, but filtering :-)
>
> No it needs to be ipfw for the job I'm doing..there is already a lot
> of code that manipulates ipfw rules that I want to reuse.
> (heavy use of tables etc.).

I think there is no such node at present, I did some search recently.
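
Added example, not part of the thread and not code from any poster: the workaround Dan Mahoney mentions in kern/127230 above (one logging "deny" rule per UID) can be generated so that the rule number ipfw already logs identifies the sending UID. The base rule number, the UID cut-off, the account names and the sample log lines are constructed assumptions; the script only prints ipfw commands and never runs them.

```sh
#!/bin/sh
# Added example (not from the thread). Emits one "deny log" rule per site UID
# so the rule number in each ipfw log line maps back to a UID.
# Nothing here invokes ipfw; the functions only read and print text.

BASE_RULE=2000   # assumption: free range after the "allow ... uid root" rule
                 # and before the catch-all "deny log ... dst-port 25 out"
MIN_UID=1000     # assumption: site accounts start at UID 1000

# Constructed sample input in passwd(5) layout.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
site-alpha:*:1001:1001:constructed account:/home/site-alpha:/bin/sh
site-beta:*:1002:1002:constructed account:/home/site-beta:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin'

# Constructed log lines in the layout quoted in the PR. Rule 9000 stands in
# for the catch-all deny, which carries no UID information.
SAMPLE_LOG='Sep  8 13:21:11 fw1 kernel: ipfw: 2001 Deny TCP 192.0.2.10:58117 198.51.100.25:25 out via em0
Sep  8 13:21:16 fw1 kernel: ipfw: 2000 Deny TCP 192.0.2.10:56672 203.0.113.7:25 out via em0
Sep  8 13:21:18 fw1 kernel: em0: link state changed to UP
Sep  8 13:21:20 fw1 kernel: ipfw: 9000 Deny TCP 192.0.2.10:56700 203.0.113.7:25 out via em0'

# gen_rules: passwd(5) lines on stdin -> one "ipfw add" command per site UID.
# Rule numbers are assigned sequentially from BASE_RULE.
gen_rules() {
    awk -F: -v base="$BASE_RULE" -v min="$MIN_UID" '
        # skip system accounts and the "nobody" UID 65534
        $3 ~ /^[0-9]+$/ && $3 >= min && $3 < 65534 {
            rule = base + n++
            if (rule > 65534) exit 1      # 65535 is the default rule
            printf "ipfw add %d deny log tcp from any to any dst-port 25 out uid %d\n", rule, $3
        }'
}

# annotate_log RULES: syslog lines on stdin -> "rule uid src dst" for every
# ipfw Deny entry; uid is "?" when the rule is not one of the generated ones.
annotate_log() {
    {
        # first section: "rule uid" pairs taken from the generated commands
        printf '%s\n' "$1" | awk '$1 == "ipfw" && $2 == "add" { print $3, $NF }'
        echo '--LOG--'
        cat
    } | awk '
        !in_log && $0 == "--LOG--" { in_log = 1; next }
        !in_log { uid[$1] = $2; next }
        {
            # locate the "ipfw:" tag; the rule number and action follow it
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i + 2) != "Deny") next
            rule = $(i + 1)
            print rule, ((rule in uid) ? uid[rule] : "?"), $(i + 4), $(i + 5)
        }'
}

# Demonstration on the constructed samples.
rules=$(printf '%s\n' "$SAMPLE_PASSWD" | gen_rules)
printf '%s\n' "$rules"
printf '%s\n' "$SAMPLE_LOG" | annotate_log "$rules"
```

The generated block only helps if it sits before the generic deny rule in the ruleset, since ipfw stops at the first matching deny.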