From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 28 11:06:57 2009
Return-Path:
Delivered-To: freebsd-ipfw@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C3714106568D for ; Mon, 28 Sep 2009 11:06:57 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id B030C8FC19 for ; Mon, 28 Sep 2009 11:06:57 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n8SB6vcu064057 for ; Mon, 28 Sep 2009 11:06:57 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n8SB6vGF064053 for freebsd-ipfw@FreeBSD.org; Mon, 28 Sep 2009 11:06:57 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Date: Mon, 28 Sep 2009 11:06:57 GMT
Message-Id: <200909281106.n8SB6vGF064053@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Cc:
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 28 Sep 2009 11:06:57 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

62 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Sep 29 02:29:50 2009
Date: Tue, 29 Sep 2009 02:29:49 GMT
Message-Id: <200909290229.n8T2TnlY011959@freefall.freebsd.org>
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
From: linimon@FreeBSD.org
Cc:
Subject: Re: kern/139226: [ipfw] install_state: entry already present, done

Old Synopsis: ipfw: install_state: entry already present, done
New Synopsis: [ipfw] install_state: entry already present, done

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Sep 29 02:29:28 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=139226

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 1 21:46:21 2009
Date: Thu, 01 Oct 2009 14:28:56 -0700
From: Chris St Denis
To: freebsd-ipfw@freebsd.org
Message-ID: <4AC51F18.5050703@smartt.com>
Subject: ipfw: install_state: entry already present, done

Haven't gotten any response on -questions so trying here. I've also opened
a PR (kern/139226) but it's gotten no replies so I figured I should try here
since I'm not certain if it's a bug or not. Regardless, I am hoping for at
least a work-around -- a few extra rules or settings to keep my console from
being flooded by errors. So far the only option I found is commenting out the
error display line in the kernel source, which is far from optimal.

I'm trying to set up a stateful firewall for my server such that any traffic
can go out, and its reply come back -- a fairly typical workstation setup.
However I'm getting the error message "ipfw: install_state: entry already
present, done" repeated many times in my logs (though the rules seemed to work
fine otherwise).

I stripped down the rules to the minimum I could and discovered the line
causing it is "allow udp from me to any keep-state".

Only seems to happen when I have bind running as a slave dns server (not
publicly listed, just the zone replication traffic causes the error) but I
assume any other large source of UDP traffic would also do it.

Full firewall rules:

dns2# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any keep-state
65535 deny ip from any to any

I found some search results for this error message, but none seem to have a
solution to the problem.

I also tried adding at the start "allow { tcp or udp } from any to me
dst-port 53" and "allow { tcp or udp } from me to any uid bind", which means
the keep-state rule shouldn't even be getting hit much, but I still get a
flood of errors.

System info:

dns2# uname -a
FreeBSD dns2 7.2-RELEASE-p2 FreeBSD 7.2-RELEASE-p2 #0: Wed Jun 24 00:14:35 UTC 2009     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

Hardware: virtual server under vmWare ESXi (not that that should matter)
network card: em0

-- 
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
-------------------------------------------
"Smart Internet Solutions For Businesses"

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 1 21:55:13 2009
Date: Thu, 1 Oct 2009 14:55:12 -0700
From: Freddie Cash
To: Chris St Denis
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <4AC51F18.5050703@smartt.com>
References: <4AC51F18.5050703@smartt.com>
Subject: Re: ipfw: install_state: entry already present, done

On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis wrote:

> Haven't gotten any response on -questions so trying here. I've also opened
> a PR (kern/139226) but it's gotten no replies so I figured I should try here
> since I'm not certain if it's a bug or not. Regardless, I am hoping for at
> least a work-around -- a few extra rules or settings to keep my console from
> being flooded by errors. So far the only option I found is commenting out the
> error display line in the kernel source, which is far from optimal.
>
> I'm trying to set up a stateful firewall for my server such that any traffic
> can go out, and its reply come back -- a fairly typical workstation setup.
> However I'm getting the error message "ipfw: install_state: entry already
> present, done" repeated many times in my logs (though the rules seemed to work
> fine otherwise).
>
> I stripped down the rules to the minimum I could and discovered the line
> causing it is "allow udp from me to any keep-state".
>
> Only seems to happen when I have bind running as a slave dns server (not
> publicly listed, just the zone replication traffic causes the error) but I
> assume any other large source of UDP traffic would also do it.
>
> Full firewall rules:
>
> dns2# ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 allow udp from me to any keep-state
> 65535 deny ip from any to any
>

If you add "out xmit em0" to the udp rule, do the errors stop?
-- 
Freddie Cash
fjwcash@gmail.com

From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 1 22:11:32 2009
Date: Thu, 01 Oct 2009 15:11:36 -0700
From: Chris St Denis
To: Freddie Cash
Cc: freebsd-ipfw@freebsd.org
Message-ID: <4AC52918.2020705@smartt.com>
References: <4AC51F18.5050703@smartt.com>
Subject: Re: ipfw: install_state: entry already present, done

Freddie Cash wrote:
> On Thu, Oct 1, 2009 at 2:28 PM, Chris St Denis wrote:
>
>> Haven't gotten any response on -questions so trying here. I've also opened
>> a PR (kern/139226) but it's gotten no replies so I figured I should try here
>> since I'm not certain if it's a bug or not. Regardless, I am hoping for at
>> least a work-around -- a few extra rules or settings to keep my console from
>> being flooded by errors. So far the only option I found is commenting out the
>> error display line in the kernel source, which is far from optimal.
>>
>> I'm trying to set up a stateful firewall for my server such that any traffic
>> can go out, and its reply come back -- a fairly typical workstation setup.
>> However I'm getting the error message "ipfw: install_state: entry already
>> present, done" repeated many times in my logs (though the rules seemed to work
>> fine otherwise).
>>
>> I stripped down the rules to the minimum I could and discovered the line
>> causing it is "allow udp from me to any keep-state".
>>
>> Only seems to happen when I have bind running as a slave dns server (not
>> publicly listed, just the zone replication traffic causes the error) but I
>> assume any other large source of UDP traffic would also do it.
>>
>> Full firewall rules:
>>
>> dns2# ipfw list
>> 00100 allow ip from any to any via lo0
>> 00200 deny ip from any to 127.0.0.0/8
>> 00300 deny ip from 127.0.0.0/8 to any
>> 00400 allow udp from me to any keep-state
>> 65535 deny ip from any to any
>>
>
> If you add "out xmit em0" to the udp rule, do the errors stop?

I added that and restarted bind (thus generating a bunch of UDP traffic) and
the error still floods the console.

Current rule set:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any out xmit em0 keep-state
00500 allow ip from any to any
65535 deny ip from any to any
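Editor's note, with an added example that is not part of the thread, of the PR, or of FreeBSD's ipfw code. Two things a practitioner would check in the two rulesets posted above before going further. First, neither ruleset has a check-state rule; ipfw(8) documents that when no check-state rule is present, the dynamic ruleset is consulted at the first keep-state or limit rule, so in both rulesets the state lookup happens at rule 00400 and nowhere earlier. Second, the second ruleset's rule 00500 ("allow ip from any to any") accepts every packet that reaches it, so the default deny at 65535 can never be reached and the ruleset is no longer a default-deny firewall. Neither observation is claimed to explain the "install_state: entry already present" message (the poster reports that adding "out xmit em0" alone did not stop it), and the digest at the top of this page already lists kern/69963 with a similar synopsis. The script below is a small static linter for "ipfw list" output that flags these three conditions: a keep-state/limit rule with no explicit in/out qualifier (such a rule matches both directions), a first stateful rule with no check-state before it, and rules shadowed by an earlier allow-all. The first two rulesets embedded in it are the ones posted in the thread; the third is a constructed variant written for this example and is an assumption, not something the poster ran.

```python
# Added example (not from the thread or from FreeBSD): static checks over
# "ipfw list" output. Pure Python, no ipfw needed to run it.
import re
from dataclasses import dataclass
from typing import List, Tuple

# Rulesets as posted in the thread (first two) and a constructed variant for
# this example (third): explicit check-state, direction on the stateful rule,
# and no allow-all ahead of the default deny.
RULESET_POSTED_FIRST = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any keep-state
65535 deny ip from any to any
"""

RULESET_POSTED_SECOND = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow udp from me to any out xmit em0 keep-state
00500 allow ip from any to any
65535 deny ip from any to any
"""

RULESET_CONSTRUCTED = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00350 check-state
00400 allow udp from me to any out xmit em0 keep-state
65535 deny ip from any to any
"""

# "NNNNN action rest-of-rule", as printed by "ipfw list" without counters.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*(.*?)\s*$")
ALLOW_ACTIONS = {"allow", "accept", "pass", "permit"}


@dataclass
class Rule:
    number: int
    action: str
    body: str  # everything after the action, e.g. "udp from me to any keep-state"

    @property
    def tokens(self) -> List[str]:
        return self.body.split()

    def is_stateful(self) -> bool:
        return "keep-state" in self.tokens or "limit" in self.tokens

    def has_direction(self) -> bool:
        return "in" in self.tokens or "out" in self.tokens

    def is_allow_all(self) -> bool:
        return self.action in ALLOW_ACTIONS and self.tokens == ["ip", "from", "any", "to", "any"]


def parse_ruleset(text: str) -> List[Rule]:
    """Parse "ipfw list" lines; lines that are not rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m.group(1)), m.group(2), m.group(3)))
    return rules


def lint(text: str) -> List[Tuple[int, str]]:
    """Return (rule number, finding) pairs in rule order."""
    findings: List[Tuple[int, str]] = []
    checked = False      # a check-state, explicit or implicit, has been passed
    shadowed_by = None   # number of an earlier allow-all rule, if any
    for r in parse_ruleset(text):
        if shadowed_by is not None:
            findings.append((r.number, f"unreachable: rule {shadowed_by:05d} already allows all traffic"))
            continue
        if r.action == "check-state":
            checked = True
            continue
        if r.is_stateful():
            if not checked:
                findings.append((r.number, "first stateful rule with no check-state before it; dynamic lookup happens here"))
                checked = True  # ipfw performs the implicit check at this rule, so report once
            if not r.has_direction():
                findings.append((r.number, "keep-state/limit rule has no in/out qualifier and matches both directions"))
        if r.is_allow_all():
            shadowed_by = r.number
    return findings


if __name__ == "__main__":
    for name, text in (("posted first", RULESET_POSTED_FIRST),
                       ("posted second", RULESET_POSTED_SECOND),
                       ("constructed", RULESET_CONSTRUCTED)):
        results = lint(text)
        print(f"== {name}: {len(results)} finding(s) ==")
        for number, msg in results:
            print(f"  {number:05d}: {msg}")
```

Run as "python3 ipfw_lint.py", or feed it a live ruleset by replacing one of the embedded strings with the output of "ipfw list". The first posted ruleset produces two findings on rule 00400 (no check-state ahead of it, no direction); the second produces one on 00400 (still no check-state) and one on 65535 (shadowed by 00500); the constructed ruleset produces none. A clean lint result only says the ruleset has the shape ipfw(8) describes for stateful filtering; it is not a statement about whether the kernel message goes away.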