From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 18 11:07:02 2011 Return-Path: Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 45E031065675 for ; Mon, 18 Apr 2011 11:07:02 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 330928FC14 for ; Mon, 18 Apr 2011 11:07:02 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p3IB72HS019525 for ; Mon, 18 Apr 2011 11:07:02 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p3IB71TS019523 for freebsd-ipfw@FreeBSD.org; Mon, 18 Apr 2011 11:07:01 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 18 Apr 2011 11:07:01 GMT Message-Id: <201104181107.p3IB71TS019523@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-ipfw@FreeBSD.org Cc: Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Apr 2011 11:07:02 -0000 Note: to view an individual PR, use: http://www.freebsd.org/cgi/query-pr.cgi?pr=(number). The following is a listing of current problems submitted by FreeBSD users. These represent problem reports covering all versions including experimental development code and obsolete releases. S Tracker Resp. Description -------------------------------------------------------------------------------- o kern/156410 ipfw [patch][ipfw] tablearg option for ipfw setfib o kern/156180 ipfw [ipfw] [patch] ipfw checks TCP options on non-contiguo o kern/155927 ipfw [ipfw] ipfw stops to check packets for compliance with o bin/153252 ipfw [ipfw][patch] ipfw lockdown system in subsequent call o kern/153161 ipfw IPFIREWALL does not allow specify rules with ICMP code a kern/152887 ipfw [ipfw] Can not set more then 1024 buckets with buckets o kern/152113 ipfw [ipfw] page fault on 8.1-RELEASE caused by certain amo o kern/150798 ipfw [ipfw] ipfw2 fwd rule matches packets but does not do o kern/148827 ipfw [ipfw] divert broken with in-kernel ipfw o kern/148689 ipfw [ipfw] antispoof wrongly triggers on link local IPv6 a o kern/148430 ipfw [ipfw] IPFW schedule delete broken. o kern/148157 ipfw [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRE o kern/148091 ipfw [ipfw] ipfw ipv6 handling broken. o kern/147720 ipfw [ipfw] ipfw dynamic rules and fwd o kern/145305 ipfw [ipfw] ipfw problems, panics, data corruption, ipv6 so o kern/144269 ipfw [ipfw] problem with ipfw tables o kern/144187 ipfw [ipfw] deadlock using multiple ipfw nat and multiple l o kern/143973 ipfw [ipfw] [panic] ipfw forward option causes kernel reboo o kern/143653 ipfw [ipfw] [patch] ipfw nat redirect_port "buf is too smal o kern/143621 ipfw [ipfw] [dummynet] [patch] dummynet and vnet use result o kern/143474 ipfw [ipfw] ipfw table contains the same address f kern/142951 ipfw [dummynet] using pipes&queues gives OUCH! pipe should o kern/139581 ipfw [ipfw] "ipfw pipe" not limiting bandwidth o kern/139226 ipfw [ipfw] install_state: entry already present, done o kern/137346 ipfw [ipfw] ipfw nat redirect_proto is broken o kern/137232 ipfw [ipfw] parser troubles o kern/136695 ipfw [ipfw] [patch] fwd reached after skipto in dynamic rul o kern/135476 ipfw [ipfw] IPFW table breaks after adding a large number o o bin/134975 ipfw [patch] ipfw(8) can't work with set in rule file. o kern/131817 ipfw [ipfw] blocks layer2 packets that should not be blocke o kern/131601 ipfw [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0) o kern/131558 ipfw [ipfw] Inconsistent "via" ipfw behavior o bin/130132 ipfw [patch] ipfw(8): no way to get mask from ipfw pipe sho o kern/129103 ipfw [ipfw] IPFW check state does not work =( o kern/129093 ipfw [ipfw] ipfw nat must not drop packets o kern/129036 ipfw [ipfw] 'ipfw fwd' does not change outgoing interface n o kern/128260 ipfw [ipfw] [patch] ipfw_divert damages IPv6 packets o kern/127230 ipfw [ipfw] [patch] Feature request to add UID and/or GID l o kern/127209 ipfw [ipfw] IPFW table become corrupted after many changes o bin/125370 ipfw [ipfw] [patch] increase a line buffer limit o conf/123119 ipfw [patch] rc script for ipfw does not handle IPv6 o kern/122963 ipfw [ipfw] tcpdump does not show packets redirected by 'ip o kern/122109 ipfw [ipfw] ipfw nat traceroute problem s kern/121807 ipfw [request] TCP and UDP port_table in ipfw o kern/121382 ipfw [dummynet] 6.3-RELEASE-p1 page fault in dummynet (corr o kern/121122 ipfw [ipfw] [patch] add support to ToS IP PRECEDENCE fields o kern/118993 ipfw [ipfw] page fault - probably it's a locking problem o bin/117214 ipfw ipfw(8) fwd with IPv6 treats input as IPv4 o kern/116009 ipfw [ipfw] [patch] Ignore errors when loading ruleset from o docs/113803 ipfw [patch] ipfw(8) - don't get bitten by the fwd rule o kern/112561 ipfw [ipfw] ipfw fwd does not work with some TCP packets o kern/105330 ipfw [ipfw] [patch] ipfw (dummynet) does not allow to set q o bin/104921 ipfw [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a o kern/104682 ipfw [ipfw] [patch] Some minor language consistency fixes a o kern/103454 ipfw [ipfw] [patch] [request] add a facility to modify DF b o kern/103328 ipfw [ipfw] [request] sugestions about ipfw table o kern/102471 ipfw [ipfw] [patch] add tos and dscp support o kern/98831 ipfw [ipfw] ipfw has UDP hickups o kern/97951 ipfw [ipfw] [patch] ipfw does not tie interface details to o kern/95084 ipfw [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v o kern/93300 ipfw [ipfw] ipfw pipe lost packets o kern/91847 ipfw [ipfw] ipfw with vlanX as the device o kern/88659 ipfw [modules] ipfw and ip6fw do not work properly as modul o kern/87032 ipfw [ipfw] [patch] ipfw ioctl interface implementation o kern/86957 ipfw [ipfw] [patch] ipfw mac logging o bin/83046 ipfw [ipfw] ipfw2 error: "setup" is allowed for icmp, but s o kern/82724 ipfw [ipfw] [patch] [request] Add setnexthop and defaultrou o bin/78785 ipfw [patch] ipfw(8) verbosity locks machine if /etc/rc.fir o kern/74104 ipfw [ipfw] ipfw2/1 conflict not detected or reported, manp o kern/73910 ipfw [ipfw] serious bug on forwarding of packets after NAT o kern/72987 ipfw [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes ( o kern/71366 ipfw [ipfw] "ipfw fwd" sometimes rewrites destination mac a o kern/69963 ipfw [ipfw] install_state warning about already existing en o kern/60719 ipfw [ipfw] Headerless fragments generate cryptic error mes o kern/55984 ipfw [ipfw] [patch] time based firewalling support for ipfw o kern/51274 ipfw [ipfw] [patch] ipfw2 create dynamic rules with parent o kern/48172 ipfw [ipfw] [patch] ipfw does not log size and flags o kern/46159 ipfw [ipfw] [patch] [request] ipfw dynamic rules lifetime f a kern/26534 ipfw [ipfw] Add an option to ipfw to log gid/uid of who cau 79 problems total. From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 18 14:51:09 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7CE7D1065677 for ; Mon, 18 Apr 2011 14:51:09 +0000 (UTC) (envelope-from bd@dax.nu) Received: from xenis.dax.nu (xenis.dax.nu [194.68.48.87]) by mx1.freebsd.org (Postfix) with ESMTP id 0F5C38FC0A for ; Mon, 18 Apr 2011 14:51:08 +0000 (UTC) Received: from kali.pri (ua-83-227-152-132.cust.bredbandsbolaget.se [83.227.152.132]) (authenticated bits=0) by xenis.dax.nu (8.14.3/8.14.1/SuSE Linux 0.8) with ESMTP id p3IEajCq028013 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Mon, 18 Apr 2011 16:36:47 +0200 To: References: <201103151910.p2FJACpx003227@freefall.freebsd.org> From: Bjorn Danielsson Date: Mon, 18 Apr 2011 16:36:44 +0200 In-Reply-To: <201103151910.p2FJACpx003227@freefall.freebsd.org> (Sergey Matveychuk's message of "Tue\, 15 Mar 2011 19\:10\:12 GMT") Message-ID: User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (xenis.dax.nu [194.68.48.87]); Mon, 18 Apr 2011 16:36:47 +0200 (CEST) Cc: Sergey Matveychuk Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Apr 2011 14:51:09 -0000 Hi Sergey, I have now tested your latest patch (March 15) against 8.2-RELEASE with my application that does both packet filtering and injection, and so far everything works, both with IPv6 and IPv4 traffic. The migration path to IPv6 looks really smooth now! Bjorn Sergey Matveychuk wrote: > The following reply was made to PR kern/128260; it has been noted by GNATS. > > From: Sergey Matveychuk > To: bug-followup@FreeBSD.org, dan@obluda.cz > Cc: > Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets > Date: Tue, 15 Mar 2011 22:06:28 +0300 > > This is a multi-part message in MIME format. > --------------030906040307050306030601 > Content-Type: text/plain; charset=UTF-8; format=flowed > Content-Transfer-Encoding: 7bit > > Complete remove nd6.c part. I'll send it separately with explanations. > > --------------030906040307050306030601 > Content-Type: text/plain; > name="divert-ipv6.diff" > Content-Transfer-Encoding: base64 > Content-Disposition: attachment; > filename="divert-ipv6.diff" > >[...] From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 18 16:20:12 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3F748106564A for ; Mon, 18 Apr 2011 16:20:12 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 2E4818FC1A for ; Mon, 18 Apr 2011 16:20:11 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p3IGKBKw035288 for ; Mon, 18 Apr 2011 16:20:11 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p3IGKBB1035287; Mon, 18 Apr 2011 16:20:11 GMT (envelope-from gnats) Date: Mon, 18 Apr 2011 16:20:11 GMT Message-Id: <201104181620.p3IGKBB1035287@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org From: ten Cc: Subject: Re: kern/122109: [ipfw] ipfw nat traceroute problem X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: ten List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Apr 2011 16:20:12 -0000 The following reply was made to PR kern/122109; it has been noted by GNATS. From: ten To: bug-followup@FreeBSD.org, m.dyadchenko@211.ru Cc: Subject: Re: kern/122109: [ipfw] ipfw nat traceroute problem Date: Mon, 18 Apr 2011 22:41:45 +0700 --20cf30563995a1b54304a1333ac0 Content-Type: text/plain; charset=ISO-8859-1 Work's fine. mfc ? --- sys/netinet/libalias/alias.c.orig 2010-09-10 03:28:46.000000000 +0700 +++ sys/netinet/libalias/alias.c 2011-04-18 22:05:07.000000000 +0700 @@ -423,7 +423,7 @@ } return (PKT_ALIAS_OK); } - return (PKT_ALIAS_IGNORED); + return (PKT_ALIAS_OK); } --20cf30563995a1b54304a1333ac0 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Work's fine.
mfc ?


--- sys/netinet/libalias/alias.c.orig= =A0=A0 2010-09-10 03:28:46.000000000 +0700
+++ sys/netinet/libalias/alia= s.c=A0=A0=A0=A0=A0=A0=A0 2011-04-18 22:05:07.000000000 +0700
@@ -423,7 += 423,7 @@
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 }
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 return (PKT_ALIAS_OK);
=A0= =A0=A0=A0=A0=A0=A0 }
-=A0=A0=A0=A0=A0=A0 return (PKT_ALIAS_IGNORED);
= +=A0=A0=A0=A0=A0=A0 return (PKT_ALIAS_OK);
=A0}

--20cf30563995a1b54304a1333ac0-- From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 18 18:22:59 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 215C71065698; Mon, 18 Apr 2011 18:22:59 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id EA7F48FC17; Mon, 18 Apr 2011 18:22:58 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p3IIMwSp051323; Mon, 18 Apr 2011 18:22:58 GMT (envelope-from glebius@freefall.freebsd.org) Received: (from glebius@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p3IIMwZf051319; Mon, 18 Apr 2011 18:22:58 GMT (envelope-from glebius) Date: Mon, 18 Apr 2011 18:22:58 GMT Message-Id: <201104181822.p3IIMwZf051319@freefall.freebsd.org> To: fodillemlinkarim@gmail.com, glebius@FreeBSD.org, freebsd-ipfw@FreeBSD.org, glebius@FreeBSD.org From: glebius@FreeBSD.org Cc: Subject: Re: kern/156180: [ipfw] [patch] ipfw checks TCP options on non-contiguous header X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Apr 2011 18:22:59 -0000 Synopsis: [ipfw] [patch] ipfw checks TCP options on non-contiguous header State-Changed-From-To: open->patched State-Changed-By: glebius State-Changed-When: Mon Apr 18 18:22:21 UTC 2011 State-Changed-Why: Fixed in head/. Responsible-Changed-From-To: freebsd-ipfw->glebius Responsible-Changed-By: glebius Responsible-Changed-When: Mon Apr 18 18:22:21 UTC 2011 Responsible-Changed-Why: Fixed in head/. http://www.freebsd.org/cgi/query-pr.cgi?pr=156180 From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 18 18:24:03 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 187FF1065674 for ; Mon, 18 Apr 2011 18:24:03 +0000 (UTC) (envelope-from sem@semmy.ru) Received: from sunner.semmy.ru (sunner.semmy.ru [IPv6:2a00:14d0:0:20::3]) by mx1.freebsd.org (Postfix) with ESMTP id 96CED8FC19 for ; Mon, 18 Apr 2011 18:24:02 +0000 (UTC) Received: from [2a00:14d0:0:40:1::1] (helo=home.semmy.ru) by sunner.semmy.ru with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.74 (FreeBSD)) (envelope-from ) id 1QBt7A-000Aim-PC; Mon, 18 Apr 2011 22:24:00 +0400 Message-ID: <4DAC81BE.7000208@semmy.ru> Date: Mon, 18 Apr 2011 22:23:58 +0400 From: Sergey Matveychuk User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9 MIME-Version: 1.0 To: Bjorn Danielsson References: <201103151910.p2FJACpx003227@freefall.freebsd.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-ipfw@freebsd.org Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Apr 2011 18:24:03 -0000 Great. It reamins only to find a commiter who will commit the patch. 18.04.2011 18:36, Bjorn Danielsson wrote: > Hi Sergey, I have now tested your latest patch (March 15) against 8.2-RELEASE > with my application that does both packet filtering and injection, and so far > everything works, both with IPv6 and IPv4 traffic. The migration path to IPv6 > looks really smooth now! > > Bjorn > > > Sergey Matveychuk wrote: >> The following reply was made to PR kern/128260; it has been noted by GNATS. >> >> From: Sergey Matveychuk >> To: bug-followup@FreeBSD.org, dan@obluda.cz >> Cc: >> Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets >> Date: Tue, 15 Mar 2011 22:06:28 +0300 >> >> This is a multi-part message in MIME format. >> --------------030906040307050306030601 >> Content-Type: text/plain; charset=UTF-8; format=flowed >> Content-Transfer-Encoding: 7bit >> >> Complete remove nd6.c part. I'll send it separately with explanations. >> >> --------------030906040307050306030601 >> Content-Type: text/plain; >> name="divert-ipv6.diff" >> Content-Transfer-Encoding: base64 >> Content-Disposition: attachment; >> filename="divert-ipv6.diff" >> >> [...] > > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 19 11:30:11 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 904081065674 for ; Tue, 19 Apr 2011 11:30:11 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 5A2578FC15 for ; Tue, 19 Apr 2011 11:30:11 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p3JBUBsR056726 for ; Tue, 19 Apr 2011 11:30:11 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p3JBUBDx056721; Tue, 19 Apr 2011 11:30:11 GMT (envelope-from gnats) Date: Tue, 19 Apr 2011 11:30:11 GMT Message-Id: <201104191130.p3JBUBDx056721@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org From: dfilter@FreeBSD.ORG (dfilter service) Cc: Subject: Re: kern/152887: commit references a PR X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: dfilter service List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Apr 2011 11:30:11 -0000 The following reply was made to PR kern/152887; it has been noted by GNATS. From: dfilter@FreeBSD.ORG (dfilter service) To: bug-followup@FreeBSD.org Cc: Subject: Re: kern/152887: commit references a PR Date: Tue, 19 Apr 2011 11:29:18 +0000 (UTC) Author: ae Date: Tue Apr 19 11:29:09 2011 New Revision: 220831 URL: http://svn.freebsd.org/changeset/base/220831 Log: ipdn_bound_var() functions is designed to bound a variable between specified minimum and maximum. In case when specified default value is out of bounds it does not work as expected and does not limit variable. Check that default value is in range and limit it if needed. Also bump max_hash_size value to 65536 to correspond with manual page. PR: kern/152887 MFC after: 2 weeks Modified: head/sys/netinet/ipfw/ip_dummynet.c Modified: head/sys/netinet/ipfw/ip_dummynet.c ============================================================================== --- head/sys/netinet/ipfw/ip_dummynet.c Tue Apr 19 10:57:40 2011 (r220830) +++ head/sys/netinet/ipfw/ip_dummynet.c Tue Apr 19 11:29:09 2011 (r220831) @@ -108,6 +108,10 @@ ipdn_bound_var(int *v, int dflt, int lo, { int oldv = *v; const char *op = NULL; + if (dflt < lo) + dflt = lo; + if (dflt > hi) + dflt = hi; if (oldv < lo) { *v = dflt; op = "Bump"; @@ -2128,7 +2132,7 @@ ip_dn_init(void) dn_cfg.red_max_pkt_size = 1500; /* default max packet size */ /* hash tables */ - dn_cfg.max_hash_size = 1024; /* max in the hash tables */ + dn_cfg.max_hash_size = 65536; /* max in the hash tables */ dn_cfg.hash_size = 64; /* default hash size */ /* create hash tables for schedulers and flowsets. _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 19 11:35:08 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3966F1065673; Tue, 19 Apr 2011 11:35:08 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 0FDB98FC16; Tue, 19 Apr 2011 11:35:08 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p3JBZ75v066714; Tue, 19 Apr 2011 11:35:07 GMT (envelope-from ae@freefall.freebsd.org) Received: (from ae@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p3JBZ7RV066621; Tue, 19 Apr 2011 11:35:07 GMT (envelope-from ae) Date: Tue, 19 Apr 2011 11:35:07 GMT Message-Id: <201104191135.p3JBZ7RV066621@freefall.freebsd.org> To: boris@tagnet.ru, ae@FreeBSD.org, freebsd-ipfw@FreeBSD.org From: ae@FreeBSD.org Cc: Subject: Re: kern/152887: [ipfw] Can not set more then 1024 buckets with buckets flag X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Apr 2011 11:35:08 -0000 Synopsis: [ipfw] Can not set more then 1024 buckets with buckets flag State-Changed-From-To: analyzed->patched State-Changed-By: ae State-Changed-When: Tue Apr 19 11:34:47 UTC 2011 State-Changed-Why: Patched in head/. http://www.freebsd.org/cgi/query-pr.cgi?pr=152887 From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 19 15:00:24 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 861E71065691 for ; Tue, 19 Apr 2011 15:00:24 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 2F6E68FC2A for ; Tue, 19 Apr 2011 15:00:21 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p3JF0LwF048757 for ; Tue, 19 Apr 2011 15:00:21 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p3JF0LoB048755; Tue, 19 Apr 2011 15:00:21 GMT (envelope-from gnats) Date: Tue, 19 Apr 2011 15:00:21 GMT Message-Id: <201104191500.p3JF0LoB048755@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org From: Gleb Smirnoff Cc: Subject: kern/143653 X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Gleb Smirnoff List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Apr 2011 15:00:24 -0000 The following reply was made to PR kern/143653; it has been noted by GNATS. From: Gleb Smirnoff To: bug-followup@FreeBSD.org Cc: Jeff Kletsky , "Alexander V. Chernikov" Subject: kern/143653 Date: Tue, 19 Apr 2011 18:59:07 +0400 --J/dobhs11T7y2rNN Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Here are patches that eliminate NAT_BUF_LEN and make all memory sizes in these paths dynamic. Testing is appreciated. Patches are against head/, where a big whitespace cleanup had been performed, so before applying to stable/8 you may need to merge r220802,r220804:: http://svn.freebsd.org/viewvc/base/head/sbin/ipfw/nat.c?view=log -- Totus tuus, Glebius. --J/dobhs11T7y2rNN Content-Type: text/x-diff; charset=koi8-r Content-Disposition: attachment; filename="143653.nat.c.diff" Index: nat.c =================================================================== --- nat.c (revision 220834) +++ nat.c (working copy) @@ -281,13 +281,6 @@ /* End of stuff taken from natd.c. */ -#define INC_ARGCV() do { \ - (*_av)++; \ - (*_ac)--; \ - av = *_av; \ - ac = *_ac; \ -} while(0) - /* * The next 3 functions add support for the addr, port and proto redirect and * their logic is loosely based on SetupAddressRedirect(), SetupPortRedirect() @@ -318,121 +311,107 @@ */ static int -setup_redir_addr(char *spool_buf, unsigned int len, - int *_ac, char ***_av) +estimate_redir_addr(int *ac, char ***av) { - char **av, *sep; /* Token separator. */ - /* Temporary buffer used to hold server pool ip's. */ - char tmp_spool_buf[NAT_BUF_LEN]; - int ac, space, lsnat; + size_t space = sizeof(struct cfg_redir); + char *sep; + + if ((sep = strtok(**av, ",")) != NULL) { + space += sizeof(struct cfg_spool); + while ((sep = strtok(NULL, ",")) != NULL) + space += sizeof(struct cfg_spool); + } + + return (space); +} + +static int +setup_redir_addr(char *buf, int *ac, char ***av) +{ struct cfg_redir *r; - struct cfg_spool *tmp; + char *sep; + size_t space; - av = *_av; - ac = *_ac; - space = 0; - lsnat = 0; - if (len >= SOF_REDIR) { - r = (struct cfg_redir *)spool_buf; - /* Skip cfg_redir at beginning of buf. */ - spool_buf = &spool_buf[SOF_REDIR]; - space = SOF_REDIR; - len -= SOF_REDIR; - } else - goto nospace; + r = (struct cfg_redir *)buf; r->mode = REDIR_ADDR; + /* Skip cfg_redir at beginning of buf. */ + buf = &buf[sizeof(struct cfg_redir)]; + space = sizeof(struct cfg_redir); + /* Extract local address. */ - if (ac == 0) - errx(EX_DATAERR, "redirect_addr: missing local address"); - sep = strchr(*av, ','); - if (sep) { /* LSNAT redirection syntax. */ + if ((sep = strtok(**av, ",")) != NULL) { + struct cfg_spool *spool; + + /* Setup LSNAT server pool. */ r->laddr.s_addr = INADDR_NONE; - /* Preserve av, copy spool servers to tmp_spool_buf. */ - strncpy(tmp_spool_buf, *av, strlen(*av)+1); - lsnat = 1; - } else - StrToAddr(*av, &r->laddr); - INC_ARGCV(); - - /* Extract public address. */ - if (ac == 0) - errx(EX_DATAERR, "redirect_addr: missing public address"); - StrToAddr(*av, &r->paddr); - INC_ARGCV(); - - /* Setup LSNAT server pool. */ - if (sep) { - sep = strtok(tmp_spool_buf, ","); while (sep != NULL) { - tmp = (struct cfg_spool *)spool_buf; - if (len < SOF_SPOOL) - goto nospace; - len -= SOF_SPOOL; - space += SOF_SPOOL; - StrToAddr(sep, &tmp->addr); - tmp->port = ~0; + spool = (struct cfg_spool *)buf; + space += sizeof(struct cfg_spool); + StrToAddr(sep, &spool->addr); + spool->port = ~0; r->spool_cnt++; /* Point to the next possible cfg_spool. */ - spool_buf = &spool_buf[SOF_SPOOL]; + buf = &buf[sizeof(struct cfg_spool)]; sep = strtok(NULL, ","); } + } else + StrToAddr(**av, &r->laddr); + (*av)++; (*ac)--; + + /* Extract public address. */ + StrToAddr(**av, &r->paddr); + (*av)++; (*ac)--; + + return (space); +} + +static int +estimate_redir_port(int *ac, char ***av) +{ + size_t space = sizeof(struct cfg_redir); + char *sep; + + if ((sep = strtok(**av, ",")) != NULL) { + space += sizeof(struct cfg_spool); + while ((sep = strtok(NULL, ",")) != NULL) + space += sizeof(struct cfg_spool); } - return(space); -nospace: - errx(EX_DATAERR, "redirect_addr: buf is too small\n"); + + return (space); } static int -setup_redir_port(char *spool_buf, unsigned int len, - int *_ac, char ***_av) +setup_redir_port(char *buf, int *ac, char ***av) { - char **av, *sep, *protoName; - char tmp_spool_buf[NAT_BUF_LEN]; - int ac, space, lsnat; struct cfg_redir *r; - struct cfg_spool *tmp; + char *sep, *protoName, *lsnat = NULL; + size_t space; u_short numLocalPorts; port_range portRange; - av = *_av; - ac = *_ac; - space = 0; - lsnat = 0; numLocalPorts = 0; - if (len >= SOF_REDIR) { - r = (struct cfg_redir *)spool_buf; - /* Skip cfg_redir at beginning of buf. */ - spool_buf = &spool_buf[SOF_REDIR]; - space = SOF_REDIR; - len -= SOF_REDIR; - } else - goto nospace; + r = (struct cfg_redir *)buf; r->mode = REDIR_PORT; + /* Skip cfg_redir at beginning of buf. */ + buf = &buf[sizeof(struct cfg_redir)]; + space = sizeof(struct cfg_redir); + /* * Extract protocol. */ - if (ac == 0) - errx (EX_DATAERR, "redirect_port: missing protocol"); - r->proto = StrToProto(*av); - protoName = *av; - INC_ARGCV(); + r->proto = StrToProto(**av); + protoName = **av; + (*av)++; (*ac)--; /* * Extract local address. */ - if (ac == 0) - errx (EX_DATAERR, "redirect_port: missing local address"); - - sep = strchr(*av, ','); - /* LSNAT redirection syntax. */ - if (sep) { + if ((sep = strchr(**av, ',')) != NULL) { r->laddr.s_addr = INADDR_NONE; r->lport = ~0; numLocalPorts = 1; - /* Preserve av, copy spool servers to tmp_spool_buf. */ - strncpy(tmp_spool_buf, *av, strlen(*av)+1); - lsnat = 1; + lsnat = **av; } else { /* * The sctp nat does not allow the port numbers to be mapped to @@ -440,40 +419,36 @@ * in the target port field. */ if (r->proto == IPPROTO_SCTP) { - if (strchr (*av, ':')) + if (strchr(**av, ':')) errx(EX_DATAERR, "redirect_port:" - "port numbers do not change in sctp, so do not " - "specify them as part of the target"); + "port numbers do not change in sctp, so do " + "not specify them as part of the target"); else - StrToAddr(*av, &r->laddr); + StrToAddr(**av, &r->laddr); } else { - if (StrToAddrAndPortRange (*av, &r->laddr, protoName, - &portRange) != 0) - errx(EX_DATAERR, "redirect_port:" + if (StrToAddrAndPortRange(**av, &r->laddr, protoName, + &portRange) != 0) + errx(EX_DATAERR, "redirect_port: " "invalid local port range"); r->lport = GETLOPORT(portRange); numLocalPorts = GETNUMPORTS(portRange); } } - INC_ARGCV(); + (*av)++; (*ac)--; /* * Extract public port and optionally address. */ - if (ac == 0) - errx (EX_DATAERR, "redirect_port: missing public port"); - - sep = strchr (*av, ':'); - if (sep) { - if (StrToAddrAndPortRange (*av, &r->paddr, protoName, + if ((sep = strchr(**av, ':')) != NULL) { + if (StrToAddrAndPortRange(**av, &r->paddr, protoName, &portRange) != 0) - errx(EX_DATAERR, "redirect_port:" + errx(EX_DATAERR, "redirect_port: " "invalid public port range"); } else { r->paddr.s_addr = INADDR_ANY; - if (StrToPortRange (*av, protoName, &portRange) != 0) - errx(EX_DATAERR, "redirect_port:" + if (StrToPortRange(**av, protoName, &portRange) != 0) + errx(EX_DATAERR, "redirect_port: " "invalid public port range"); } @@ -483,7 +458,7 @@ r->lport = r->pport; } r->pport_cnt = GETNUMPORTS(portRange); - INC_ARGCV(); + (*av)++; (*ac)--; /* * Extract remote address and optionally port. @@ -492,19 +467,18 @@ * NB: isalpha(**av) => we've to check that next parameter is really an * option for this redirect entry, else stop here processing arg[cv]. */ - if (ac != 0 && !isalpha(**av)) { - sep = strchr (*av, ':'); - if (sep) { - if (StrToAddrAndPortRange (*av, &r->raddr, protoName, + if (*ac != 0 && !isalpha(***av)) { + if ((sep = strchr(**av, ':')) != NULL) { + if (StrToAddrAndPortRange(**av, &r->raddr, protoName, &portRange) != 0) - errx(EX_DATAERR, "redirect_port:" + errx(EX_DATAERR, "redirect_port: " "invalid remote port range"); } else { SETLOPORT(portRange, 0); SETNUMPORTS(portRange, 1); - StrToAddr (*av, &r->raddr); + StrToAddr(**av, &r->raddr); } - INC_ARGCV(); + (*av)++; (*ac)--; } else { SETLOPORT(portRange, 0); SETNUMPORTS(portRange, 1); @@ -517,7 +491,7 @@ * Make sure port ranges match up, then add the redirect ports. */ if (numLocalPorts != r->pport_cnt) - errx(EX_DATAERR, "redirect_port:" + errx(EX_DATAERR, "redirect_port: " "port ranges must be equal in size"); /* Remote port range is allowed to be '0' which means all ports. */ @@ -526,20 +500,18 @@ errx(EX_DATAERR, "redirect_port: remote port must" "be 0 or equal to local port range in size"); - /* - * Setup LSNAT server pool. - */ - if (lsnat) { - sep = strtok(tmp_spool_buf, ","); + /* Setup LSNAT server pool. */ + if (lsnat != NULL) { + struct cfg_spool *spool; + + sep = strtok(lsnat, ","); while (sep != NULL) { - tmp = (struct cfg_spool *)spool_buf; - if (len < SOF_SPOOL) - goto nospace; - len -= SOF_SPOOL; - space += SOF_SPOOL; + spool = (struct cfg_spool *)buf; + space += sizeof(struct cfg_spool); /* - * The sctp nat does not allow the port numbers to be mapped to new port numbers - * Therefore, no ports are to be specified in the target port field + * The sctp nat does not allow the port numbers to + * be mapped to new port numbers. Therefore, no ports + * are to be specified in the target port field. */ if (r->proto == IPPROTO_SCTP) { if (strchr (sep, ':')) { @@ -548,11 +520,11 @@ "sctp, so do not specify them as " "part of the target"); } else { - StrToAddr(sep, &tmp->addr); - tmp->port = r->pport; + StrToAddr(sep, &spool->addr); + spool->port = r->pport; } } else { - if (StrToAddrAndPortRange(sep, &tmp->addr, + if (StrToAddrAndPortRange(sep, &spool->addr, protoName, &portRange) != 0) errx(EX_DATAERR, "redirect_port:" "invalid local port range"); @@ -560,88 +532,73 @@ errx(EX_DATAERR, "redirect_port: " "local port must be single in " "this context"); - tmp->port = GETLOPORT(portRange); + spool->port = GETLOPORT(portRange); } r->spool_cnt++; /* Point to the next possible cfg_spool. */ - spool_buf = &spool_buf[SOF_SPOOL]; + buf = &buf[sizeof(struct cfg_spool)]; sep = strtok(NULL, ","); } } + return (space); -nospace: - errx(EX_DATAERR, "redirect_port: buf is too small\n"); } static int -setup_redir_proto(char *spool_buf, unsigned int len, - int *_ac, char ***_av) +setup_redir_proto(char *buf, int *ac, char ***av) { - char **av; - int ac, space; + struct cfg_redir *r; struct protoent *protoent; - struct cfg_redir *r; + size_t space; - av = *_av; - ac = *_ac; - if (len >= SOF_REDIR) { - r = (struct cfg_redir *)spool_buf; - /* Skip cfg_redir at beginning of buf. */ - spool_buf = &spool_buf[SOF_REDIR]; - space = SOF_REDIR; - len -= SOF_REDIR; - } else - goto nospace; + r = (struct cfg_redir *)buf; r->mode = REDIR_PROTO; + /* Skip cfg_redir at beginning of buf. */ + buf = &buf[sizeof(struct cfg_redir)]; + space = sizeof(struct cfg_redir); + /* * Extract protocol. */ - if (ac == 0) - errx(EX_DATAERR, "redirect_proto: missing protocol"); - - protoent = getprotobyname(*av); + protoent = getprotobyname(**av); if (protoent == NULL) - errx(EX_DATAERR, "redirect_proto: unknown protocol %s", *av); + errx(EX_DATAERR, "redirect_proto: unknown protocol %s", **av); else r->proto = protoent->p_proto; - INC_ARGCV(); + (*av)++; (*ac)--; /* * Extract local address. */ - if (ac == 0) - errx(EX_DATAERR, "redirect_proto: missing local address"); - else - StrToAddr(*av, &r->laddr); + StrToAddr(**av, &r->laddr); - INC_ARGCV(); + (*av)++; (*ac)--; /* * Extract optional public address. */ - if (ac == 0) { + if (*ac == 0) { r->paddr.s_addr = INADDR_ANY; r->raddr.s_addr = INADDR_ANY; } else { /* see above in setup_redir_port() */ - if (!isalpha(**av)) { - StrToAddr(*av, &r->paddr); - INC_ARGCV(); + if (!isalpha(***av)) { + StrToAddr(**av, &r->paddr); + (*av)++; (*ac)--; /* * Extract optional remote address. */ /* see above in setup_redir_port() */ - if (ac!=0 && !isalpha(**av)) { - StrToAddr(*av, &r->raddr); - INC_ARGCV(); + if (*ac != 0 && !isalpha(***av)) { + StrToAddr(**av, &r->raddr); + (*av)++; (*ac)--; } } } + return (space); -nospace: - errx(EX_DATAERR, "redirect_proto: buf is too small\n"); } static void @@ -763,27 +720,76 @@ ipfw_config_nat(int ac, char **av) { struct cfg_nat *n; /* Nat instance configuration. */ - int i, len, off, tok; - char *id, buf[NAT_BUF_LEN]; /* Buffer for serialized data. */ + int i, off, tok, ac1; + char *id, *buf, **av1; + size_t len; - len = NAT_BUF_LEN; - /* Offset in buf: save space for n at the beginning. */ - off = sizeof(*n); - memset(buf, 0, sizeof(buf)); - n = (struct cfg_nat *)buf; - av++; ac--; /* Nat id. */ if (ac && isdigit(**av)) { id = *av; - i = atoi(*av); ac--; av++; - n->id = i; } else errx(EX_DATAERR, "missing nat id"); if (ac == 0) errx(EX_DATAERR, "missing option"); + len = sizeof(struct cfg_nat); + ac1 = ac; + av1 = av; + while (ac1 > 0) { + tok = match_token(nat_params, *av1); + ac1--; av1++; + switch (tok) { + case TOK_IP: + case TOK_IF: + ac1--; av1++; + break; + case TOK_ALOG: + case TOK_DENY_INC: + case TOK_SAME_PORTS: + case TOK_UNREG_ONLY: + case TOK_RESET_ADDR: + case TOK_ALIAS_REV: + case TOK_PROXY_ONLY: + break; + case TOK_REDIR_ADDR: + if (ac1 < 2) + errx(EX_DATAERR, "redirect_addr: " + "not enough arguments"); + len += estimate_redir_addr(&ac1, &av1); + av1 += 2; ac1 -= 2; + break; + case TOK_REDIR_PORT: + if (ac1 < 3) + errx(EX_DATAERR, "redirect_port: " + "not enough arguments"); + av1++; ac1--; + len += estimate_redir_port(&ac1, &av1); + av1 += 2; ac1 -= 2; + break; + case TOK_REDIR_PROTO: + if (ac1 < 2) + errx(EX_DATAERR, "redirect_proto: " + "not enough arguments"); + len += sizeof(struct cfg_redir); + av1 += 2; ac1 -= 2; + break; + default: + errx(EX_DATAERR, "unrecognised option ``%s''", av1[-1]); + } + } + + if ((buf = malloc(len)) == NULL) + errx(EX_OSERR, "malloc failed"); + + /* Offset in buf: save space for n at the beginning. */ + off = sizeof(*n); + memset(buf, 0, len); + n = (struct cfg_nat *)buf; + i = atoi(id); + n->id = i; + while (ac > 0) { tok = match_token(nat_params, *av); ac--; av++; @@ -832,21 +838,18 @@ case TOK_REDIR_PROTO: switch (tok) { case TOK_REDIR_ADDR: - i = setup_redir_addr(&buf[off], len, &ac, &av); + i = setup_redir_addr(&buf[off], &ac, &av); break; case TOK_REDIR_PORT: - i = setup_redir_port(&buf[off], len, &ac, &av); + i = setup_redir_port(&buf[off], &ac, &av); break; case TOK_REDIR_PROTO: - i = setup_redir_proto(&buf[off], len, &ac, &av); + i = setup_redir_proto(&buf[off], &ac, &av); break; } n->redir_cnt++; off += i; - len -= i; break; - default: - errx(EX_DATAERR, "unrecognised option ``%s''", av[-1]); } } --J/dobhs11T7y2rNN Content-Type: text/x-diff; charset=koi8-r Content-Disposition: attachment; filename="143653.netinet.diff" Index: ip_fw.h =================================================================== --- ip_fw.h (revision 220826) +++ ip_fw.h (working copy) @@ -383,8 +383,6 @@ }; #endif -#define NAT_BUF_LEN 1024 - #ifdef IPFW_INTERNAL /* Nat configuration data struct. */ struct cfg_nat { Index: ipfw/ip_fw_private.h =================================================================== --- ipfw/ip_fw_private.h (revision 220826) +++ ipfw/ip_fw_private.h (working copy) @@ -225,6 +225,7 @@ struct rwlock uh_lock; /* lock for upper half */ #endif uint32_t id; /* ruleset id */ + uint32_t gencnt; /* generation count */ }; struct sockopt; /* used by tcp_var.h */ Index: ipfw/ip_fw_nat.c =================================================================== --- ipfw/ip_fw_nat.c (revision 220826) +++ ipfw/ip_fw_nat.c (working copy) @@ -138,7 +138,7 @@ } } -static int +static void add_redir_spool_cfg(char *buf, struct cfg_nat *ptr) { struct cfg_redir *r, *ser_r; @@ -199,7 +199,6 @@ /* And finally hook this redir entry. */ LIST_INSERT_HEAD(&ptr->redir_chain, r, _next); } - return (1); } static int @@ -344,20 +343,28 @@ static int ipfw_nat_cfg(struct sockopt *sopt) { - struct cfg_nat *ptr, *ser_n; + struct cfg_nat *cfg, *ptr; char *buf; struct ip_fw_chain *chain = &V_layer3_chain; + int gencnt, len, error = 0; - buf = malloc(NAT_BUF_LEN, M_IPFW, M_WAITOK | M_ZERO); - sooptcopyin(sopt, buf, NAT_BUF_LEN, sizeof(struct cfg_nat)); - ser_n = (struct cfg_nat *)buf; + len = sopt->sopt_valsize; + buf = malloc(len, M_TEMP, M_WAITOK | M_ZERO); + if ((error = sooptcopyin(sopt, buf, len, sizeof(struct cfg_nat))) != 0) + goto out; - /* check valid parameter ser_n->id > 0 ? */ + cfg = (struct cfg_nat *)buf; + if (cfg->id < 0) { + error = EINVAL; + goto out; + } + /* * Find/create nat rule. */ IPFW_WLOCK(chain); - ptr = lookup_nat(&chain->nat, ser_n->id); + gencnt = chain->gencnt; + ptr = lookup_nat(&chain->nat, cfg->id); if (ptr == NULL) { IPFW_WUNLOCK(chain); /* New rule: allocate and init new instance. */ @@ -365,27 +372,27 @@ ptr->lib = LibAliasInit(NULL); LIST_INIT(&ptr->redir_chain); } else { - /* Entry already present: temporarly unhook it. */ + /* Entry already present: temporarily unhook it. */ LIST_REMOVE(ptr, _next); - flush_nat_ptrs(chain, ser_n->id); + flush_nat_ptrs(chain, cfg->id); IPFW_WUNLOCK(chain); } /* * Basic nat configuration. */ - ptr->id = ser_n->id; + ptr->id = cfg->id; /* * XXX - what if this rule doesn't nat any ip and just * redirect? * do we set aliasaddress to 0.0.0.0? */ - ptr->ip = ser_n->ip; - ptr->redir_cnt = ser_n->redir_cnt; - ptr->mode = ser_n->mode; - LibAliasSetMode(ptr->lib, ser_n->mode, ser_n->mode); + ptr->ip = cfg->ip; + ptr->redir_cnt = cfg->redir_cnt; + ptr->mode = cfg->mode; + LibAliasSetMode(ptr->lib, cfg->mode, cfg->mode); LibAliasSetAddress(ptr->lib, ptr->ip); - memcpy(ptr->if_name, ser_n->if_name, IF_NAMESIZE); + memcpy(ptr->if_name, cfg->if_name, IF_NAMESIZE); /* * Redir and LSNAT configuration. @@ -394,15 +401,19 @@ del_redir_spool_cfg(ptr, &ptr->redir_chain); /* Add new entries. */ add_redir_spool_cfg(&buf[(sizeof(struct cfg_nat))], ptr); - free(buf, M_IPFW); + IPFW_WLOCK(chain); - /* - * XXXGL race here: another ipfw_nat_cfg() may already inserted - * entry with the same ser_n->id. - */ + /* Extra check to avoid race with another ipfw_nat_cfg() */ + if (gencnt != chain->gencnt && + ((cfg = lookup_nat(&chain->nat, ptr->id)) != NULL)) + LIST_REMOVE(cfg, _next); LIST_INSERT_HEAD(&chain->nat, ptr, _next); + chain->gencnt++; IPFW_WUNLOCK(chain); - return (0); + +out: + free(buf, M_TEMP); + return (error); } static int @@ -432,52 +443,61 @@ static int ipfw_nat_get_cfg(struct sockopt *sopt) { - uint8_t *data; + struct ip_fw_chain *chain = &V_layer3_chain; struct cfg_nat *n; struct cfg_redir *r; struct cfg_spool *s; - int nat_cnt, off; - struct ip_fw_chain *chain; - int err = ENOSPC; + char *data; + int gencnt, nat_cnt, len, error; - chain = &V_layer3_chain; nat_cnt = 0; - off = sizeof(nat_cnt); + len = sizeof(nat_cnt); - data = malloc(NAT_BUF_LEN, M_IPFW, M_WAITOK | M_ZERO); IPFW_RLOCK(chain); - /* Serialize all the data. */ +retry: + gencnt = chain->gencnt; + /* Estimate memory amount */ LIST_FOREACH(n, &chain->nat, _next) { nat_cnt++; - if (off + SOF_NAT >= NAT_BUF_LEN) - goto nospace; - bcopy(n, &data[off], SOF_NAT); - off += SOF_NAT; + len += sizeof(struct cfg_nat); LIST_FOREACH(r, &n->redir_chain, _next) { - if (off + SOF_REDIR >= NAT_BUF_LEN) - goto nospace; - bcopy(r, &data[off], SOF_REDIR); - off += SOF_REDIR; + len += sizeof(struct cfg_redir); + LIST_FOREACH(s, &r->spool_chain, _next) + len += sizeof(struct cfg_spool); + } + } + IPFW_RUNLOCK(chain); + + data = malloc(len, M_TEMP, M_WAITOK | M_ZERO); + bcopy(&nat_cnt, data, sizeof(nat_cnt)); + + nat_cnt = 0; + len = sizeof(nat_cnt); + + IPFW_RLOCK(chain); + if (gencnt != chain->gencnt) { + free(data, M_TEMP); + goto retry; + } + /* Serialize all the data. */ + LIST_FOREACH(n, &chain->nat, _next) { + bcopy(n, &data[len], sizeof(struct cfg_nat)); + len += sizeof(struct cfg_nat); + LIST_FOREACH(r, &n->redir_chain, _next) { + bcopy(r, &data[len], sizeof(struct cfg_redir)); + len += sizeof(struct cfg_redir); LIST_FOREACH(s, &r->spool_chain, _next) { - if (off + SOF_SPOOL >= NAT_BUF_LEN) - goto nospace; - bcopy(s, &data[off], SOF_SPOOL); - off += SOF_SPOOL; + bcopy(s, &data[len], sizeof(struct cfg_spool)); + len += sizeof(struct cfg_spool); } } } - err = 0; /* all good */ -nospace: IPFW_RUNLOCK(chain); - if (err == 0) { - bcopy(&nat_cnt, data, sizeof(nat_cnt)); - sooptcopyout(sopt, data, NAT_BUF_LEN); - } else { - printf("serialized data buffer not big enough:" - "please increase NAT_BUF_LEN\n"); - } - free(data, M_IPFW); - return (err); + + error = sooptcopyout(sopt, data, len); + free(data, M_TEMP); + + return (error); } static int --J/dobhs11T7y2rNN-- From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 19 15:09:51 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 66AE51065674; Tue, 19 Apr 2011 15:09:51 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 3D2478FC1C; Tue, 19 Apr 2011 15:09:51 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p3JF9p9b057429; Tue, 19 Apr 2011 15:09:51 GMT (envelope-from glebius@freefall.freebsd.org) Received: (from glebius@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p3JF9oFt057425; Tue, 19 Apr 2011 15:09:50 GMT (envelope-from glebius) Date: Tue, 19 Apr 2011 15:09:50 GMT Message-Id: <201104191509.p3JF9oFt057425@freefall.freebsd.org> To: dima_bsd@inbox.lv, glebius@FreeBSD.org, freebsd-ipfw@FreeBSD.org, glebius@FreeBSD.org From: glebius@FreeBSD.org Cc: Subject: Re: kern/143653: [ipfw] [patch] ipfw nat redirect_port "buf is too small" error X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Apr 2011 15:09:51 -0000 Synopsis: [ipfw] [patch] ipfw nat redirect_port "buf is too small" error State-Changed-From-To: open->patched State-Changed-By: glebius State-Changed-When: Tue Apr 19 15:09:27 UTC 2011 State-Changed-Why: Fixed in head/. Responsible-Changed-From-To: freebsd-ipfw->glebius Responsible-Changed-By: glebius Responsible-Changed-When: Tue Apr 19 15:09:27 UTC 2011 Responsible-Changed-Why: Fixed in head/. http://www.freebsd.org/cgi/query-pr.cgi?pr=143653 From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 20 12:36:58 2011 Return-Path: Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7F2E3106566B; Wed, 20 Apr 2011 12:36:58 +0000 (UTC) (envelope-from lev@FreeBSD.org) Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [IPv6:2a01:4f8:131:60a2::2]) by mx1.freebsd.org (Postfix) with ESMTP id 1DD648FC1C; Wed, 20 Apr 2011 12:36:58 +0000 (UTC) Received: from lion.home.serebryakov.spb.ru (89.112.15.178.pppoe.eltel.net [89.112.15.178]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPA id 81DC84AC42; Wed, 20 Apr 2011 16:36:56 +0400 (MSD) Date: Wed, 20 Apr 2011 16:36:55 +0400 From: Lev Serebryakov Organization: FreeBSD X-Priority: 3 (Normal) Message-ID: <1117238404.20110420163655@serebryakov.spb.ru> To: bug-followup@FreeBSD.org, seh-10lzx4@mail.quadrizen.com MIME-Version: 1.0 Content-Type: text/plain; charset=windows-1251 Content-Transfer-Encoding: quoted-printable Cc: freebsd-ipfw@FreeBSD.org, freebsd-net@freebsd.org Subject: Re: bin/104921: [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (another variation on PR 91245) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: lev@FreeBSD.org List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Apr 2011 12:36:58 -0000 Hello, Bug-followup. It is still valid for 8.2-STABLE: gateway# ipfw add 50000 allow ipv6-icmp from any to 2001:470:1f09:hhhh::/64= ,2001:470:hhhh:1::/64,2001:470:hhhh:2::/64 icmp6types 1,2,3,4,128,129 keep-= state ipfw: bad netmask ``470:1f09:hhhh::/64'' gateway# uname -a FreeBSD gateway.home.serebryakov.spb.ru 8.2-STABLE FreeBSD 8.2-STABLE #0: F= ri Apr 15 16:57:44 MSD 2011 lev@vmware-8-32.home.serebryakov.spb.ru:/us= r/obj/nanobsd.gateway-net5501/usr/src/sys/NET5501 i386 It is very annoying bug, because "allow" rule can be divided into one-rule-per-network, but "deny ... NOT IPv6,IPv6,..." is hard to emulate (with multiple skipto rules). --=20 // Black Lion AKA Lev Serebryakov From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 20 12:40:10 2011 Return-Path: Delivered-To: freebsd-ipfw@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7F782106566C for ; Wed, 20 Apr 2011 12:40:10 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 6E77A8FC0C for ; Wed, 20 Apr 2011 12:40:10 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p3KCeAJN059250 for ; Wed, 20 Apr 2011 12:40:10 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p3KCeAeA059249; Wed, 20 Apr 2011 12:40:10 GMT (envelope-from gnats) Date: Wed, 20 Apr 2011 12:40:10 GMT Message-Id: <201104201240.p3KCeAeA059249@freefall.freebsd.org> To: freebsd-ipfw@FreeBSD.org From: Lev Serebryakov Cc: Subject: Re: bin/104921: [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (another variation on PR 91245) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Lev Serebryakov List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Apr 2011 12:40:10 -0000 The following reply was made to PR bin/104921; it has been noted by GNATS. From: Lev Serebryakov To: bug-followup@FreeBSD.org, seh-10lzx4@mail.quadrizen.com Cc: freebsd-ipfw@FreeBSD.org, freebsd-net@freebsd.org Subject: Re: bin/104921: [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (another variation on PR 91245) Date: Wed, 20 Apr 2011 16:36:55 +0400 Hello, Bug-followup. It is still valid for 8.2-STABLE: gateway# ipfw add 50000 allow ipv6-icmp from any to 2001:470:1f09:hhhh::/64= ,2001:470:hhhh:1::/64,2001:470:hhhh:2::/64 icmp6types 1,2,3,4,128,129 keep-= state ipfw: bad netmask ``470:1f09:hhhh::/64'' gateway# uname -a FreeBSD gateway.home.serebryakov.spb.ru 8.2-STABLE FreeBSD 8.2-STABLE #0: F= ri Apr 15 16:57:44 MSD 2011 lev@vmware-8-32.home.serebryakov.spb.ru:/us= r/obj/nanobsd.gateway-net5501/usr/src/sys/NET5501 i386 It is very annoying bug, because "allow" rule can be divided into one-rule-per-network, but "deny ... NOT IPv6,IPv6,..." is hard to emulate (with multiple skipto rules). --=20 // Black Lion AKA Lev Serebryakov