From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 23 08:35:58 2012
From: Sergey Yaroshevskiy
Date: Mon, 23 Apr 2012 12:35:37 +0400
To: freebsd-ipfw@freebsd.org
Subject: dummynet warnings

Hello

I've got some warnings from my freebsd 9 box:

...
Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65612 have 92 need 96
Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65612 have 60 need 96
Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65612 have 92 need 96
Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65614 have 92 need 96
Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65614 have 60 need 96
Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65615 have 92 need 96
...

This box is configured as bridge and its main function is piping users.
Googling sent me to source of netinet/ipfw/ip_dummynet.c (lines 800-802)
http://www.leidinger.net/FreeBSD/dox/netinet/html/dc/d3a/ip__dummynet_8c_source.html
but I did not understand how to fix this problem

About my system:

pipe# uname -a
FreeBSD pipe.xxxx.ru 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Tue Mar 13
11:50:00 MSK 2012 /usr/obj/usr/src/sys/GENERIC amd64

pipe# cat /etc/sysctl.conf
net.inet.ip.fw.one_pass=1
net.inet.tcp.tso=0

net.inet.udp.checksum=0

net.inet.ip.fastforwarding=1
net.inet.ip.redirect=0
net.inet.icmp.drop_redirect=1

net.inet.ip.fw.dyn_max=131072
net.inet.ip.fw.dyn_ack_lifetime=200
net.inet.ip.fw.dyn_buckets=131072
net.inet.ip.fw.dyn_syn_lifetime=10
net.inet.ip.fw.dyn_fin_lifetime=2
net.inet.ip.fw.dyn_short_lifetime=10

net.inet.ip.fw.verbose=0

net.link.ether.ipfw=1

net.link.bridge.ipfw=1
net.link.bridge.inherit_mac=1
net.link.bridge.pfil_onlyip=1
#net.link.bridge.pfil_member=1
#net.link.bridge.pfil_bridge=1
net.link.bridge.ipfw_arp=0

net.inet.ip.fw.enable=0

net.inet.ip.dummynet.io_fast=1

net.inet.ip.dummynet.hash_size=2048
net.inet.ip.dummynet.expire=1

pipe# cat /boot/loader.conf
autoboot_delay="2"

net.inet.ip.fw.default_to_accept=1

dummynet_load="YES"
ipfw_load="YES"
if_bridge_load="YES"
bridgestp_load="YES"

net.link.ether.ipfw=1
net.link.bridge.ipfw=1

From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 23 11:07:18 2012
Date: Mon, 23 Apr 2012 11:07:17 GMT
Message-Id: <201204231107.q3NB7Hpt047607@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/166406  ipfw       [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165190  ipfw       [ipfw] [lo] [patch] loopback interface is not marking
f kern/163873  ipfw       [ipfw] ipfw fwd does not work with 'via interface' in
o kern/158066  ipfw       [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157796  ipfw       [ipfw] IPFW in-kernel NAT nat loopback / Default Route
o kern/157689  ipfw       [ipfw] ipfw nat config does not accept nonexistent int
o kern/156770  ipfw       [ipfw] [dummynet] [patch]: performance improvement and
f kern/155927  ipfw       [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw       [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw       [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw       [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw       [ipfw] divert broken with in-kernel ipfw
o kern/148689  ipfw       [ipfw] antispoof wrongly triggers on link local IPv6 a
o kern/148430  ipfw       [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw       [ipfw] ipfw ipv6 handling broken.
o kern/143973  ipfw       [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw       [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
p kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw       [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

43 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 24 07:14:26 2012
Date: Tue, 24 Apr 2012 09:34:04 +0200
From: Luigi Rizzo
To: Sergey Yaroshevskiy
Cc: freebsd-ipfw@freebsd.org
Message-ID: <20120424073404.GB56111@onelab2.iet.unipi.it>
Subject: Re: dummynet warnings

On Mon, Apr 23, 2012 at 12:35:37PM +0400, Sergey Yaroshevskiy wrote:
> Hello
>
> I've got some warnings from my freebsd 9 box:
>
> ...
> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65612 have 92 need 96
> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65612 have 60 need 96
> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65612 have 92 need 96
> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65614 have 92 need 96
> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65614 have 60 need 96
> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65615 have 92 need 96
> ...
>
> This box is configured as bridge and its main function is piping users.
> Googling sent me to source of netinet/ipfw/ip_dummynet.c (lines 800-802)
> http://www.leidinger.net/FreeBSD/dox/netinet/html/dc/d3a/ip__dummynet_8c_source.html
> but I did not understand how to fix this problem

looks like a mismatch between kernel and userland.
Maybe you have a 32-bit sbin/ipfw and 64-bit kernel,

What are the pipe configurations that generate these warnings ?

cheers
luigi

> About my system:
>
> pipe# uname -a
> FreeBSD pipe.xxxx.ru 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Tue Mar 13
> 11:50:00 MSK 2012 /usr/obj/usr/src/sys/GENERIC amd64
>
> pipe# cat /etc/sysctl.conf
> net.inet.ip.fw.one_pass=1
> net.inet.tcp.tso=0
>
> net.inet.udp.checksum=0
>
> net.inet.ip.fastforwarding=1
> net.inet.ip.redirect=0
> net.inet.icmp.drop_redirect=1
>
> net.inet.ip.fw.dyn_max=131072
> net.inet.ip.fw.dyn_ack_lifetime=200
> net.inet.ip.fw.dyn_buckets=131072
> net.inet.ip.fw.dyn_syn_lifetime=10
> net.inet.ip.fw.dyn_fin_lifetime=2
> net.inet.ip.fw.dyn_short_lifetime=10
>
> net.inet.ip.fw.verbose=0
>
> net.link.ether.ipfw=1
>
> net.link.bridge.ipfw=1
> net.link.bridge.inherit_mac=1
> net.link.bridge.pfil_onlyip=1
> #net.link.bridge.pfil_member=1
> #net.link.bridge.pfil_bridge=1
> net.link.bridge.ipfw_arp=0
>
> net.inet.ip.fw.enable=0
>
> net.inet.ip.dummynet.io_fast=1
>
> net.inet.ip.dummynet.hash_size=2048
> net.inet.ip.dummynet.expire=1
>
> pipe# cat /boot/loader.conf
> autoboot_delay="2"
>
> net.inet.ip.fw.default_to_accept=1
>
> dummynet_load="YES"
> ipfw_load="YES"
> if_bridge_load="YES"
> bridgestp_load="YES"
>
> net.link.ether.ipfw=1
> net.link.bridge.ipfw=1

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 24 15:26:45 2012
Date: Wed, 25 Apr 2012 00:26:00 +0900 (JST)
Message-Id: <20120425.002600.1631867625819249738.hrs@allbsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Hiroki Sato
Subject: CFR: ipfw0 pseudo-interface clonable

Hi,

I created the attached patch to make the current ipfw0
pseudo-interface clonable. The functionality of ipfw0 logging
interface is not changed by this patch, but the ipfw0
pseudo-interface is not created by default and can be created with
the following command:

  # ifconfig ipfw0 create

Any objection to commit this patch? The primary motivation for this
change is that presence of the interface by default increases size of
the interface list, which is returned by NET_RT_IFLIST sysctl even
when the sysadmin does not need it.
Also this pseudo-interface can confuse the sysadmin and/or
network-related userland utilities like SNMP agent. With this patch,
one can use ifconfig(8) to create/destroy the pseudo-interface as necessary.

-- Hiroki

Content-Disposition: inline; filename="ipfw_clone_interface.20120421-1.diff"

Index: sys/netinet/ipfw/ip_fw_log.c =================================================================== --- sys/netinet/ipfw/ip_fw_log.c (revision 234428) +++ sys/netinet/ipfw/ip_fw_log.c (working copy) @@ -46,6 +46,7 @@ __FBSDID("$FreeBSD$"); #include #include /* for ETHERTYPE_IP */ #include +#include #include #include /* for IFT_ETHER */ #include /* for BPF */ @@ -89,8 +90,11 @@ ipfw_log_bpf(int onoff) { } #else /* !WITHOUT_BPF */ +static struct mtx log_if_mtx; static struct ifnet *log_if; /* hook to attach to bpf */ +#define IPFWNAME "ipfw" + /* we use this dummy function for all ifnet callbacks */ static int log_dummy(struct ifnet *ifp, u_long cmd, caddr_t addr) 
@@ -116,39 +120,106 @@ ipfw_log_start(struct ifnet* ifp) static const u_char ipfwbroadcastaddr[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; -void -ipfw_log_bpf(int onoff) +static int +ipfw_log_clone_match(struct if_clone *ifc, const char *name) { + + return (strncmp(name, IPFWNAME, sizeof(IPFWNAME) - 1) == 0); +} + +static int +ipfw_log_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params) +{ + int error; + int unit; struct ifnet *ifp; - if (onoff) { - if (log_if) - return; - ifp = if_alloc(IFT_ETHER); - if (ifp == NULL) - return; - if_initname(ifp, "ipfw", 0); - ifp->if_mtu = 65536; - ifp->if_flags = IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; - ifp->if_init = (void *)log_dummy; - ifp->if_ioctl = log_dummy; - ifp->if_start = ipfw_log_start; - ifp->if_output = ipfw_log_output; - ifp->if_addrlen = 6; - ifp->if_hdrlen = 14; - if_attach(ifp); - ifp->if_broadcastaddr = ipfwbroadcastaddr; - ifp->if_baudrate = IF_Mbps(10); - bpfattach(ifp, DLT_EN10MB, 14); + error = ifc_name2unit(name, &unit); + if (error) + return (error); + + error = ifc_alloc_unit(ifc, &unit); + if (error) + return (error); + + ifp = if_alloc(IFT_ETHER); + if (ifp == NULL) { + ifc_free_unit(ifc, unit); + return (ENOSPC); + } + ifp->if_dname = IPFWNAME; + ifp->if_dunit = unit; + snprintf(ifp->if_xname, IFNAMSIZ, "%s%d", IPFWNAME, unit); + strlcpy(name, ifp->if_xname, len); + ifp->if_mtu = 65536; + ifp->if_flags = IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; + ifp->if_init = (void *)log_dummy; + ifp->if_ioctl = log_dummy; + ifp->if_start = ipfw_log_start; + ifp->if_output = ipfw_log_output; + ifp->if_addrlen = 6; + ifp->if_hdrlen = 14; + ifp->if_broadcastaddr = ipfwbroadcastaddr; + ifp->if_baudrate = IF_Mbps(10); + + mtx_lock(&log_if_mtx); + if (log_if == NULL) { log_if = ifp; + mtx_unlock(&log_if_mtx); } else { - if (log_if) { - ether_ifdetach(log_if); - if_free(log_if); - } + mtx_unlock(&log_if_mtx); + if_free(ifp); + ifc_free_unit(ifc, unit); + return (EEXIST); + } + if_attach(ifp); + 
bpfattach(ifp, DLT_EN10MB, 14); + + return (0); +} + +static int +ipfw_log_clone_destroy(struct if_clone *ifc, struct ifnet *ifp) +{ + int unit; + + if (ifp == NULL) + return (0); + + mtx_lock(&log_if_mtx); + if (log_if != NULL && ifp == log_if) log_if = NULL; + else { + mtx_unlock(&log_if_mtx); + return (EINVAL); } + mtx_unlock(&log_if_mtx); + + unit = ifp->if_dunit; + bpfdetach(ifp); + if_detach(ifp); + if_free(ifp); + ifc_free_unit(ifc, unit); + + return (0); } + +static struct if_clone ipfw_log_cloner = IFC_CLONE_INITIALIZER( + IPFWNAME, NULL, IF_MAXUNIT, + NULL, ipfw_log_clone_match, ipfw_log_clone_create, ipfw_log_clone_destroy); + +void +ipfw_log_bpf(int onoff) +{ + + if (onoff) { + mtx_init(&log_if_mtx, "ipfw log_if mtx", NULL, 0); + if_clone_attach(&ipfw_log_cloner); + } else { + if_clone_detach(&ipfw_log_cloner); + mtx_destroy(&log_if_mtx); + } +} #endif /* !WITHOUT_BPF */ /*
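
Review bot: In the @@ -89,8 +90,11 @@ hunk, log_if_mtx is declared directly above log_if with no comment saying what it protects or who has to hold it. The later hunk takes it only inside the clone create and destroy handlers, so the declaration alone does not tell a reader whether code that dereferences log_if is expected to hold it as well. Suggest stating the rule at the declaration, for example `static struct mtx log_if_mtx; /* protects log_if; hold while using the pointer */`, and making the users of log_if follow it.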
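
Review bot: In ipfw_log_clone_destroy() (hunk @@ -116,39 +120,106 @@) the mutex is released right after `log_if = NULL;`, and bpfdetach(), if_detach() and if_free() then run unlocked, so clearing the pointer under log_if_mtx only helps if every user of log_if holds the same mutex for as long as it uses the pointer; in this patch mtx_lock() appears only in the create and destroy handlers. ipfw_log_clone_create() has the matching ordering problem: `log_if = ifp;` is published before if_attach(ifp) and bpfattach(ifp, DLT_EN10MB, 14) have run, so the pointer is visible while the interface is still unattached. Suggest assigning log_if only after bpfattach() returns, and having the users of log_if take log_if_mtx (or another mechanism that keeps the ifnet alive) before the destroy path frees it. Two smaller points in the same hunk: the old `if (log_if) return;` guard is gone, so if ipfw_log_bpf(1) can be called more than once it would re-run mtx_init() and if_clone_attach(); and the cloner is registered with IF_MAXUNIT although the EEXIST branch allows only one interface at a time, so a maximum unit of 0 would state that limit up front instead of allocating a unit and then failing.
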
From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 24 16:18:27 2012
Message-ID: <4F96D11B.2060007@FreeBSD.org>
Date: Tue, 24 Apr 2012 20:13:15 +0400
From: "Alexander V. Chernikov"
To: Hiroki Sato
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: CFR: ipfw0 pseudo-interface clonable

On 24.04.2012 19:26, Hiroki Sato wrote:
> Hi,
>
> I created the attached patch to make the current ipfw0
> pseudo-interface clonable. The functionality of ipfw0 logging
> interface is not changed by this patch, but the ipfw0
> pseudo-interface is not created by default and can be created with
> the following command:
>
> # ifconfig ipfw0 create
>
> Any objection to commit this patch? The primary motivation for this
> change is that presence of the interface by default increases size of
> the interface list, which is returned by NET_RT_IFLIST sysctl even
> when the sysadmin does not need it. Also this pseudo-interface can
> confuse the sysadmin and/or network-related userland utilities like
> SNMP agent. With this patch, one can use ifconfig(8) to
> create/destroy the pseudo-interface as necessary.

ipfw_log() log_if usage is not protected, so it is possible to trigger
use-after-free.

Maybe it is better to have some interface flag which makes
NET_RT_IFLIST skip given interface ?
>
> -- Hiroki

--
WBR, Alexander

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 24 17:08:31 2012
Date: Wed, 25 Apr 2012 02:05:18 +0900 (JST)
Message-Id: <20120425.020518.406495893112283552.hrs@allbsd.org>
To: melifaro@FreeBSD.org
From: Hiroki Sato
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: CFR: ipfw0 pseudo-interface clonable

"Alexander V. Chernikov" wrote
  in <4F96D11B.2060007@FreeBSD.org>:

me> On 24.04.2012 19:26, Hiroki Sato wrote:
me> > Hi,
me> >
me> > I created the attached patch to make the current ipfw0
me> > pseudo-interface clonable. The functionality of ipfw0 logging
me> > interface is not changed by this patch, but the ipfw0
me> > pseudo-interface is not created by default and can be created with
me> > the following command:
me> >
me> > # ifconfig ipfw0 create
me> >
me> > Any objection to commit this patch?
me> > The primary motivation for this
me> > change is that presence of the interface by default increases size of
me> > the interface list, which is returned by NET_RT_IFLIST sysctl even
me> > when the sysadmin does not need it. Also this pseudo-interface can
me> > confuse the sysadmin and/or network-related userland utilities like
me> > SNMP agent. With this patch, one can use ifconfig(8) to
me> > create/destroy the pseudo-interface as necessary.
me>
me> ipfw_log() log_if usage is not protected, so it is possible to trigger
me> use-after-free.

Ah, right. I will revise lock handling and resubmit the patch.

me> Maybe it is better to have some interface flag which makes
me> NET_RT_IFLIST skip given interface ?

I do not think so. NET_RT_IFLIST should be able to list all of the
interfaces because it is the purpose.

-- Hiroki

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 24 17:35:10 2012
Date: Tue, 24 Apr 2012 10:34:57 -0700
From: Michael Sierchio
To: Hiroki Sato
Cc: freebsd-ipfw@freebsd.org, melifaro@freebsd.org
Subject: Re: CFR: ipfw0 pseudo-interface clonable

On Tue, Apr 24, 2012 at 10:05 AM, Hiroki Sato wrote:

A man page for the ipfw pseudo-interface would be welcome.

- M

From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 24 17:52:08 2012
Message-ID: <4F96E71B.9020405@FreeBSD.org>
Date: Tue, 24 Apr 2012 21:47:07 +0400
From: "Alexander V. Chernikov"
To: Hiroki Sato
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: CFR: ipfw0 pseudo-interface clonable

On 24.04.2012 21:05, Hiroki Sato wrote:
> "Alexander V. Chernikov" wrote
> in <4F96D11B.2060007@FreeBSD.org>:
>
> me> On 24.04.2012 19:26, Hiroki Sato wrote:
> me> > Hi,
> me> >
> me> > I created the attached patch to make the current ipfw0
> me> > pseudo-interface clonable. The functionality of ipfw0 logging
> me> > interface is not changed by this patch, but the ipfw0
> me> > pseudo-interface is not created by default and can be created with
> me> > the following command:
> me> >
> me> > # ifconfig ipfw0 create
> me> >
> me> > Any objection to commit this patch? The primary motivation for this
> me> > change is that presence of the interface by default increases size of
> me> > the interface list, which is returned by NET_RT_IFLIST sysctl even
> me> > when the sysadmin does not need it. Also this pseudo-interface can
> me> > confuse the sysadmin and/or network-related userland utilities like
> me> > SNMP agent. With this patch, one can use ifconfig(8) to
> me> > create/destroy the pseudo-interface as necessary.
> me>
> me> ipfw_log() log_if usage is not protected, so it is possible to trigger
> me> use-after-free.
>
> Ah, right. I will revise lock handling and resubmit the patch.
>
> me> Maybe it is better to have some interface flag which makes
> me> NET_RT_IFLIST skip given interface ?
>
> I do not think so. NET_RT_IFLIST should be able to list all of the
> interfaces because it is the purpose.

Okay, another try (afair already discussed somewhere):
Do we really need all BPF providers to have ifnets?
It seems that removing all bp_bif dependencies from BPF code is not such a hard task.

>
> -- Hiroki

--
WBR, Alexander

From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 25 07:24:22 2012
From: Sergey Yaroshevskiy
Date: Wed, 25 Apr 2012 11:24:01 +0400
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
Subject: Re: dummynet warnings

Hi Luigi

Kernel and ipfw are both 64-bit:

pipe# file /sbin/ipfw
/sbin/ipfw: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 9.0 (900044), stripped
pipe# uname -a
FreeBSD pipe.xxx.ru 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Tue Mar 13 11:50:00 MSK 2012 xxx@xxxx:/usr/obj/usr/src/sys/GENERIC amd64
pipe#

pipes configured like this:

ipfw pipe 15 config bw 77000Kbit/s queue 100 mask src-ip 0xffffffff gred 0.002/80/240/0.1
ipfw pipe 65 config bw 110000Kbit/s queue 100 mask dst-ip 0xffffffff gred 0.002/80/240/0.1
ipfw pipe 26 config bw 23100Kbit/s queue 100 mask src-ip 0xffffffff gred 0.002/80/240/0.1
...
quantity - 22

System was installed clearly, from CD.

On 24 April 2012 at 11:34, Luigi Rizzo wrote:
> On Mon, Apr 23, 2012 at 12:35:37PM +0400, Sergey Yaroshevskiy wrote:
>> Hello
>>
>> I've got some warnings from my freebsd 9 box:
>>
>> ...
>> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65612 have 92 need 96
>> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65612 have 60 need 96
>> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65612 have 92 need 96
>> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65614 have 92 need 96
>> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65614 have 60 need 96
>> Apr 23 12:06:10 pipe kernel: copy_obj (WARN) type 4 inst 65615 have 92 need 96
>> ...
>>
>> This box is configured as bridge and its main function is piping users.
>> Googling sent me to source of netinet/ipfw/ip_dummynet.c (lines 800-802)
>> http://www.leidinger.net/FreeBSD/dox/netinet/html/dc/d3a/ip__dummynet_8c_source.html
>> but i did not understand how to fix this problem
>
> looks like a mismatch between kernel and userland.
> Maybe you have a 32-bit sbin/ipfw and 64-bit kernel,
>
> What are the pipe configurations that generate these warnings ?
>
> cheers
> luigi
>
>> About my system:
>>
>> pipe# uname -a
>> FreeBSD pipe.xxxx.ru 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Tue Mar 13
>> 11:50:00 MSK 2012 /usr/obj/usr/src/sys/GENERIC amd64
>>
>> pipe# cat /etc/sysctl.conf
>> net.inet.ip.fw.one_pass=1
>> net.inet.tcp.tso=0
>>
>> net.inet.udp.checksum=0
>>
>> net.inet.ip.fastforwarding=1
>> net.inet.ip.redirect=0
>> net.inet.icmp.drop_redirect=1
>>
>> net.inet.ip.fw.dyn_max=131072
>> net.inet.ip.fw.dyn_ack_lifetime=200
>> net.inet.ip.fw.dyn_buckets=131072
>> net.inet.ip.fw.dyn_syn_lifetime=10
>> net.inet.ip.fw.dyn_fin_lifetime=2
>> net.inet.ip.fw.dyn_short_lifetime=10
>>
>> net.inet.ip.fw.verbose=0
>>
>> net.link.ether.ipfw=1
>>
>> net.link.bridge.ipfw=1
>> net.link.bridge.inherit_mac=1
>> net.link.bridge.pfil_onlyip=1
>> #net.link.bridge.pfil_member=1
>> #net.link.bridge.pfil_bridge=1
>> net.link.bridge.ipfw_arp=0
>>
>> net.inet.ip.fw.enable=0
>>
>> net.inet.ip.dummynet.io_fast=1
>>
>> net.inet.ip.dummynet.hash_size=2048
>> net.inet.ip.dummynet.expire=1
>>
>> pipe# cat /boot/loader.conf
>> autoboot_delay="2"
>>
>> net.inet.ip.fw.default_to_accept=1
>>
>> dummynet_load="YES"
>> ipfw_load="YES"
>> if_bridge_load="YES"
>> bridgestp_load="YES"
>>
>> net.link.ether.ipfw=1
>> net.link.bridge.ipfw=1

From owner-freebsd-ipfw@FreeBSD.ORG Thu Apr 26 23:44:49 2012
Date: Fri, 27 Apr 2012 08:44:14 +0900 (JST)
Message-Id: <20120427.084414.1142593201575277510.hrs@allbsd.org>
To: melifaro@FreeBSD.org
From: Hiroki Sato
In-Reply-To: <4F96E71B.9020405@FreeBSD.org>
References: <4F96D11B.2060007@FreeBSD.org> <20120425.020518.406495893112283552.hrs@allbsd.org> <4F96E71B.9020405@FreeBSD.org>
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: CFR: ipfw0 pseudo-interface clonable

"Alexander V. Chernikov" wrote
in <4F96E71B.9020405@FreeBSD.org>:

me> On 24.04.2012 21:05, Hiroki Sato wrote:
me> > "Alexander V. Chernikov" wrote
me> > in<4F96D11B.2060007@FreeBSD.org>:
me> >
me> > me> On 24.04.2012 19:26, Hiroki Sato wrote:
me> > me> > Hi,
me> > me> >
me> > me> > I created the attached patch to make the current ipfw0
me> > me> > pseudo-interface clonable. The functionality of ipfw0 logging
me> > me> > interface is not changed by this patch, but the ipfw0
me> > me> > pseudo-interface is not created by default and can be created with
me> > me> > the following command:
me> > me> >
me> > me> > # ifconfig ipfw0 create
me> > me> >
me> > me> > Any objection to commit this patch? The primary motivation for this
me> > me> > change is that presence of the interface by default increases size of
me> > me> > the interface list, which is returned by NET_RT_IFLIST sysctl even
me> > me> > when the sysadmin does not need it. Also this pseudo-interface can
me> > me> > confuse the sysadmin and/or network-related userland utilities like
me> > me> > SNMP agent. With this patch, one can use ifconfig(8) to
me> > me> > create/destroy the pseudo-interface as necessary.
me> > me>
me> > me> ipfw_log() log_if usage is not protected, so it is possible to trigger
me> > me> use-after-free.
me> >
me> > Ah, right. I will revise lock handling and resubmit the patch.
me> >
me> > me> Maybe it is better to have some interface flag which makes
me> > me> NET_RT_IFLIST skip given interface ?
me> >
me> > I do not think so. NET_RT_IFLIST should be able to list all of the
me> > interfaces because it is the purpose.
me> Okay, another try (afair already discussed somewhere):
me> Do we really need all BPF providers to have ifnets?
me> It seems that removing all bp_bif depends from BPF code is not so hard
me> task.

Hmm, I cannot imagine how to decouple ifnet from the bpf code because
bpf heavily depends on it in its API (you probably know better than
me). Do you have any specific idea?

-- Hiroki

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 27 04:58:26 2012
From: Javier -
Date: Fri, 27 Apr 2012 04:57:20 +0000
Subject: Dummynet and bursting!

Hello all! I'm researching about bursting with dummynet's pipes. I can't find the way to make the burst parameter work under the pipe command:

pipe config ........ burst 500000 (500Kbytes) -> no luck
pipe config ........ burst 500000 queue 500Kbytes -> no luck

These parameters seem to be OK under pipe show, but have no effect in a real scenario... traffic is anyway at the same speed defined by "bw".

Any help/comment will be appreciated... especially from Luigi! Is he alive on the list?

Regards!

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 27 06:35:48 2012
Date: Fri, 27 Apr 2012 08:55:23 +0200
From: Luigi Rizzo
To: Javier -
Message-ID: <20120427065523.GA90180@onelab2.iet.unipi.it>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Dummynet and bursting!

On Fri, Apr 27, 2012 at 04:57:20AM +0000, Javier - wrote:
> Hello all! I'm researching about bursting with dummynet's pipes. I can't
> find the way to make the burst parameter work under the pipe command:
> pipe config ........ burst 500000 (500Kbytes) -> no luck
> pipe config ........ burst 500000 queue 500Kbytes -> no luck
> These parameters seem to be OK under pipe show, but have no effect in a
> real scenario... traffic is anyway at the same speed defined by "bw".
> Any help/comment will be appreciated... especially from Luigi! Is he
> alive on the list? Regards!

can you clarify what you are expecting and what you are seeing ?

cheers
luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 27 10:51:24 2012
From: Javier -
Date: Fri, 27 Apr 2012 10:50:17 +0000
In-Reply-To: <20120427065523.GA90180@onelab2.iet.unipi.it>
References: <20120427065523.GA90180@onelab2.iet.unipi.it>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Dummynet and bursting!

I want to leave at cable speed n bytes, after n bytes apply the queue bw limit...

In Linux with htb this is done with cburst parameter...

Regards!

> Date: Fri, 27 Apr 2012 08:55:23 +0200
> From: rizzo@iet.unipi.it
> To: javier_9185@hotmail.com
> CC: freebsd-ipfw@freebsd.org
> Subject: Re: Dummynet and bursting!
>
> On Fri, Apr 27, 2012 at 04:57:20AM +0000, Javier - wrote:
> > Hello all! I'm researching about bursting with dummynet's pipes. I can't
> > find the way to make the burst parameter work under the pipe command:
> > pipe config ........ burst 500000 (500Kbytes) -> no luck
> > pipe config ........ burst 500000 queue 500Kbytes -> no luck
> > These parameters seem to be OK under pipe show, but have no effect in a
> > real scenario... traffic is anyway at the same speed defined by "bw".
> > Any help/comment will be appreciated... especially from Luigi! Is he
> > alive on the list? Regards!
>
> can you clarify what you are expecting and what you are seeing ?
>
> cheers
> luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 27 11:29:59 2012
Date: Fri, 27 Apr 2012 13:49:41 +0200
From: Luigi Rizzo
To: Javier -
Message-ID: <20120427114941.GB9088@onelab2.iet.unipi.it>
References: <20120427065523.GA90180@onelab2.iet.unipi.it>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Dummynet and bursting!

On Fri, Apr 27, 2012 at 10:50:17AM +0000, Javier - wrote:
>
> I want to leave at cable speed n bytes, after n bytes apply the queue bw limit...

and what are you seeing instead ? Do you have a trace or
something that shows that it does not work like this ?

cheers
luigi

> In Linux with htb this is done with cburst parameter...
>
> Regards!
>
> > Date: Fri, 27 Apr 2012 08:55:23 +0200
> > From: rizzo@iet.unipi.it
> > To: javier_9185@hotmail.com
> > CC: freebsd-ipfw@freebsd.org
> > Subject: Re: Dummynet and bursting!
> >
> > On Fri, Apr 27, 2012 at 04:57:20AM +0000, Javier - wrote:
> > > Hello all! I'm researching about bursting with dummynet's pipes. I can't
> > > find the way to make the burst parameter work under the pipe command:
> > > pipe config ........ burst 500000 (500Kbytes) -> no luck
> > > pipe config ........ burst 500000 queue 500Kbytes -> no luck
> > > These parameters seem to be OK under pipe show, but have no effect in a
> > > real scenario... traffic is anyway at the same speed defined by "bw".
> > > Any help/comment will be appreciated... especially from Luigi! Is he
> > > alive on the list? Regards!
> >
> > can you clarify what you are expecting and what you are seeing ?
> >
> > cheers
> > luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 27 12:23:22 2012
From: Javier -
Date: Fri, 27 Apr 2012 12:22:15 +0000
References: <20120427065523.GA90180@onelab2.iet.unipi.it>, <20120427114941.GB9088@onelab2.iet.unipi.it>
Subject: FW: Dummynet and bursting!

This is the literal command executed:

/sbin/ipfw pipe {$bw_up_pipeno} config bw {$bw_up}Kbit/s burst 500000 queue 500Kbytes

The output from ipfw pipe show:

20010: 1.049 Mbit/s 0 ms burst 500000
q151082 500 KB 0 flows (1 buckets) sched 85546 weight 0 lmax 0 pri 0 droptail
 sched 85546 type FIFO flags 0x0 0 buckets 1 active
  0 ip 0.0.0.0/0 0.0.0.0/0 45 2832 0 0 0

When downloading a file the speed is the same (browser shows 125kbytes/s, ok for 1mbit) at the start and after 500kbytes transferred...

I'm using Pfsense 2.0, 8.1-RELEASE-p6, captive portal creates the commands for ipfw, and i want to modify them in order to support bursting...

Thanks!

> > ----------------------------------------
> > Date: Fri, 27 Apr 2012 13:49:41 +0200
> > From: rizzo@iet.unipi.it
> > To: javier_9185@hotmail.com
> > CC: freebsd-ipfw@freebsd.org
> > Subject: Re: Dummynet and bursting!
> >
> > On Fri, Apr 27, 2012 at 10:50:17AM +0000, Javier - wrote:
> > >
> > > I want to leave at cable speed n bytes, after n bytes apply the queue bw limit...
> >
> > and what are you seeing instead ? Do you have a trace or
> > something that shows that it does not work like this ?
> >
> > cheers
> > luigi
> >
> > > In Linux with htb this is done with cburst parameter...
> > >
> > > Regards!
> > >
> > > > Date: Fri, 27 Apr 2012 08:55:23 +0200
> > > > From: rizzo@iet.unipi.it
> > > > To: javier_9185@hotmail.com
> > > > CC: freebsd-ipfw@freebsd.org
> > > > Subject: Re: Dummynet and bursting!
> > > >
> > > > On Fri, Apr 27, 2012 at 04:57:20AM +0000, Javier - wrote:
> > > > > Hello all! I'm researching about bursting with dummynet's pipes. I can't
> > > > > find the way to make the burst parameter work under the pipe command:
> > > > > pipe config ........ burst 500000 (500Kbytes) -> no luck
> > > > > pipe config ........ burst 500000 queue 500Kbytes -> no luck
> > > > > These parameters seem to be OK under pipe show, but have no effect in a
> > > > > real scenario... traffic is anyway at the same speed defined by "bw".
> > > > > Any help/comment will be appreciated... especially from Luigi! Is he
> > > > > alive on the list? Regards!
> > > >
> > > > can you clarify what you are expecting and what you are seeing ?
> > > >
> > > > cheers
> > > > luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 27 12:41:13 2012
From: Javier -
Date: Fri, 27 Apr 2012 12:40:05 +0000
In-Reply-To: <20120427114941.GB9088@onelab2.iet.unipi.it>
References: <20120427065523.GA90180@onelab2.iet.unipi.it>, <20120427114941.GB9088@onelab2.iet.unipi.it>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Dummynet and bursting!

OK, but with increased burst to 5mbytes i have same results.

will try fresh install from freebsd (no pfsense), and the results will be posted later.

Thanks!

---------------------------------------------------------------

Transfer estimates are completely unreliable in general,
you need time for tcp to open the window, plus the RTT
of the connection influences the throughput, etc.

You can perhaps make some reasonable test by setting a low
bandwidth. Burst seems to work fine here (on stable/9), see below

--- no pipes, no nothing ---
> ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.079 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.064 ms
^C

--- one 10Kbit/s pipe, no burst ---
> sudo ipfw add 100 pipe 1 proto icmp out
00100 pipe 1 ip from any to any proto icmp out
> sudo ipfw pipe 1 config bw 10Kbit/s burst 0
> sudo ipfw pipe show
00001: 10.000 Kbit/s 0 ms burst 0
q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 0 active
> ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=134.602 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=135.011 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=135.019 ms
^C

--- now increase the burst to 100Kbytes ---
> sudo ipfw pipe 1 config bw 10Kbit/s burst 100K
> sudo ipfw pipe show
00001: 10.000 Kbit/s 0 ms burst 102400
q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
 sched 65537 type FIFO flags 0x0 0 buckets 0 active
> ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.070 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.083 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.066 ms
^C

cheers
luigi

----------------------------------------
> Date: Fri, 27 Apr 2012 13:49:41 +0200
> From: rizzo@iet.unipi.it
> To: javier_9185@hotmail.com
> CC: freebsd-ipfw@freebsd.org
> Subject: Re: Dummynet and bursting!
>
> On Fri, Apr 27, 2012 at 10:50:17AM +0000, Javier - wrote:
> >
> > I want to leave at cable speed n bytes, after n bytes apply the queue bw limit...
>
> and what are you seeing instead ? Do you have a trace or
> something that shows that it does not work like this ?
>
> cheers
> luigi
>
> > In Linux with htb this is done with cburst parameter...
> >
> > Regards!
> >
> > > Date: Fri, 27 Apr 2012 08:55:23 +0200
> > > From: rizzo@iet.unipi.it
> > > To: javier_9185@hotmail.com
> > > CC: freebsd-ipfw@freebsd.org
> > > Subject: Re: Dummynet and bursting!
> > >
> > > On Fri, Apr 27, 2012 at 04:57:20AM +0000, Javier - wrote:
> > > > Hello all! I'm researching about bursting with dummynet's pipes. I can't
> > > > find the way to make the burst parameter work under the pipe command:
> > > > pipe config ........ burst 500000 (500Kbytes) -> no luck
> > > > pipe config ........ burst 500000 queue 500Kbytes -> no luck
> > > > These parameters seem to be OK under pipe show, but have no effect in a
> > > > real scenario... traffic is anyway at the same speed defined by "bw".
> > > > Any help/comment will be appreciated... especially from Luigi! Is he
> > > > alive on the list? Regards!
> > >
> > > can you clarify what you are expecting and what you are seeing ?
> > >
> > > cheers
> > > luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 27 12:42:18 2012
Date: Fri, 27 Apr 2012 15:02:00 +0200
From: Luigi Rizzo
To: Javier -
Message-ID: <20120427130200.GA17737@onelab2.iet.unipi.it>
References: <20120427065523.GA90180@onelab2.iet.unipi.it>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Dummynet and bursting!

On Fri, Apr 27, 2012 at 12:40:05PM +0000, Javier - wrote:
>
> OK, but with increased burst to 5mbytes i have same results.
>

the issue is the bandwidth, not the burst.
it is possible that the system has a bottleneck
similar to the 125k you are configuring.
Besides, the tcp window or socket buffer might be
small (say 64Kbytes) so you won't be able to
use the burst anyways.

luigi

> will try fresh install from freebsd (no pfsense), and the results will be posted later.
>
> Thanks!
>
> ---------------------------------------------------------------
>
> Transfer estimates are completely unreliable in general,
> you need time for tcp to open the window, plus the RTT
> of the connection influences the throughput, etc.
>
> You can perhaps make some reasonable test by setting a low
> bandwidth. Burst seems to work fine here (on stable/9), see below
>
> --- no pipes, no nothing ---
> > ping localhost
> PING localhost (127.0.0.1): 56 data bytes
> 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.079 ms
> 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.064 ms
> ^C
>
> --- one 10Kbit/s pipe, no burst ---
> > sudo ipfw add 100 pipe 1 proto icmp out
> 00100 pipe 1 ip from any to any proto icmp out
> > sudo ipfw pipe 1 config bw 10Kbit/s burst 0
> > sudo ipfw pipe show
> 00001: 10.000 Kbit/s 0 ms burst 0
> q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
>  sched 65537 type FIFO flags 0x0 0 buckets 0 active
> > ping localhost
> PING localhost (127.0.0.1): 56 data bytes
> 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=134.602 ms
> 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=135.011 ms
> 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=135.019 ms
> ^C
>
> --- now increase the burst to 100Kbytes ---
> > sudo ipfw pipe 1 config bw 10Kbit/s burst 100K
> > sudo ipfw pipe show
> 00001: 10.000 Kbit/s 0 ms burst 102400
> q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
>  sched 65537 type FIFO flags 0x0 0 buckets 0 active
> > ping localhost
> PING localhost (127.0.0.1): 56 data bytes
> 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.070 ms
> 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.083 ms
> 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.066 ms
> ^C
>
> cheers
> luigi
> ----------------------------------------
> > Date: Fri, 27 Apr 2012 13:49:41 +0200
> > From: rizzo@iet.unipi.it
> > To: javier_9185@hotmail.com
> > CC: freebsd-ipfw@freebsd.org
> > Subject: Re: Dummynet and bursting!
> >
> > On Fri, Apr 27, 2012 at 10:50:17AM +0000, Javier - wrote:
> > >
> > > I want to leave at cable speed n bytes, after n bytes apply the queue bw limit...
> >
> > and what are you seeing instead ? Do you have a trace or
> > something that shows that it does not work like this ?
> >
> > cheers
> > luigi
> >
> > > In Linux with htb this is done with cburst parameter...
> > >
> > > Regards!
> > >
> > > > Date: Fri, 27 Apr 2012 08:55:23 +0200
> > > > From: rizzo@iet.unipi.it
> > > > To: javier_9185@hotmail.com
> > > > CC: freebsd-ipfw@freebsd.org
> > > > Subject: Re: Dummynet and bursting!
> > > >
> > > > On Fri, Apr 27, 2012 at 04:57:20AM +0000, Javier - wrote:
> > > > > Hello all! I'm researching about bursting with dummynet's pipes. I can't
> > > > > find the way to make the burst parameter work under the pipe command:
> > > > > pipe config ........ burst 500000 (500Kbytes) -> no luck
> > > > > pipe config ........ burst 500000 queue 500Kbytes -> no luck
> > > > > These parameters seem to be OK under pipe show, but have no effect in a
> > > > > real scenario... traffic is anyway at the same speed defined by "bw".
> > > > > Any help/comment will be appreciated... especially from Luigi! Is he
> > > > > alive on the list? Regards!
> > > >
> > > > can you clarify what you are expecting and what you are seeing ?
> > > >
> > > > cheers
> > > > luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 27 13:22:11 2012
From: Javier -
Date: Fri, 27 Apr 2012 13:21:04 +0000
In-Reply-To: <20120427130200.GA17737@onelab2.iet.unipi.it>
References: <20120427065523.GA90180@onelab2.iet.unipi.it> , <20120427130200.GA17737@onelab2.iet.unipi.it>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Dummynet and bursting!

I will make more testing and comment.
what's the max value for burst? i did not find this in docs...

----------------------------------------
> Date: Fri, 27 Apr 2012 15:02:00 +0200
> From: rizzo@iet.unipi.it
> To: javier_9185@hotmail.com
> CC: freebsd-ipfw@freebsd.org
> Subject: Re: Dummynet and bursting!
>
> On Fri, Apr 27, 2012 at 12:40:05PM +0000, Javier - wrote:
> >
> > OK, but with increased burst to 5mbytes i have same results.
> >
>
> the issue is the bandwidth, not the burst.
> it is possible that the system has a bottleneck
> similar to the 125k you are configuring.
> Besides, the tcp window or socket buffer might be
> small (say 64Kbytes) so you won't be able to
> use the burst anyways.
>
> luigi
>
> > will try fresh install from freebsd (no pfsense), and the results will be posted later.
> >
> > Thanks!
> >
> > ---------------------------------------------------------------
> >
> > Transfer estimates are completely unreliable in general,
> > you need time for tcp to open the window, plus the RTT
> > of the connection influences the throughput, etc.
> >
> > You can perhaps make some reasonable test by setting a low
> > bandwidth. Burst seems to work fine here (on stable/9), see below
> >
> > --- no pipes, no nothing ---
> > > ping localhost
> > PING localhost (127.0.0.1): 56 data bytes
> > 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.079 ms
> > 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.064 ms
> > ^C
> >
> > --- one 10Kbit/s pipe, no burst ---
> > > sudo ipfw add 100 pipe 1 proto icmp out
> > 00100 pipe 1 ip from any to any proto icmp out
> > > sudo ipfw pipe 1 config bw 10Kbit/s burst 0
> > > sudo ipfw pipe show
> > 00001: 10.000 Kbit/s 0 ms burst 0
> > q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
> > sched 65537 type FIFO flags 0x0 0 buckets 0 active
> > > ping localhost
> > PING localhost (127.0.0.1): 56 data bytes
> > 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=134.602 ms
> > 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=135.011 ms
> > 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=135.019 ms
> > ^C
> >
> > --- now increase the burst to 100Kbytes ---
> > > sudo ipfw pipe 1 config bw 10Kbit/s burst 100K
> > > sudo ipfw pipe show
> > 00001: 10.000 Kbit/s 0 ms burst 102400
> > q131073 50 sl. 0 flows (1 buckets) sched 65537 weight 0 lmax 0 pri 0 droptail
> > sched 65537 type FIFO flags 0x0 0 buckets 0 active
> > > ping localhost
> > PING localhost (127.0.0.1): 56 data bytes
> > 64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.070 ms
> > 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.083 ms
> > 64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.066 ms
> > ^C
> >
> > cheers
> > luigi
> > ----------------------------------------
> > > Date: Fri, 27 Apr 2012 13:49:41 +0200
> > > From: rizzo@iet.unipi.it
> > > To: javier_9185@hotmail.com
> > > CC: freebsd-ipfw@freebsd.org
> > > Subject: Re: Dummynet and bursting!
> > >
> > > On Fri, Apr 27, 2012 at 10:50:17AM +0000, Javier - wrote:
> > > >
> > > > I want to leave at cable speed n bytes, after n bytes apply the queue bw limit...
> > >
> > > and what are you seeing instead ? Do you have a trace or
> > > something that shows that it does not work like this ?
> > >
> > > cheers
> > > luigi
> > >
> > > > In Linux with htb this is done with cburst parameter...
> > > >
> > > > Regards!
> > > >
> > > > > Date: Fri, 27 Apr 2012 08:55:23 +0200
> > > > > From: rizzo@iet.unipi.it
> > > > > To: javier_9185@hotmail.com
> > > > > CC: freebsd-ipfw@freebsd.org
> > > > > Subject: Re: Dummynet and bursting!
> > > > >
> > > > > On Fri, Apr 27, 2012 at 04:57:20AM +0000, Javier - wrote:
> > > > > >
> > > > > > Hello all!, i'm researching about bursting with dummynet's pipes. i can't find the way in order to make the burst parameter work under pipe command;pipe config ........ burst 500000 (500Kbytes)->not luck pipe config ........ burst 500000 queue 500Kbytes ->not luck These parameters seem to be ok under pipe show, but no effect on real scenario... traffic is anyway at same speed defined by "bw". Any help/comment will be appreciated...specially from Luigi! Is he alive on the list? Regards!
> > > > > > _______________________________________________
> > > > >
> > > > > can you clarify what you are expecting and what you are seeing ?
> > > > >
> > > > > cheers
> > > > > luigi

From owner-freebsd-ipfw@FreeBSD.ORG Fri Apr 27 13:26:44 2012
Date: Fri, 27 Apr 2012 15:46:27 +0200
From: Luigi Rizzo
To: Javier -
Message-ID: <20120427134627.GB20504@onelab2.iet.unipi.it>
References: <20120427065523.GA90180@onelab2.iet.unipi.it>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Dummynet and bursting!

On Fri, Apr 27, 2012 at 01:21:04PM +0000, Javier - wrote:
>
> I will make more testing and comment.
> what's the max value for burst? i did not find this in docs...

you can specify more than 2^40 bytes. Not that it makes any sense...

From owner-freebsd-ipfw@FreeBSD.ORG Sat Apr 28 14:22:33 2012
Date: Sat, 28 Apr 2012 23:18:00 +0900 (JST)
Message-Id: <20120428.231800.306465812317617923.hrs@allbsd.org>
To: melifaro@FreeBSD.org, kudzu@tenebras.com
From: Hiroki Sato
In-Reply-To: <20120425.020518.406495893112283552.hrs@allbsd.org>
References: <20120425.002600.1631867625819249738.hrs@allbsd.org> <4F96D11B.2060007@FreeBSD.org> <20120425.020518.406495893112283552.hrs@allbsd.org>
Cc: freebsd-ipfw@FreeBSD.org
Subject: Re: CFR: ipfw0 pseudo-interface clonable

Hiroki Sato wrote in <20120425.020518.406495893112283552.hrs@allbsd.org>:

hr> "Alexander V. Chernikov" wrote
hr> in <4F96D11B.2060007@FreeBSD.org>:
hr>
hr> me> On 24.04.2012 19:26, Hiroki Sato wrote:
hr> me> > Hi,
hr> me> >
hr> me> > I created the attached patch to make the current ipfw0
hr> me> > pseudo-interface clonable. The functionality of ipfw0 logging
hr> me> > interface is not changed by this patch, but the ipfw0
hr> me> > pseudo-interface is not created by default and can be created with
hr> me> > the following command:
hr> me> ipfw_log() log_if usage is not protected, so it is possible to trigger
hr> me> use-after-free.
hr>
hr> Ah, right. I will revise lock handling and resubmit the patch.

Michael Sierchio wrote in :

ku> A man page for the ipfw pseudo-interface would be welcome.

A revised patch is attached. The lock around log_if should be fixed
and ipfw(8) manual page is updated. Also, an rc.conf(5) variable
$firewall_logif is added to create ipfw0 interface at boot time (NO
by default).

Any comments are welcome. Thank you.

-- Hiroki

Content-Type: Text/X-Patch; charset=us-ascii
Content-Disposition: inline; filename="ipfw_clone_interface.20120429-1.diff"

Index: sys/netinet/ipfw/ip_fw_log.c =================================================================== --- sys/netinet/ipfw/ip_fw_log.c (revision 234428) +++ sys/netinet/ipfw/ip_fw_log.c (working copy) @@ -44,8 +44,11 @@ #include #include #include +#include +#include #include /* for ETHERTYPE_IP */ #include +#include #include #include /* for IFT_ETHER */ #include /* for BPF */ 
@@ -90,7 +93,16 @@ } #else /* !WITHOUT_BPF */ static struct ifnet *log_if; /* hook to attach to bpf */ +static struct rwlock log_if_lock; +#define LOGIF_LOCK_INIT(x) rw_init(&log_if_lock, "ipfw log_if lock") +#define LOGIF_LOCK_DESTROY(x) rw_destroy(&log_if_lock) +#define LOGIF_RLOCK(x) rw_rlock(&log_if_lock) +#define LOGIF_RUNLOCK(x) rw_runlock(&log_if_lock) +#define LOGIF_WLOCK(x) rw_wlock(&log_if_lock) +#define LOGIF_WUNLOCK(x) rw_wunlock(&log_if_lock) +#define IPFWNAME "ipfw" + /* we use this dummy function for all ifnet callbacks */ static int log_dummy(struct ifnet *ifp, u_long cmd, caddr_t addr) 
@@ -116,37 +128,104 @@ static const u_char ipfwbroadcastaddr[6] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; +static int +ipfw_log_clone_match(struct if_clone *ifc, const char *name) +{ + + return (strncmp(name, IPFWNAME, sizeof(IPFWNAME) - 1) == 0); +} + +static int +ipfw_log_clone_create(struct if_clone *ifc, char *name, size_t len, caddr_t params) +{ + int error; + int unit; + struct ifnet *ifp; + + error = ifc_name2unit(name, &unit); + if (error) + return (error); + + error = ifc_alloc_unit(ifc, &unit); + if (error) + return (error); + + ifp = if_alloc(IFT_ETHER); + if (ifp == NULL) { + ifc_free_unit(ifc, unit); + return (ENOSPC); + } + ifp->if_dname = IPFWNAME; + ifp->if_dunit = unit; + snprintf(ifp->if_xname, IFNAMSIZ, "%s%d", IPFWNAME, unit); + strlcpy(name, ifp->if_xname, len); + ifp->if_mtu = 65536; + ifp->if_flags = IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; + ifp->if_init = (void *)log_dummy; + ifp->if_ioctl = log_dummy; + ifp->if_start = ipfw_log_start; + ifp->if_output = ipfw_log_output; + ifp->if_addrlen = 6; + ifp->if_hdrlen = 14; + ifp->if_broadcastaddr = ipfwbroadcastaddr; + ifp->if_baudrate = IF_Mbps(10); + + LOGIF_WLOCK(); + if (log_if == NULL) + log_if = ifp; + else { + LOGIF_WUNLOCK(); + if_free(ifp); + ifc_free_unit(ifc, unit); + return (EEXIST); + } + LOGIF_WUNLOCK(); + if_attach(ifp); + bpfattach(ifp, DLT_EN10MB, 14); + + return (0); +} + +static int +ipfw_log_clone_destroy(struct if_clone *ifc, struct ifnet *ifp) +{ + int unit; + + if (ifp == NULL) + return (0); + + LOGIF_WLOCK(); + if (log_if != NULL && ifp == log_if) + log_if = NULL; + else { + LOGIF_WUNLOCK(); + return (EINVAL); + } + LOGIF_WUNLOCK(); + + unit = ifp->if_dunit; + bpfdetach(ifp); + if_detach(ifp); + if_free(ifp); + ifc_free_unit(ifc, unit); + + return (0); +} + +static struct if_clone ipfw_log_cloner = IFC_CLONE_INITIALIZER( + IPFWNAME, NULL, IF_MAXUNIT, + NULL, ipfw_log_clone_match, ipfw_log_clone_create, ipfw_log_clone_destroy); + void ipfw_log_bpf(int onoff) { - struct ifnet 
*ifp; if (onoff) { - if (log_if) - return; - ifp = if_alloc(IFT_ETHER); - if (ifp == NULL) - return; - if_initname(ifp, "ipfw", 0); - ifp->if_mtu = 65536; - ifp->if_flags = IFF_UP | IFF_SIMPLEX | IFF_MULTICAST; - ifp->if_init = (void *)log_dummy; - ifp->if_ioctl = log_dummy; - ifp->if_start = ipfw_log_start; - ifp->if_output = ipfw_log_output; - ifp->if_addrlen = 6; - ifp->if_hdrlen = 14; - if_attach(ifp); - ifp->if_broadcastaddr = ipfwbroadcastaddr; - ifp->if_baudrate = IF_Mbps(10); - bpfattach(ifp, DLT_EN10MB, 14); - log_if = ifp; + LOGIF_LOCK_INIT(); + if_clone_attach(&ipfw_log_cloner); } else { - if (log_if) { - ether_ifdetach(log_if); - if_free(log_if); - } - log_if = NULL; + if_clone_detach(&ipfw_log_cloner); + LOGIF_LOCK_DESTROY(); } } #endif /* !WITHOUT_BPF */ @@ -166,9 +245,11 @@ if (V_fw_verbose == 0) { #ifndef WITHOUT_BPF - - if (log_if == NULL || log_if->if_bpf == NULL) + LOGIF_RLOCK(); + if (log_if == NULL || log_if->if_bpf == NULL) { + LOGIF_RUNLOCK(); return; + } if (args->eh) /* layer2, use orig hdr */ BPF_MTAP2(log_if, args->eh, ETHER_HDR_LEN, m); @@ -177,6 +258,7 @@ * more info in the header. */ BPF_MTAP2(log_if, "DDDDDDSSSSSS\x08\x00", ETHER_HDR_LEN, m); + LOGIF_RUNLOCK(); #endif /* !WITHOUT_BPF */ return; } Index: sbin/ipfw/ipfw.8 =================================================================== --- sbin/ipfw/ipfw.8 (revision 234428) +++ sbin/ipfw/ipfw.8 (working copy) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 9, 2012 +.Dd April 28, 2012 .Dt IPFW 8 .Os .Sh NAME 
@@ -560,7 +560,22 @@ .Xr bpf 4 attached to the .Li ipfw0 -pseudo interface. There is no overhead if no +pseudo interface. +This pseudo interface can be created after a boot +manually by using the following command: +.Bd -literal -offset indent +# ifconfig ipfw0 create +.Ed +.Pp +Or, automatically at boot time by adding the following +line to the +.Xr rc.conf 5 +file: +.Bd -literal -offset indent +firewall_logif="YES" +.Ed +.Pp +There is no overhead if no .Xr bpf 4 is attached to the pseudo interface. .Pp Index: etc/rc.d/ipfw =================================================================== --- etc/rc.d/ipfw (revision 234412) +++ etc/rc.d/ipfw (working copy) @@ -57,6 +57,10 @@ echo 'Firewall logging enabled.' sysctl net.inet.ip.fw.verbose=1 >/dev/null fi + if checkyesno firewall_logif; then + echo 'Firewall logging pseudo-interface (ipfw0) created.' + ifconfig ipfw0 create + fi } ipfw_poststart() Index: etc/defaults/rc.conf =================================================================== --- etc/defaults/rc.conf (revision 234428) +++ etc/defaults/rc.conf (working copy) @@ -123,6 +123,7 @@ firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall) firewall_quiet="NO" # Set to YES to suppress rule display firewall_logging="NO" # Set to YES to enable events logging +firewall_logif="NO" # Set to YES to create logging-pseudo interface firewall_flags="" # Flags passed to ipfw when type is a file firewall_coscripts="" # List of executables/scripts to run after # firewall starts/stops ----Next_Part(Sat_Apr_28_23_18_00_2012_764)---- ----Security_Multipart0(Sat_Apr_28_23_18_00_2012_214)-- Content-Type: application/pgp-signature Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (FreeBSD) iEYEABECAAYFAk+b/BgACgkQTyzT2CeTzy2fdwCghazmRs6QeMA0631ZY3CGyTNC oDwAoIlL9GEFhmLy7Bw7epRAU9swB+EY =MiFt -----END PGP SIGNATURE----- ----Security_Multipart0(Sat_Apr_28_23_18_00_2012_214)----
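Review bot: in ipfw_log_clone_create() (sys/netinet/ipfw/ip_fw_log.c, hunk @@ -116,37 +128,104 @@) log_if is stored under LOGIF_WLOCK before if_attach() and bpfattach() have run, whereas the removed ipfw_log_bpf() body assigned log_if = ifp as its last step. From that store onward ipfw_log() can take the read lock and look at an ifnet that is not attached yet, and only its log_if->if_bpf == NULL test keeps it away from BPF_MTAP2. Either publish the pointer after bpfattach() returns (keeping a separate "slot taken" check for the EEXIST case) or add a comment stating that the if_bpf test is what makes the early store safe. The same function accepts any unit up to IF_MAXUNIT, so the first interface created becomes the logging interface whatever its number, while ipfw.8 and etc/rc.d/ipfw only mention ipfw0; rejecting units other than 0 would match the documentation.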
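Review bot: ipfw_log() now acquires LOGIF_RLOCK for every logged packet on the V_fw_verbose == 0 path (hunks @@ -166,9 +245,11 @@ and @@ -177,6 +258,7 @@), including when no ipfw interface has been created, so the per-packet cost is no longer zero in the case the manual page describes as having no overhead. The lock closes the use-after-free raised in the earlier review because the read lock is held across both BPF_MTAP2 calls, but it is initialised only in ipfw_log_bpf(1) and destroyed in ipfw_log_bpf(0); please confirm that ipfw_log() cannot run before the first call or after the second, and consider a read-mostly lock such as rmlock(9) for this path.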
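Review bot: the new ipfw.8 text (hunk @@ -560,7 +560,22 @@) explains how to create ipfw0 but never says that the interface is no longer present by default, which is the behaviour change that existing users who capture on ipfw0 will hit first. State that explicitly, mention that only one logging interface can exist at a time (a second create returns EEXIST in ipfw_log_clone_create()), and show the matching "ifconfig ipfw0 destroy". "can be created after a boot manually" would read better as "can be created manually after boot".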
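Review bot: in etc/rc.d/ipfw (hunk @@ -57,6 +57,10 @@) the message "Firewall logging pseudo-interface (ipfw0) created." is echoed before "ifconfig ipfw0 create" runs and without looking at its exit status, so it is printed even when creation fails, for example on a restart where ipfw0 already exists and the cloner returns EEXIST. Run ifconfig first and echo only on success. No corresponding destroy is visible in this patch for the stop path, so the interface outlives "service ipfw stop"; say whether that is intended.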
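Review bot: firewall_logif is added to etc/defaults/rc.conf (hunk @@ -123,6 +123,7 @@) but the patch touches only four files and none of them is the rc.conf(5) manual page, although the cover message presents it as an rc.conf(5) variable. Add the manual page entry in the same change. The inline comment "create logging-pseudo interface" would be clearer as "create logging pseudo-interface (ipfw0)".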
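Luigi's ping test from the "Dummynet and bursting!" thread earlier on this page, modeled as an added example (not code from the thread or from dummynet). It assumes a simple token bucket whose burst credit refills only while the pipe is idle, that the echo request and the echo reply each cross pipe 1 once, and an 84-byte IP packet for ping's 56 data bytes; the 1 Mbit/s transfer figures are constructed.

```python
"""Toy token-bucket model of a dummynet pipe configured with bw and burst.

Added illustration only: this is not dummynet's scheduler code.
Assumption: burst credit is capped at the configured size and refills at
the pipe rate only while the pipe is idle.
"""

ECHO_IP_LEN = 84  # ping's 56 data bytes + 8 (ICMP header) + 20 (IPv4 header)


class Pipe:
    def __init__(self, bw_bps, burst_bytes):
        self.bw = bw_bps
        self.burst = burst_bytes
        self.credit = float(burst_bytes)  # pipe assumed idle before t=0
        self.busy_until = 0.0             # when the shaped backlog drains
        self.last_seen = 0.0              # arrival time of previous packet

    def send(self, t, length):
        """Return the delay in seconds added to a packet arriving at time t."""
        idle = t >= self.busy_until
        if idle:
            idle_start = max(self.busy_until, self.last_seen)
            refill = (t - idle_start) * self.bw / 8
            self.credit = min(self.burst, self.credit + refill)
        self.last_seen = t
        if idle and self.credit >= length:
            self.credit -= length          # covered by burst: no shaping
            return 0.0
        start = max(t, self.busy_until)    # serialized at the pipe rate
        self.busy_until = start + length * 8 / self.bw
        return self.busy_until - t


def ping_rtts(bw_bps, burst_bytes, count=3, interval=1.0):
    """RTT of each echo when request and reply both cross the same pipe."""
    pipe = Pipe(bw_bps, burst_bytes)
    rtts = []
    for i in range(count):
        t = i * interval
        out = pipe.send(t, ECHO_IP_LEN)
        back = pipe.send(t + out, ECHO_IP_LEN)
        rtts.append(out + back)
    return rtts


def transfer_time(total_bytes, pkt_len, bw_bps, burst_bytes):
    """Seconds until the last packet of a back-to-back transfer leaves."""
    pipe = Pipe(bw_bps, burst_bytes)
    return max(pipe.send(0.0, pkt_len) for _ in range(total_bytes // pkt_len))


if __name__ == "__main__":
    print([round(r * 1000, 1) for r in ping_rtts(10_000, 0)])        # ms
    print([round(r * 1000, 1) for r in ping_rtts(10_000, 102_400)])  # ms
    print(transfer_time(1_000_000, 1000, 1_000_000, 500_000))        # s
    print(transfer_time(1_000_000, 1000, 1_000_000, 0))              # s
```

With burst 0 the model gives 2 x 84 x 8 / 10000 s = 134.4 ms per echo, close to the 134.6 to 135.0 ms in the quoted output. The transfer case shows the behaviour the original question expected: the first 500000 bytes are not shaped and only the remainder is sent at the pipe rate.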