Message-ID: <51596FD6.8030101@FreeBSD.org>
Date: Mon, 01 Apr 2013 15:30:30 +0400
From: "Alexander V. Chernikov"
To: Andriy Gapon
Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org
Subject: Re: svn commit: r248552 - in head: sbin/ipfw sys/netinet sys/netpfil/ipfw

On 01.04.2013 00:50, Andriy Gapon wrote:
> on 20/03/2013 12:35 Alexander V. Chernikov said the following:
>> Author: melifaro
>> Date: Wed Mar 20 10:35:33 2013
>> New Revision: 248552
>> URL: http://svnweb.freebsd.org/changeset/base/248552
>>
>> Log:
>> Add ipfw support for setting/matching DiffServ codepoints (DSCP).
>>
>> Setting DSCP support is done via O_SETDSCP which works for both
>> IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4.
>> Dscp can be specified by name (AFXY, CSX, BE, EF), by value
>> (0..63) or via tablearg.
>>
>> Matching DSCP is done via another opcode (O_DSCP) which accepts several
>> classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).
> [snip]
>> Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c >> ============================================================================== >> --- head/sys/netpfil/ipfw/ip_fw_sockopt.c Wed Mar 20 09:56:20 2013 (r248551) >> +++ head/sys/netpfil/ipfw/ip_fw_sockopt.c Wed Mar 20 10:35:33 2013 (r248552) 
>> @@ -671,6 +671,10 @@ check_ipfw_struct(struct ip_fw *rule, in >> case O_IPID: >> case O_IPTTL: >> case O_IPLEN: >> + case O_DSCP: >> + if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1) >> + goto bad_size; >> + break; >> case O_TCPDATALEN: >> case O_TCPWIN: >> case O_TAGGED: > > Could you please double-check this part of the change? > Handling of the new O_DSCP opcode is inserted in the middle of the long > fall-through list of cases and thus it modifies behavior of the preceding cases. > The commit message does not say anything about that. Yes, my fault. I've changed O_DSCP token to accept bitmask instead of single variable and forgot to properly update given part. Fixed in r248971. > > I've just done my bi-monthly release/upgrade and ipfw now chokes on my ruleset. > There is the following message in system log: > kernel: ipfw: opcode 0 size 8 wrong > Offending rule seems to be: > allow ip from any to any via tun* > > Reverting this commit fixes the problem. > Thank you. > -- WBR, Alexander
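Review bot: The new `case O_DSCP:` block in check_ipfw_struct() is placed directly after `case O_IPLEN:` and ends in `break`, so `O_IPID`, `O_IPTTL` and `O_IPLEN` now fall into the `cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1` check instead of continuing down to the size check they shared with `O_TCPDATALEN`, `O_TCPWIN` and `O_TAGGED`. Rules using those three opcodes that were valid before can now be rejected with `bad_size`. Move `O_DSCP` and its check into a separate case outside this fall-through list (for example above `case O_IPID:`), so the existing opcodes keep their previous validation. The `+ 1` would also benefit from a short comment tying it to the two-u32-word bitmask described in the commit log, since nothing in the hunk explains the expected length.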