From owner-freebsd-ipfw Mon Sep 2 8:27:53 2002
Date: Mon, 2 Sep 2002 08:27:43 -0700
From: Luigi Rizzo
To: ipfw@freebsd.org
Subject: ipfw2 vs. ipfw1 and 4.7
Message-ID: <20020902082743.D87097@iguana.icir.org>

People,

now that the release of 4.7 is approaching, I would really appreciate it if you could give ipfw2 a try and see whether it breaks anything in your rulesets. Also have a look at the manpage highlighting the differences between ipfw1 and ipfw2 to see if your rulesets can be simplified/made more efficient.

While I am not suggesting a switch in the default to be used in the distribution, I think it would be appropriate to mention ipfw2's existence in the release notes and elsewhere. I really believe it to be at least as reliable as ipfw1 and a lot more powerful in terms of features.

I know there are several people already using ipfw2 in production, and I have no outstanding bug reports for the kernel part of ipfw2 (there were very few anyway) and only one for the userland part (wrong byte order for port numbers in "fwd" commands, for which the [trivial] fix below will be committed soon).

Also, I am not going to put work into extending ipfw1's life -- if you have an ipfw1 bug report or feature request for something that is working in ipfw2, you know what my answer will be...

cheers
luigi

NOTE: In order to use ipfw2, you must compile your kernel with

	options IPFW2

in addition to all other IPFIREWALL* options, and also rebuild and reinstall /sbin/ipfw and usr/lib/libalias with

	make -DIPFW2
	make -DIPFW2 install

The manpage for ipfw now tells you the syntax for ipfw2 commands and has a section highlighting the differences between ipfw1 and ipfw2.
Index: ipfw2.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.12 diff -u -r1.12 ipfw2.c --- ipfw2.c 19 Aug 2002 12:36:54 -0000 1.12 +++ ipfw2.c 2 Sep 2002 15:01:31 -0000 @@ -908,7 +908,7 @@ printf("fwd %s", inet_ntoa(s->sa.sin_addr)); if (s->sa.sin_port) - printf(",%d", ntohs(s->sa.sin_port)); + printf(",%d", s->sa.sin_port); } break; @@ -2592,7 +2592,7 @@ if (s == end) errx(EX_DATAERR, "illegal forwarding port ``%s''", s); - p->sa.sin_port = htons( (u_short)i ); + p->sa.sin_port = (u_short)i; } lookup_host(*av, &(p->sa.sin_addr)); }
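Review bot: in the hunk at line 908, dropping ntohs() around s->sa.sin_port is only correct if every writer of that field now stores host byte order; the companion hunk at line 2592 removes the matching htons(), but struct sockaddr_in conventionally carries sin_port in network order, so any other code that fills in sa.sin_port (the kernel side that consumes the fwd target, or any rule-loading path not in this diff) has to follow the same host-order convention or the printed and the forwarded port will again disagree. A one-line comment next to the printf stating that sin_port is deliberately kept in host order here would stop the next reader from "re-fixing" it back to ntohs().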
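Review bot: in the hunk at line 2592, the only validation visible before the assignment is `if (s == end) errx(EX_DATAERR, "illegal forwarding port ...")`, which rejects a non-numeric argument but not an out-of-range one; `p->sa.sin_port = (u_short)i;` silently truncates values above 65535 (and negative values, if i is signed) to an unrelated port. Unless a range check happens earlier in this function, adding `if (i < 0 || i > 65535) errx(EX_DATAERR, ...)` before the cast would make the fwd port parsing fail loudly instead of forwarding to the wrong port.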
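The byte-order mix-up the patch removes is easy to reproduce in isolation. The following is an added example, not ipfw code: it stores a port with htons() the way the old userland did and then reads it back without conversion, which is what a consumer expecting host order would do. The helper names (swap16, port_round_trip, and so on) are this example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <arpa/inet.h>   /* htons(), ntohs() */

/* Explicit 16-bit byte swap; independent of the host's endianness, so the
 * expected value of a swapped port can be checked without knowing the CPU. */
static uint16_t swap16(uint16_t v)
{
    return (uint16_t)((v << 8) | (v >> 8));
}

/* The mismatch: the producer stores htons(port), the consumer reads the
 * field as plain host order. On a little-endian host the result is
 * swap16(port); on a big-endian host it happens to equal port. */
static uint16_t port_as_seen_by_host_order_reader(uint16_t port)
{
    uint16_t stored = htons(port);   /* producer applied network order */
    return stored;                   /* consumer applied no conversion  */
}

/* 1 if this host would forward to the wrong port under the mixed
 * convention, 0 if the value survives (big-endian host, or a port whose
 * two bytes are identical such as 0x1F1F, which hides the bug). */
static int mixed_convention_is_wrong_here(uint16_t port)
{
    return port_as_seen_by_host_order_reader(port) != port;
}

/* A consistent convention: producer and consumer both convert, so the
 * value is the same on every host. */
static uint16_t port_round_trip(uint16_t port)
{
    return ntohs(htons(port));
}

int main(void)
{
    /* Constructed sample ports, not taken from any ruleset. */
    const uint16_t ports[] = { 80, 8080, 7967 /* 0x1F1F */ };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        uint16_t p = ports[i];
        printf("port %5u: misread as %5u on this host (%s), "
               "swapped would be %5u, round trip %5u\n",
               p, port_as_seen_by_host_order_reader(p),
               mixed_convention_is_wrong_here(p) ? "WRONG" : "ok",
               swap16(p), port_round_trip(p));
    }
    return 0;
}
```

The symmetric-byte port (7967) is the interesting case: it is the one value a quick manual test would not catch, which is why a check like the one above is better run over a few ports than over one.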