Date: Tue, 01 Oct 2002 16:19:18 -0300 From: "Daniel C. Sobral" <dcs@tcoip.com.br> To: Luigi Rizzo <rizzo@icir.org> Cc: ipfw@FreeBSD.ORG Subject: Re: ipfw2 vs. ipfw1 and 4.7 Message-ID: <3D99F536.2050201@tcoip.com.br> References: <20020902082743.D87097@iguana.icir.org>
next in thread | previous in thread | raw e-mail | index | archive | help
I find it EXTREMELY inconvenient that 4.7 gets released with a KNOWN
bug, that was corrected in -current before we were halfway into the 4.7
freeze. Even more so when the change does not affect *any* default
installation, because the feature must be explicitly enabled before this
code gets even installed.
There I go, installing 4.7, with not a worry in mind, only to be bitten
by the fwd bug.
Luigi Rizzo wrote:
> People,
> now that the release of 4.7 is approaching, i would really appreciate
> if you could give ipfw2 a try and see whether it breaks anything
> in your rulesets. Also have a look at the manpage highlighting the
> differences between ipfw1 and ipfw2 to see if your rulesets can be
> simplified/made more efficient.
>
> While I am not suggesting a switch in the default to be used in the
> distribution, i think it would be appropriate to mention ipfw2's
> existence in the release notes and elsewhere.
> I really believe it to be at least as reliable as ipfw1 and a lot
> more powerful in terms of features.
>
> I know there are several people already using ipfw2 in production,
> and I have no outstanding bug reports for the kernel part of
> ipfw2 (there were very few anyways) and only one for the userland
> part (wrong byte order for port numbers in "fwd" commands, for which
> the [trivial] fix below will be committed soon.
>
> Also, I am not going to put work on extending ipfw1's life --
> if you have an ipfw1 bug report or feature request for something
> that is working in ipfw2, you know what my answer will be...
>
> cheers
> luigi
>
> NOTE:
>
> In order to use ipfw2, you must compile your kernel with
>
> options IPFW2
>
> in addition to all other IPFIREWALL* options, and also
> rebuild and reinstall /sbin/ipfw and usr/lib/libalias with
>
> make -DIPFW2
> make -DIPFW2 install
>
> The manpage for ipfw now tells you the syntax for ipfw2 commands
> and has a section highlighting the differences between ipfw1 and ipfw2.
>
> Index: ipfw2.c
> ===================================================================
> RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
> retrieving revision 1.12
> diff -u -r1.12 ipfw2.c
> --- ipfw2.c 19 Aug 2002 12:36:54 -0000 1.12
> +++ ipfw2.c 2 Sep 2002 15:01:31 -0000
> @@ -908,7 +908,7 @@
>
> printf("fwd %s", inet_ntoa(s->sa.sin_addr));
> if (s->sa.sin_port)
> - printf(",%d", ntohs(s->sa.sin_port));
> + printf(",%d", s->sa.sin_port);
> }
> break;
>
> @@ -2592,7 +2592,7 @@
> if (s == end)
> errx(EX_DATAERR,
> "illegal forwarding port ``%s''", s);
> - p->sa.sin_port = htons( (u_short)i );
> + p->sa.sin_port = (u_short)i;
> }
> lookup_host(*av, &(p->sa.sin_addr));
> }
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
--
Daniel C. Sobral (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: Daniel.Capo@tco.net.br
Daniel.Sobral@tcoip.com.br
dcs@tcoip.com.br
Outros:
dcs@newsguy.com
dcs@freebsd.org
capo@notorious.bsdconspiracy.net
If the master dies and the disciple grieves,
the lives of both have been wasted.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D99F536.2050201>