Date: Mon, 01 Apr 2013 15:30:30 +0400 From: "Alexander V. Chernikov" <melifaro@FreeBSD.org> To: Andriy Gapon <avg@FreeBSD.org> Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org Subject: Re: svn commit: r248552 - in head: sbin/ipfw sys/netinet sys/netpfil/ipfw Message-ID: <51596FD6.8030101@FreeBSD.org> In-Reply-To: <5158A1AD.1080808@FreeBSD.org> References: <201303201035.r2KAZXj2090085@svn.freebsd.org> <5158A1AD.1080808@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 01.04.2013 00:50, Andriy Gapon wrote: > on 20/03/2013 12:35 Alexander V. Chernikov said the following: >> Author: melifaro >> Date: Wed Mar 20 10:35:33 2013 >> New Revision: 248552 >> URL: http://svnweb.freebsd.org/changeset/base/248552 >> >> Log: >> Add ipfw support for setting/matching DiffServ codepoints (DSCP). >> >> Setting DSCP support is done via O_SETDSCP which works for both >> IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. >> Dscp can be specified by name (AFXY, CSX, BE, EF), by value >> (0..63) or via tablearg. >> >> Matching DSCP is done via another opcode (O_DSCP) which accepts several >> classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words). > [snip] >> Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c >> ============================================================================== >> --- head/sys/netpfil/ipfw/ip_fw_sockopt.c Wed Mar 20 09:56:20 2013 (r248551) >> +++ head/sys/netpfil/ipfw/ip_fw_sockopt.c Wed Mar 20 10:35:33 2013 (r248552) >> @@ -671,6 +671,10 @@ check_ipfw_struct(struct ip_fw *rule, in >> case O_IPID: >> case O_IPTTL: >> case O_IPLEN: >> + case O_DSCP: >> + if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1) >> + goto bad_size; >> + break; >> case O_TCPDATALEN: >> case O_TCPWIN: >> case O_TAGGED: > > Could you please double-check this part of the change? > Handling of the new O_DSCP opcode is inserted in the middle of the long > fall-through list of cases and thus it modifies behavior of the preceding cases. > The commit message does not say anything about that. Yes, my fault. I've changed O_DSCP token to accept bitmask instead of single variable and forgot to properly update given part. Fixed in r248971. > > I've just done my bi-monthly release/upgrade and ipfw now chokes on my ruleset. > There is the following message in system log: > kernel: ipfw: opcode 0 size 8 wrong > Offending rule seems to be: > allow ip from any to any via tun* > > Reverting this commit fixes the problem. > Thank you. > -- WBR, Alexander
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51596FD6.8030101>