Date: Wed, 10 Jul 2002 06:25:19 -0400
From: Dan Pelleg
To: Luigi Rizzo
Cc: ipfw@freebsd.org
Subject: Re: ipfw2 patches for -stable available

Luigi Rizzo writes:
> Hi Dan,
> thanks for the report:
>
> > I've only used it briefly. For now it looks ok, with the following observations:
> >
> > 1) the "icmptype" option doesn't seem to be supported
>
> the manpage lists "icmptypes" (plural) as the option keyword,
> though it is true that the previous code allowed abbreviations
> (but those could be ambiguous). I am not sure whether or
> not it is the case to fix it -- for sure i can add "icmptype"
> as an alias for "icmptypes"
>

I see. While both choices are reasonable, this change has the potential of causing a lot of grief to people who find their rulesets altered. If we're dropping abbreviations, maybe it's a good idea to provide a search-and-replace script to convert existing rule scripts. Maybe even offer it as part of mergemaster (if that's at all possible - I don't know).

> > 3) I'm getting lots of "/kernel: install_state: entry already present,
> > done" (related to (2)?).
>
> this one i cannot reproduce, do you have a small ruleset and
> input example to send me so i can try and reproduce the problem ?
>

That's easy:

    sh /etc/rc.firewall closed
    ipfw add 500 pass tcp from me to any keep-state limit src-addr dst-port 40
    ipfw add 600 pass udp from me to any keep-state limit src-addr dst-port 40

Now just fire up Mozilla (which opens lots of connections in rapid succession) and watch the logs.

I have another bug to report. The following causes a segfault on a DUMMYNET-less machine:

    ipfw queue 1 config pipe 10 weight 100 mask src-ip 0xffffffff

Note that if you drop the mask specifier, then it just tells you:

    ipfw: setsockopt(IP_DUMMYNET_CONFIGURE): Protocol not available

as it should.
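
The search-and-replace conversion suggested in the message above could look like the following. This is an added example, not part of the original post or of the ipfw distribution; it covers only the one keyword the thread names (`icmptype` to `icmptypes`) and assumes rule lines invoke the firewall as `ipfw`, `/path/ipfw`, `$fwcmd` or `${fwcmd}`. All function names and the sample script are constructed for illustration.

```python
import re

# Assumption: rules are invoked as ipfw, /path/ipfw, $fwcmd or ${fwcmd}.
IPFW_CMD = re.compile(r'^\s*(?:(?:/\S*/)?ipfw\b|\$\{?fwcmd\}?)')
# Whole-token match only, so "icmptypes" and longer words are left alone.
OLD_KEYWORD = re.compile(r'(?<![\w-])icmptype(?![\w-])')

def split_comment(line):
    """Split a shell line into (code, comment) at the first unquoted '#'."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
        elif ch == '#' and (i == 0 or line[i - 1].isspace()):
            return line[:i], line[i:]
    return line, ''

def convert_line(line):
    """Rewrite the old keyword, but only in the code part of an ipfw rule."""
    code, comment = split_comment(line)
    if not IPFW_CMD.search(code):
        return line
    return OLD_KEYWORD.sub('icmptypes', code) + comment

def convert_script(text):
    """Convert a rule script; return (new_text, changed_line_numbers)."""
    out, changed = [], []
    for n, line in enumerate(text.splitlines(keepends=True), 1):
        new = convert_line(line)
        if new != line:
            changed.append(n)
        out.append(new)
    return ''.join(out), changed

# Constructed sample input, not taken from the thread.
SAMPLE = '''\
fwcmd="/sbin/ipfw"
# allow icmptype 8 from inside
${fwcmd} add 400 pass icmp from me to any icmptype 8
ipfw add 410 pass icmp from any to me icmptypes 0,3,11  # already plural
echo "icmptype rules loaded"
/sbin/ipfw add 420 deny icmp from any to any icmptype 5 # old icmptype syntax
'''

if __name__ == '__main__':
    print(convert_script(SAMPLE)[0], end='')
```

Reviewing the returned list of changed line numbers before installing the converted script shows exactly which rules were touched, so an altered ruleset does not go into service unnoticed.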