Date: Sun, 31 Mar 2013 23:50:53 +0300
From: Andriy Gapon
To: "Alexander V. Chernikov"
Subject: Re: svn commit: r248552 - in head: sbin/ipfw sys/netinet sys/netpfil/ipfw
Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org

on 20/03/2013 12:35 Alexander V. Chernikov said the following:
> Author: melifaro
> Date: Wed Mar 20 10:35:33 2013
> New Revision: 248552
> URL: http://svnweb.freebsd.org/changeset/base/248552
>
> Log:
> Add ipfw support for setting/matching DiffServ codepoints (DSCP).
>
> Setting DSCP support is done via O_SETDSCP which works for both
> IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4.
> Dscp can be specified by name (AFXY, CSX, BE, EF), by value
> (0..63) or via tablearg.
>
> Matching DSCP is done via another opcode (O_DSCP) which accepts several
> classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).

[snip]

> Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c > ============================================================================== > --- head/sys/netpfil/ipfw/ip_fw_sockopt.c Wed Mar 20 09:56:20 2013 (r248551) > +++ head/sys/netpfil/ipfw/ip_fw_sockopt.c Wed Mar 20 10:35:33 2013 (r248552) 
> @@ -671,6 +671,10 @@ check_ipfw_struct(struct ip_fw *rule, in > case O_IPID: > case O_IPTTL: > case O_IPLEN: > + case O_DSCP: > + if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1) > + goto bad_size; > + break; > case O_TCPDATALEN: > case O_TCPWIN: > case O_TAGGED:

Could you please double-check this part of the change?
Handling of the new O_DSCP opcode is inserted in the middle of the long fall-through list of cases and thus it modifies behavior of the preceding cases. The commit message does not say anything about that.

I've just done my bi-monthly release/upgrade and ipfw now chokes on my ruleset. There is the following message in system log:
kernel: ipfw: opcode 0 size 8 wrong
Offending rule seems to be:
allow ip from any to any via tun*

Reverting this commit fixes the problem.
Thank you.
-- 
Andriy Gapon
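
Review bot: The added case O_DSCP block in check_ipfw_struct() lands between case O_IPLEN: and case O_TCPDATALEN:, inside an existing run of fall-through labels, so O_IPID, O_IPTTL and O_IPLEN now fall into the cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1 test and stop at the new break instead of continuing down to the check shared with O_TCPDATALEN, O_TCPWIN and O_TAGGED. The log message only describes adding DSCP support and says nothing about changing the accepted instruction size for those three opcodes. If that side effect is not intended, place the O_DSCP label, its size check and its break outside the fall-through run (for example directly above case O_IPID:) so the existing opcodes keep their original validation, and note in the commit log any size requirement that is meant to change. Because this function decides whether a rule is accepted at load time, a stricter check on existing opcodes can cause previously valid rulesets to be rejected after an upgrade.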