From: Ian Smith
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org, "Ass.Tec. Matik"
Date: Thu, 1 Apr 2010 18:25:23 +1100 (EST)
Subject: Re: ipfw error in last stable version freebsd 8

On Thu, 1 Apr 2010, Luigi Rizzo wrote:
> On Wed, Mar 31, 2010 at 03:47:49PM -0300, Ass.Tec. Matik wrote:
> > >
> > > it means that you are probably using a new kernel and an old /sbin/ipfw.
> > > The new ipfw/dummynet has a different kernel/userland API to accommodate
> > > some new features, and the kernel has a compatibility layer to translate
> > > requests back and forth between the two APIs.
> > >
> >
> > where this is coming from:
> >
> > ipfw0: flags=8801 metric 0 mtu 65536
>
> sys/netinet/ipfw/ip_fw_log.c
>
> Revision 200654 - (view) (annotate) - [select for diffs]
> Modified Thu Dec 17 23:11:16 2009 UTC (3 months, 1 week ago) by luigi
>
> Add some experimental code to log traffic with tcpdump,
> similar to pflog(4).
> To use the feature, just put the 'log' options on rules
> you are interested in, e.g.
>
> ipfw add 5000 count log ....
>
> and run
> tcpdump -ni ipfw0 ...
>
> net.inet.ip.fw.verbose=0 enables logging to ipfw0,
> net.inet.ip.fw.verbose=1 sends logging to syslog as before.

Which is now default? Previously net.inet.ip.fw.verbose was conditioned
by IPFIREWALL_VERBOSE in kernel options - has this changed?

I gather it's either ipfw0 or syslog, both (or neither?) not being
possible? Does 'ipfw {en,dis}able verbose' now toggle between these two?

Thanks for this heads up, I'm soon to update my 8.0 to -stable and use
log a lot, tailing /var/log/security for keeping an eye on some things.

While I'm at it :) have you given any more thought to disambiguating the
overloading of net.inet.ip.fw.one_pass for both dummynet and ipfw nat?

cheers, Ian