From: Gleb Smirnoff
To: Cy Schubert
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Date: Mon, 5 Aug 2019 18:13:17 -0700
Subject: Re: svn commit: r349929 - head/sys/contrib/ipfilter/netinet
Message-ID: <20190806011317.GG1398@FreeBSD.org>
In-Reply-To: <201907120159.x6C1x9go013298@repo.freebsd.org>
References: <201907120159.x6C1x9go013298@repo.freebsd.org>
Hi,

On Fri, Jul 12, 2019 at 01:59:09AM +0000, Cy Schubert wrote:
C> Log:
C>   Move the new ipf_pcksum6() function from ip_fil_freebsd.c to fil.c.
C>   The reason for this is that ipftest(8), which still works on FreeBSD-11,
C>   fails to link to it, breaking stable/11 builds.
C>
C>   ipftest(8) was broken (segfault) sometime during the FreeBSD-12 cycle.
C>   glebius@ suggested we disable building it until I can get around to
C>   fixing it. Hence this was not caught in -current.
C>
C>   The intention is to fix ipftest(8) as it is used by the netbsd-tests
C>   (imported by ngie@ many moons ago) for regression testing.

AFAIR, maintaining ipftest always was a PITA, as it wants to compile lots of
kernel code into a userland utility. Of course, once disabled it will bitrot
very quickly.

I'd suggest achieving the functionality of ipftest in a different way. Add a
new ioctl() to pfil(9) that will read a packet from userland, match it
against a given pfil head and report the result. This will make a universal
tool for checking a packet against a ruleset for all existing firewalls,
including ipfw and pf. Let's call it the pfiltest utility. It can also be a
part of the existing pfilctl, invoked as "pfilctl test".

The second missing bit of functionality is that ipftest can test against not
the running ruleset, but some other ruleset. This can be achieved by adding a
multiple-ruleset feature to the existing firewalls. pfil(9) already has the
notion of ruleset names, but so far ipfw, pf and ipf provide only "default".
Once a firewall is able to make alternative rulesets, we can match this
functionality: ipftest would install a temporary ruleset, not connect it to
any head, run the new ioctl() on it, then destroy the ruleset.

I'm sorry to come with a suggestion but I can't contribute any time to it.

-- 
Gleb Smirnoff
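The following is an added userland model of the two pieces of the proposal in the message above (a head bound to a named ruleset, and testing a raw packet against a ruleset that is attached to no head). It is example code written for this page, not FreeBSD kernel code and not an existing pfil(9) interface: the struct names, the verdict constants, the rule format and the function names are all assumptions made for illustration, and the packet bytes are constructed by hand.

```c
/*
 * Hypothetical userland model of a "test this packet against that ruleset"
 * entry point for pfil(9), as suggested in the message above.  Nothing here
 * is FreeBSD code: names, verdicts and the rule format are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PFIL_PASS     0
#define PFIL_DROPPED  1
#define PFIL_ERROR   -1   /* malformed packet; the test itself failed */

/* One rule: match IP protocol and (for TCP/UDP) destination port; first match wins. */
struct rule {
    int      action;   /* PFIL_PASS or PFIL_DROPPED */
    uint8_t  proto;    /* 0 = any */
    uint16_t dport;    /* 0 = any */
};

/* A named ruleset, i.e. the "multiple rulesets" object the proposal asks for. */
struct ruleset {
    const char        *name;
    const struct rule *rules;
    size_t             nrules;
    int                def_action;   /* verdict when no rule matches */
};

/* A pfil head is bound to at most one ruleset; NULL means nothing attached. */
struct pfil_head {
    const char           *name;
    const struct ruleset *rs;
};

/* Pull the matchable fields out of a raw IPv4 packet.  Returns 0 on success. */
static int parse_ipv4(const uint8_t *pkt, size_t len, uint8_t *proto, uint16_t *dport)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || len < ihl || tot < ihl || tot > len)
        return -1;
    *proto = pkt[9];
    *dport = 0;
    if (*proto == 6 || *proto == 17) {          /* TCP or UDP: need ports */
        if (len < ihl + 4)
            return -1;
        *dport = ((uint16_t)pkt[ihl + 2] << 8) | pkt[ihl + 3];
    }
    return 0;
}

/* Core of the proposed ioctl: run one packet through one ruleset, touching no head. */
int pfil_test_ruleset(const struct ruleset *rs, const uint8_t *pkt, size_t len)
{
    uint8_t proto;
    uint16_t dport;
    if (parse_ipv4(pkt, len, &proto, &dport) != 0)
        return PFIL_ERROR;
    for (size_t i = 0; i < rs->nrules; i++) {
        const struct rule *r = &rs->rules[i];
        if (r->proto && r->proto != proto)
            continue;
        if (r->dport && r->dport != dport)
            continue;
        return r->action;
    }
    return rs->def_action;
}

/* "pfilctl test <head>": test against whatever ruleset the head runs right now. */
int pfil_test_head(const struct pfil_head *h, const uint8_t *pkt, size_t len)
{
    return h->rs == NULL ? PFIL_PASS : pfil_test_ruleset(h->rs, pkt, len);
}

/* Constructed sample: IPv4 (20-byte header), TCP, 10.0.0.1 -> 10.0.0.2, dst port 22. */
const uint8_t pkt_ssh[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    10,0,0,1, 10,0,0,2,
    0xc0,0x00, 0x00,0x16, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0
};

/* The running ("default") ruleset, attached to the inet head: allow ssh, drop the rest. */
const struct rule running_rules[] = { { PFIL_PASS, 6, 22 } };
const struct ruleset running = { "default", running_rules, 1, PFIL_DROPPED };
const struct pfil_head inet_head = { "inet", &running };

/* Candidate ruleset under test: installed, but attached to no head. */
const struct rule candidate_rules[] = { { PFIL_DROPPED, 6, 22 }, { PFIL_PASS, 0, 0 } };
const struct ruleset candidate = { "candidate", candidate_rules, 2, PFIL_PASS };

/* 1 if the live head and the candidate ruleset disagree on the sample packet. */
int verdicts_differ(void)
{
    return pfil_test_head(&inet_head, pkt_ssh, sizeof pkt_ssh)
        != pfil_test_ruleset(&candidate, pkt_ssh, sizeof pkt_ssh);
}

int main(void)
{
    printf("live head:  %d\n", pfil_test_head(&inet_head, pkt_ssh, sizeof pkt_ssh));
    printf("candidate:  %d\n", pfil_test_ruleset(&candidate, pkt_ssh, sizeof pkt_ssh));
    printf("differ:     %d\n", verdicts_differ());
    return 0;
}
```

The point of keeping pfil_test_ruleset separate from pfil_test_head is the second half of the proposal: a ruleset can be evaluated without ever being wired to a head, so a test never changes what the running firewall does to real traffic, and a truncated or non-IPv4 input is reported as a test error rather than silently passed.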