From: Cy Schubert <Cy.Schubert@cschubert.com>
To: Gleb Smirnoff
Cc: Cy Schubert, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r349929 - head/sys/contrib/ipfilter/netinet
Date: Mon, 05 Aug 2019 19:06:48 -0700
Message-Id: <201908060206.x7626mkb053395@slippy.cwsent.com>
In-reply-to: <20190806011317.GG1398@FreeBSD.org>
References: <201907120159.x6C1x9go013298@repo.freebsd.org> <20190806011317.GG1398@FreeBSD.org>
List-Id: SVN commit messages for the entire src tree (except for "user" and "projects") <svn-src-all@freebsd.org>

In message <20190806011317.GG1398@FreeBSD.org>, Gleb Smirnoff writes:
> Hi,
>
> On Fri, Jul 12, 2019 at 01:59:09AM +0000, Cy Schubert wrote:
> C> Log:
> C>   Move the new ipf_pcksum6() function from ip_fil_freebsd.c to fil.c.
> C>   The reason for this is that ipftest(8), which still works on FreeBSD-11,
> C>   fails to link to it, breaking stable/11 builds.
> C>
> C>   ipftest(8) was broken (segfault) sometime during the FreeBSD-12 cycle.
> C>   glebius@ suggested we disable building it until I can get around to
> C>   fixing it. Hence this was not caught in -current.
> C>
> C>   The intention is to fix ipftest(8) as it is used by the netbsd-tests
> C>   (imported by ngie@ many moons ago) for regression testing.
>
> AFAIR, maintaining ipftest always was a PITA, as it wants to compile
> lots of kernel code into a userland utility. Of course, once disabled
> it will bitrot very quickly.
>
> I'd suggest to achieve functionality of ipftest in a different way. Add
> a new ioctl() to the pfil(9), that will read a packet from the userland
> and match it against a given pfil head and report the result. This will
> make a universal tool for packet against ruleset checking for all existing
> firewalls, including ipfw and pf. Let's call it pfiltest utility. It can
> also be a part of existing pfilctl, invoked as "pfilctl test".

This would make firewall testing more consistent. The approach currently used by the SoC project uses VNET jails.

An ioctl() to inject packets into pfil(9) is intriguing. ipftest(8) uses a pcap file for testing, providing serially reproducible input. OTOH, a userland utility can be rebuilt at will without affecting the running system. A person could test yet-to-be-implemented changes without affecting the currently running packet filter.

Still, this is an interesting idea. When I was an MVS systems programmer I had developed extensions to the JES2 job entry subsystem. MVS allowed for a primary and secondary subsystem, allowing the primary to process jobs while the secondary could be used for testing or other purposes. In a similar vein, possibly having a primary and secondary pfil(9) to which alternate packet filters could attach would allow for testing without the disruption of kldload/kldunload of the primary packet filters or, even worse, reboot. (And reboots for the sake of testing are annoying for the impatient.) Anticipating the next point, why not a VM? Again, time.

> The second missing bit of functionality is that ipftest can test against
> not the running ruleset, but some other ruleset. This can be achieved by
> adding multiple ruleset feature into existing firewalls. The pfil(9) already
> has notion of ruleset names, but so far ipfw, pf and ipf provide only "default".

ipfilter already uses active and inactive rulesets. Best practice is to clear and load new rules into the inactive ruleset and switch it to active. If it causes problems, switch back. One could extend this functionality to multiple rulesets or map the active/inactive rulesets back to pfil(9).

> Once a firewall is able to make alternative rulesets, we can match this
> functionality: ipftest would install temporary ruleset, don't connect it
> to any head, run the new ioctl() on it, then destroy the ruleset.
>
> I'm sorry to come with a suggestion but can't contribute any time into it.

Thanks for giving me more things to ponder.

Lastly, in defense of ipftest, the NetBSD tests that ngie@ imported use ipftest, as do our friends at NetBSD. If anything I'd like to at least maintain the same UI such that sharing of scripts, tests, and ideas would still be possible.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX:  Web:  http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.
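The reply above describes ipfilter's active/inactive rulesets and the practice of clearing and loading new rules into the inactive set, switching it to active, and switching back if it causes problems. The script below is an added example, not code from this thread or from the ipfilter project: it wraps that procedure so the swap-back happens automatically when a post-switch check fails, which is the point of keeping the old ruleset loaded. It assumes the ipf(8) flags -I (operate on the inactive set), -Fa (flush all rules), -f FILE (load rules from a file) and -s (swap active and inactive sets); the IPF variable, the rule file names and the check command are the example's own choices.

```shell
#!/bin/sh
# Added example: stage an ipfilter ruleset in the inactive set, swap it in,
# verify, and swap the previous ruleset back if verification fails.
# Assumes ipf(8) flags -I (inactive set), -Fa (flush all), -f FILE (load), -s (swap).
# IPF is an example knob so another binary (or a test stub) can be substituted.

IPF=${IPF:-ipf}

# stage_rules FILE
# Flush the inactive set and load FILE into it. The active set is untouched,
# so a syntax error here costs nothing: the old rules keep filtering.
stage_rules() {
    "$IPF" -I -Fa || return 1
    "$IPF" -I -f "$1"
}

# activate_with_rollback FILE CHECK_CMD
# Stage FILE, swap it to active, then run CHECK_CMD (a shell command string,
# for instance a ping or TCP probe that must still succeed through the
# firewall). If the check fails, swap the previous ruleset straight back.
# Return codes:
#   0  new ruleset active and verified
#   1  check failed, previous ruleset restored
#   2  load into the inactive set failed, nothing changed
#   3  swap failed
activate_with_rollback() {
    rules=$1
    check=$2
    if ! stage_rules "$rules"; then
        echo "load of $rules into inactive set failed; active set untouched" >&2
        return 2
    fi
    "$IPF" -s || return 3
    if sh -c "$check"; then
        echo "new ruleset from $rules is active"
        return 0
    fi
    echo "post-swap check failed; swapping previous ruleset back" >&2
    "$IPF" -s
    return 1
}

# Typical invocation (constructed example values, not from the thread):
#   activate_with_rollback /etc/ipf.rules.new 'ping -c1 -t2 192.0.2.1 >/dev/null'
```

Run the check from a path the new rules must not break (a management address, or a probe from a second host); a check that always succeeds turns the rollback into a no-op.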