Subject: Re: You have received a postcard ! - msg#00020

Previous Message by Date: click to view message preview

Re: IPFW1->2 regression: "in/out/via any" ignored

On Thu, Mar 23, 2006 at 04:47:17PM +0200, Dmitry Pryanishnikov wrote: ... > > For locally generated packets i admit 'recv any' may be of some use, > > and this is unsupported. There are probably workaround such as 'src-ip me' > > Oops! How can one know that feature which is documented from the beginning, > which worked in ipfw1 - became 'unsupported' in ipfw2? It's clearly a > regression to me, given that I can't use ipfw1 with modern RELENGs. it's a bug, never seen one before ? :) > > which may be of some help here although this particular instruction > > can be expensive as it has to scan the list of local addresses. > > I don't understand that part. Given that 'out recv ifx' still works, we have > incoming interface name for every transit outgoing packet. I'm sure there is > some indication in this field that clearly says: "packet _is_ > locally-generated". Isn't it? yes, i am just saying that there is no code in the kernel and in the userland compiler that interprets that info correctly. I repeat - it's a bug. I'ts probably trivial to fix, but at the moment i don't have the time to work on it. If you want, the places to touch are: sbin/ipfw/ipfw2.c the two places which parse TOK_RECV and O_RECV, should be enabled to deal with 'any' as an interface name and encode it somewhere in the instruction (see function fill_iface(), at the moment 'any' is interpreted as NULL, it could become some magic value e.g. 0x1 or the like) sys/netinet/ip_fw2.c in function iface_match(), you should check whether this magic value is present in the instruction and then return 0 or 1 depending on whether or not the 'ifp' argument is non-null. and this should be all you need to do (testing, of course :) cheers luigi > Sincerely, Dmitry > -- > Atlantis ISP, System Administrator > e-mail: dmitry@xxxxxxxxxxxxxx > nic-hdl: LYNX-RIPE _______________________________________________ freebsd-ipfw@xxxxxxxxxxx mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@xxxxxxxxxxx"

Next Message by Date: click to view message preview

Re: You have received a postcard !

On Wednesday 22 March 2006 08:07, postcard.com wrote: > http://toosexy.lydo.org/postcard.gif.exe pls explain your details _______________________________________________ freebsd-ipfw@xxxxxxxxxxx mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@xxxxxxxxxxx"

Previous Message by Thread: click to view message preview

IPFW1->2 regression: "in/out/via any" ignored

Hello! I've found a serious regression during the IPFW1->2 transition. I'm using "recv any" construction to match transit packets only. Manpage ipfw(8) clearly says: recv | xmit | via {ifX | if* | ipno | any} Matches packets received, transmitted or going through, respec- tively, the interface specified by exact name (ifX), by device name (if*), by IP address, or through some interface. ...........................................^^^^^^^^^^^^^^^^^^^^^^ A packet may not have a receive or transmit interface: packets originating from the local host have no receive interface, while packets destined for the local host have no transmit interface. So the following rule must not match locally-originated packets, thus matching only transit ones: 00001 0 0 count ip from any to any out recv any However, after transition to IPFW2 (RELENG_4, also have tried RELENG_6, CURRENT - results are the same) part "recv any" just gets ignored, and rules starts to match all outgoing packets, not just transit ones: root@test3# ipfw add 1 count ip from any to any out recv any 00001 count ip from any to any out root@test3# ipfw show 00001 7 1932 count ip from any to any out I've searched "ipfw any" context in our PR database and didn't find anything. Is it known issue? Does somebody work on it? Sincerely, Dmitry -- Atlantis ISP, System Administrator e-mail: dmitry@xxxxxxxxxxxxxx nic-hdl: LYNX-RIPE _______________________________________________ freebsd-ipfw@xxxxxxxxxxx mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@xxxxxxxxxxx"

Next Message by Thread: click to view message preview

Re: You have received a postcard !

On Wednesday 22 March 2006 08:07, postcard.com wrote: > http://toosexy.lydo.org/postcard.gif.exe pls explain your details _______________________________________________ freebsd-ipfw@xxxxxxxxxxx mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@xxxxxxxxxxx"