Re: ipfw userland breaks again.

2002-12-18 Thread Dan Lukes
[EMAIL PROTECTED] wrote, On 12/14/02 23:13: I have a patch here which makes the IPFIREWALL_DEFAULT_TO_ACCEPT tunable at module load time using a kernel environment variable. Looks to me that it would do what you want. Should we think about kldload logic change ? Loading modules giving them

Re: ipfw userland breaks again.

2002-12-17 Thread Matthew Dillon
Huh. Interesting. The IP_FW_ADD test threw me but now that I look at the code more closely it is only there because IP_FW_ADD is a valid SOPT_GET op as well as a SOPT_SET op. But FLUSH and friends are SOPT_SET only. Now I see how it works :-)

Re: ipfw userland breaks again.

2002-12-17 Thread Ruslan Ermilov
On Tue, Dec 17, 2002 at 10:23:15AM -0800, Matthew Dillon wrote: Huh. Interesting. The IP_FW_ADD test threw me but now that I look at the code more closely it is only there because IP_FW_ADD is a valid SOPT_GET op as well as a SOPT_SET op. But FLUSH and friends are SOPT_SET

Re: ipfw userland breaks again.

2002-12-16 Thread Ruslan Ermilov
On Sun, Dec 15, 2002 at 08:47:23PM +, Nik Clayton wrote: On Sun, Dec 15, 2002 at 11:08:01AM -0800, Matthew Dillon wrote: : ::This is complete BULLSHIT, Warner. : :Your attitude is totally unacceptable. Learn to play well with :others, or get the fuck out of the project.

Re: ipfw userland breaks again.

2002-12-16 Thread Ruslan Ermilov
On Sat, Dec 14, 2002 at 02:09:13PM -0800, Matthew Dillon wrote: : :On Sat, Dec 14, 2002 at 12:38:13PM -0800, Matthew Dillon wrote: : then, as usual, IPFW with the new kernel and : old world fails utterly and now the fragging machine can't access the : :Hear hear!! I am tempted to

Re: ipfw userland breaks again.

2002-12-16 Thread Julian Elischer
On Mon, 16 Dec 2002, Ruslan Ermilov wrote: On Sat, Dec 14, 2002 at 02:09:13PM -0800, Matthew Dillon wrote: : :On Sat, Dec 14, 2002 at 12:38:13PM -0800, Matthew Dillon wrote: : then, as usual, IPFW with the new kernel and : old world fails utterly and now the fragging machine

Re: ipfw userland breaks again.

2002-12-16 Thread Matthew Dillon
:How this could be helpful in a remote upgrade scenario that has :IPFW ABI incompatibility issues? : :One alternative approach would be to not compile IPFW into a :kernel but rather have it loaded as a module. Then, you :install new kernel, edit out ipfw_enable=YES for the time :being, reboot

Re: ipfw userland breaks again.

2002-12-16 Thread M. Warner Losh
In message: [EMAIL PROTECTED] Matthew Dillon [EMAIL PROTECTED] writes: : Here's a new patch. But there isn't much of a point if we do not : also disallow ipfw DELETE and FLUSH. And the pipe config commands : as well as anything else that changes the firewall state.

Re: ipfw userland breaks again.

2002-12-15 Thread M. Warner Losh
In message: [EMAIL PROTECTED] Matthew Dillon [EMAIL PROTECTED] writes: : :I disagree with committing this hack; keep it as a local mod if you must. : : : :As to the problem; don't wait for Luigi to fix the ABI problems, do it : :yourself. Good things happen when folks are PO'd and

Re: ipfw userland breaks again.

2002-12-15 Thread Matthew Dillon
:I don't like the patch from a security standpoint. It makes it too :easy to turn off a firewall. If you want to be that stupid about :security, you should just make the default be 'accept all' and be done :with it. I'm opposed to this patch unless you can get the security :officer to sign off

Re: ipfw userland breaks again.

2002-12-15 Thread Matthew Dillon
: :The real fix is to fix the abi problems. : :Warner Doh!! Thanks for volunteering to fix the ABI problems. No? You don't want to do it? Gee, I saw that one coming a mile away! THEN DON'T COMPLAIN. This is not a fucking security issue. This is a patch that solves a

Re: ipfw userland breaks again.

2002-12-15 Thread Anders Nordby
Hi, On Sun, Dec 15, 2002 at 10:26:22AM -0800, Matthew Dillon wrote: This is complete BULLSHIT, Warner. This patch exists precisely so the firewall can be turned on in secure mode. It does not make it any easier to turn off than adding a rule: ipfw add 2 allow all from any

Re: ipfw userland breaks again.

2002-12-15 Thread Matthew Dillon
:How about sending the patch to the Technical Review Board, trb@ instead. : :Thanks. : :Cheers, : :-- :Anders. Getting bored sitting on your buns? It's already gone to core and, frankly, I think core is the proper forum now that Warner has declared it a security issue (when it

Re: ipfw userland breaks again.

2002-12-15 Thread Miguel Mendez
On Sun, 15 Dec 2002 10:26:22 -0800 (PST) Matthew Dillon [EMAIL PROTECTED] wrote: Hi, must...resist... So don't give me this bullshit about the patch being a security issue. YOU KNOW IT ISN'T. No, Warner has a point, that patch is simply bandaid (albeit a good one). Now you are

Re: ipfw userland breaks again.

2002-12-15 Thread M. Warner Losh
:This is complete BULLSHIT, Warner. Your attitude is totally unacceptable. Learn to play well with others, or get the fuck out of the project. I am *NOT* blocking you. I'm telling you you need to get the SO's sign off to make sure that there isn't a security issue because the current

Re: ipfw userland breaks again.

2002-12-15 Thread M. Warner Losh
In message: [EMAIL PROTECTED] Matthew Dillon [EMAIL PROTECTED] writes: : : : :The real fix is to fix the abi problems. : : : :Warner : : Doh!! Thanks for volunteering to fix the ABI problems. No? You : don't want to do it? Gee, I saw that one coming a mile away! :

Re: ipfw userland breaks again.

2002-12-15 Thread Matthew Dillon
: :In message: [EMAIL PROTECTED] :Matthew Dillon [EMAIL PROTECTED] writes: :: : :: :The real fix is to fix the abi problems. :: : :: :Warner :: :: Doh!! Thanks for volunteering to fix the ABI problems. No? You :: don't want to do it? Gee, I saw that one coming a mile

Re: ipfw userland breaks again.

2002-12-15 Thread Matthew Dillon
: ::This is complete BULLSHIT, Warner. : :Your attitude is totally unacceptable. Learn to play well with :others, or get the fuck out of the project. : :I am *NOT* blocking you. I'm telling you you need to get the SO's :sign off to make sure that there isn't a security issue because the

Re: ipfw userland breaks again.

2002-12-15 Thread Matthew Dillon
: ::This is complete BULLSHIT, Warner. : :Your attitude is totally unacceptable. Learn to play well with :others, or get the fuck out of the project. Really? You think I should learn to play well with others? You think it's appropriate to request that I spend a man week

Re: ipfw userland breaks again.

2002-12-15 Thread M. Warner Losh
In message: [EMAIL PROTECTED] Matthew Dillon [EMAIL PROTECTED] writes: : : : : ::This is complete BULLSHIT, Warner. : : : :Your attitude is totally unacceptable. Learn to play well with : :others, or get the fuck out of the project. : : : :I am *NOT* blocking you. I'm telling

Re: ipfw userland breaks again.

2002-12-15 Thread M. Warner Losh
In message: [EMAIL PROTECTED] Matthew Dillon [EMAIL PROTECTED] writes: : When people say and do reasonable things I am a reasonable guy. When : people say and do unreasonable things then I fight tooth and nail. : It's that simple. If you don't like it, then tough.

Re: ipfw userland breaks again.

2002-12-15 Thread Scott Long
Matthew Dillon wrote: [ useless drivel removed ] There's still a TODO list for 5.0. It was even mailed out to developers@ this morning. If you have time to spare in your day, please focus your attention to that right now. Also, fixing the ipfw2 abi is probably a good item to put on the

Re: ipfw userland breaks again.

2002-12-15 Thread Matthew Dillon
:Also, fixing the ipfw2 abi is probably a good item to put on the list :for getting 5.x to 5-STABLE. Please don't waste time with band-aids :that will make people forget that ipfw2 needs attention. : :Scott This is a reasonable line of argument but my opinion is that it hasn't been

Re: ipfw userland breaks again.

2002-12-15 Thread Garrett Wollman
On Sun, 15 Dec 2002 10:26:22 -0800 (PST), Matthew Dillon [EMAIL PROTECTED] said: Now you are forcing me to go to core. It's absolutely ridiculous and you know it. Goddamn it, next time I won't even bother posting if all I get is this sort of crap. All the better, if you refuse

Re: ipfw userland breaks again.

2002-12-15 Thread Matthew Dillon
:I've answered this in other email, but you need to expand the check at :the top of ipfw_ctl to include this new message as one of the ones :that is disallowed at high security levels. : :Warner Here's a new patch. But there isn't much of a point if we do not also disallow ipfw DELETE

Re: ipfw userland breaks again.

2002-12-15 Thread Matthew Dillon
: :On Sun, 15 Dec 2002 10:26:22 -0800 (PST), Matthew Dillon :[EMAIL PROTECTED] said: : : Now you are forcing me to go to core. It's absolutely ridiculous and : you know it. Goddamn it, next time I won't even bother posting if all : I get is this sort of crap. : :All the better, if

Re: ipfw userland breaks again.

2002-12-15 Thread Garrett Wollman
On Sun, 15 Dec 2002 11:41:26 -0800 (PST), Matthew Dillon [EMAIL PROTECTED] said: If people are reasonable with me, I am reasonable right back. If people are unreasonable, they shouldn't expect me to be reasonable in response. It's really that simple. As a FreeBSD developer, you

Re: ipfw userland breaks again.

2002-12-15 Thread Nate Lawson
On Sun, 15 Dec 2002, Matthew Dillon wrote: Here's a new patch. But there isn't much of a point if we do not also disallow ipfw DELETE and FLUSH. And the pipe config commands as well as anything else that changes the firewall state. Firewalls are there to protect the systems

Re: ipfw userland breaks again.

2002-12-15 Thread Matthew Dillon
What it comes down to is what developers are willing to do. My contribution is 'ipfw unbreak'. If someone else has a solution that they are willing to work on and commit in the next four weeks, then fine. But if nobody is willing to work on and commit another solution in the

Re: ipfw userland breaks again.

2002-12-15 Thread Nik Clayton
On Sun, Dec 15, 2002 at 11:08:01AM -0800, Matthew Dillon wrote: : ::This is complete BULLSHIT, Warner. : :Your attitude is totally unacceptable. Learn to play well with :others, or get the fuck out of the project. Really? You think I should learn to play well with others?

ipfw userland breaks again.

2002-12-14 Thread Matthew Dillon
!@#$Q@#$@#$@#$ This is about the 90th time my -current box has become unusable. First it won't let me installworld because of some signal snafu with the kernel being too old, then, as usual, IPFW with the new kernel and old world fails utterly and now the fragging machine

Re: ipfw userland breaks again.

2002-12-14 Thread David O'Brien
On Sat, Dec 14, 2002 at 12:38:13PM -0800, Matthew Dillon wrote: then, as usual, IPFW with the new kernel and old world fails utterly and now the fragging machine can't access the Hear hear!! I am tempted to have /sbin/ipfw moved to src/sys.

Re: ipfw userland breaks again.

2002-12-14 Thread Matthew Dillon
: :On Sat, Dec 14, 2002 at 12:38:13PM -0800, Matthew Dillon wrote: : then, as usual, IPFW with the new kernel and : old world fails utterly and now the fragging machine can't access the : :Hear hear!! I am tempted to have /sbin/ipfw moved to src/sys. How about something like this

Re: ipfw userland breaks again.

2002-12-14 Thread Maxime Henrion
Matthew Dillon wrote: : :On Sat, Dec 14, 2002 at 12:38:13PM -0800, Matthew Dillon wrote: : then, as usual, IPFW with the new kernel and : old world fails utterly and now the fragging machine can't access the : :Hear hear!! I am tempted to have /sbin/ipfw moved to src/sys.

Re: ipfw userland breaks again.

2002-12-14 Thread Matthew Dillon
: :I have a patch here which makes the IPFIREWALL_DEFAULT_TO_ACCEPT tunable :at module load time using a kernel environment variable. Looks to me :that it would do what you want. : :Maxime No, this isn't what I want. I want something that can be articulated without having to reboot the

Re: ipfw userland breaks again.

2002-12-14 Thread Maxime Henrion
Matthew Dillon wrote: :I have a patch here which makes the IPFIREWALL_DEFAULT_TO_ACCEPT tunable :at module load time using a kernel environment variable. Looks to me :that it would do what you want. No, this isn't what I want. I want something that can be articulated without

Re: ipfw userland breaks again.

2002-12-14 Thread Matthew Dillon
:Now I would really dislike seeing your patch in the tree, since I :consider it's a rather crude hack to circumvent the ABI problems of :ipfw. As I've already said to luigi in private e-mail (I would be :surprised if this hasn't been already discussed in the lists as well), :the proper way to

Re: ipfw userland breaks again.

2002-12-14 Thread Sam Leffler
:Now I would really dislike seeing your patch in the tree, since I :consider it's a rather crude hack to circumvent the ABI problems of :ipfw. As I've already said to luigi in private e-mail (I would be :surprised if this hasn't been already discussed in the lists as well), :the proper way

Re: ipfw userland breaks again.

2002-12-14 Thread Matthew Dillon
:I disagree with committing this hack; keep it as a local mod if you must. : :As to the problem; don't wait for Luigi to fix the ABI problems, do it :yourself. Good things happen when folks are PO'd and won't settle for the :status quo. : :Sam I'm sorry you disagree, but it doesn't