Re: 2 ports broken after gcc import
> Alright, it had nothing to do with ACL's. Unknown to me, someone got on
> that machine and enabled the firewall, and added rules. Those rules were
> causing the problem (I'm not sure why he added a firewall on a machine
> already behind one on a 192.168.0.0/24 network). Anyway, sorry for
> wasting people's time, I should've checked that first.

I figured out exactly which line caused this problem too, he added "flags S" to the rule that allowed outgoing traffic, causing only the syn to be allowed through the firewall, but breaking several other things, and he did it at around the same time as the gcc import. Anyway, lesson learned. Thanks for help whoever gave it.

Ken
___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
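Why a "flags S" rule without state lets only the SYN out, as an added example that is not part of the original thread: a simplified Python model of last-match-wins rule evaluation with ipf-style flag matching (not ipfilter code). The rule strings, the default "block out" rule, and the sample addresses and ports are assumptions; the thread does not show the actual ruleset.

```python
# Simplified model of stateless vs. stateful TCP flag matching (not ipfilter itself).
from dataclasses import dataclass
from typing import Optional

ALL_FLAGS = frozenset("FSRPAU")  # mask applied when a rule gives no "/mask" part


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    flags: Optional[str] = None   # e.g. "S" or "S/SA"; None matches any flags
    keep_state: bool = False


def flags_match(spec, pkt_flags):
    """True if the packet's TCP flags, restricted to the mask, equal the wanted set."""
    if spec is None:
        return True
    want, _, mask = spec.partition("/")
    mask_set = frozenset(mask) if mask else ALL_FLAGS
    return (pkt_flags & mask_set) == frozenset(want)


class OutboundFilter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:            # an existing state entry short-circuits the rules
            return "pass"
        verdict, matched = "block", None  # model assumption: nothing matched means block
        for rule in self.rules:           # last matching rule wins (no "quick" keyword)
            if flags_match(rule.flags, pkt.flags):
                verdict, matched = rule.action, rule
        if verdict == "pass" and matched.keep_state:
            self.states.add(key)          # later packets of this connection skip the rules
        return verdict


def outbound_session():
    """Constructed sample: the client-side packets of one TCP connection."""
    def mk(flags):
        return Packet("192.168.0.27", 40000, "192.0.2.10", 80, frozenset(flags))
    return [("SYN", mk("S")), ("ACK", mk("A")), ("data", mk("PA")), ("FIN", mk("FA"))]


# Hypothetical rulesets, each preceded by an assumed "block out all".
RULESETS = {
    "pass out proto tcp": [Rule("block"), Rule("pass")],
    "pass out proto tcp flags S": [Rule("block"), Rule("pass", flags="S")],
    "pass out proto tcp flags S keep state":
        [Rule("block"), Rule("pass", flags="S", keep_state=True)],
}


def run(rules):
    fw = OutboundFilter(rules)
    return [(name, fw.check(pkt)) for name, pkt in outbound_session()]


if __name__ == "__main__":
    for label, rules in RULESETS.items():
        print(f"{label:40s} {run(rules)}")
```

In the model, the stateless "flags S" ruleset passes the SYN and blocks the ACK, data and FIN segments of the same connection, while the "keep state" variant passes all four.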
Re: 2 ports broken after gcc import
> Bizarre. I use ACLs in my kernel daily, and I use nmap almost daily,
> and haven't seen this. If you re-add ACLs with a fresh kernel build,
> does the problem come back? Could you look at ktraces of nmap with and
> without ACLs and see what causes it? Do you have ACLs enabled on any
> file systems, or are you just running with the kernel option?

Alright, it had nothing to do with ACL's. Unknown to me, someone got on that machine and enabled the firewall, and added rules. Those rules were causing the problem (I'm not sure why he added a firewall on a machine already behind one on a 192.168.0.0/24 network). Anyway, sorry for wasting people's time, I should've checked that first.

Ken
Re: 2 ports broken after gcc import
> I think I missed the message that this is a response to, but here's an
> answer to the question: UFS_ACL controls only the introduction of ACL
> code into UFS1 and UFS2 file systems, and enables conditional use of
> ACLs code if the ACLs flag is set on a file system. If the ACLs flag is
> not set on a file system, the UFS1/UFS2 code is intended to run along
> its original permissions-based code path. Devfs isn't based on UFS, and
> so it should be unaffected by the UFS_ACL flag. If there's a definite
> causal relationship between UFS_ACL and the nmap failure, I can't help
> but wonder if it's a result of a timing, code layout, or memory
> allocation change of some sort. I wouldn't rule out a bug in the ACL
> code, but it seems somewhat unlikely as, without the ACLs flag set, the
> code path in the UFS code should be minimally changed...
>
> The best path to track this down is to try to figure out for sure which
> system call is failing, compare expected vs. wire network transmissions,
> and see if we can reproduce this in a simpler test program.
>
> We've recently made some changes in how the permissions of new objects
> are calculated using ACLs; they were made somewhat before the gcc
> changes, I believe, but it might also be interesting to see test cases
> from before both changes, in between the changes, and after both, to
> confirm that it was definitely the gcc change that kicked off the
> problem, rather than the UFS change. Finally, I'd like to know what, if
> any, optimization flags you're using for the kernel compile...
>

Well, don't worry too much, I went back and checked the kernel config I used for the kernel that was having problems, and it did indeed have IPFILTER compiled in, BUT I had no rules loading. Both of the rules files were empty. (That's basically what I said in my previous message). It just took me the better part of a night to sort out what I had on that box and remember what I did.

Anyway, like I said, I won't be back on that box until Tuesday so I'll have to let you know which knob I turned then... although if it WAS the firewall that's really weird since I had no rules loaded, and my other box that never had the problem DID have rules loaded.

Ken
Re: 2 ports broken after gcc import
> I just built a fresh nmap on my -current box and it appears to work fine
> for me, as did the older nmap. So I guess that leaves me firmly in the
> "unable to reproduce" camp. I have noticed that, on my wi0 boxes, I
> tend to get a fair number of ENOBUFS errors when nmaping, but that
> appears to be unrelated to the presence of UFS_ACL in the kernel.
>
> Are your different boxes using the same type of network interface? Do
> you rely on routed or use static routes? If you tcpdump the interface,
> do any nmap packets get out -- for example, the initial ping it performs
> before scanning a host, or none?

Well, on one of my boxes, I have IPFILTER, but no ACL's and it works fine, on the one that was previously not working, I had IPFILTER (but with no rules set) and ACL's. I removed all references to ipfilter from rc.conf (my ipf.rules and ipnat.rules were blank), removed IPFILTER and ACL from the kernel, recompiled, and rebooted, and it started working. So now I just have to go back and figure out which knob I turned to fix things. I'm running late now though so I'll let you know as soon as I can get back to it (the computer that was really having the problems was at work, so I can't get to it until Tuesday).

Ken
Re: 2 ports broken after gcc import
On Fri, 29 Aug 2003, Kenneth Culver wrote:

> > Might devfs propagate ACL characteristics via /dev nodes into
> > applications? Otherwise, the symptom you described would have made me
> > point to the IP firewall first.
>
> My machine that was showing the problem didn't have a firewall enabled.
> I'll still mess with it some more to see what I can come up with, maybe
> it was the firewall, but I don't remember having ipfilter or ipfirewall
> in the kernel but it'd been a while since I edited that config file or
> compiled that kernel so maybe I took out the firewall options and never
> compiled, and then compiled today. (It's been about a month since I did
> anything kernel related on that machine). Anyway, when I pinpoint the
> problem I'll mail the list.

I think I missed the message that this is a response to, but here's an answer to the question: UFS_ACL controls only the introduction of ACL code into UFS1 and UFS2 file systems, and enables conditional use of ACLs code if the ACLs flag is set on a file system. If the ACLs flag is not set on a file system, the UFS1/UFS2 code is intended to run along its original permissions-based code path. Devfs isn't based on UFS, and so it should be unaffected by the UFS_ACL flag. If there's a definite causal relationship between UFS_ACL and the nmap failure, I can't help but wonder if it's a result of a timing, code layout, or memory allocation change of some sort. I wouldn't rule out a bug in the ACL code, but it seems somewhat unlikely as, without the ACLs flag set, the code path in the UFS code should be minimally changed...

The best path to track this down is to try to figure out for sure which system call is failing, compare expected vs. wire network transmissions, and see if we can reproduce this in a simpler test program.

We've recently made some changes in how the permissions of new objects are calculated using ACLs; they were made somewhat before the gcc changes, I believe, but it might also be interesting to see test cases from before both changes, in between the changes, and after both, to confirm that it was definitely the gcc change that kicked off the problem, rather than the UFS change. Finally, I'd like to know what, if any, optimization flags you're using for the kernel compile...

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
[EMAIL PROTECTED]             Network Associates Laboratories
Re: 2 ports broken after gcc import
On Fri, 29 Aug 2003, Kenneth Culver wrote:

> > Bizarre. I use ACLs in my kernel daily, and I use nmap almost daily,
> > and haven't seen this. If you re-add ACLs with a fresh kernel build,
> > does the problem come back? Could you look at ktraces of nmap with and
> > without ACLs and see what causes it? Do you have ACLs enabled on any
> > file systems, or are you just running with the kernel option?
>
> I was running with just the kernel option, and nothing configured for
> it. I can't think of what else the problem could be, when I recompiled
> the kernel it just started working again, it might not have anything at
> all to do with ACL's and more to do with the fact that I just recompiled
> it. One of my other -CURRENT machines is working now as well after a
> recompile. I'll do more testing to see if I can pinpoint the problem
> and I'll probably have results by Tuesday (holiday weekend :-P )

I just built a fresh nmap on my -current box and it appears to work fine for me, as did the older nmap. So I guess that leaves me firmly in the "unable to reproduce" camp. I have noticed that, on my wi0 boxes, I tend to get a fair number of ENOBUFS errors when nmaping, but that appears to be unrelated to the presence of UFS_ACL in the kernel.

Are your different boxes using the same type of network interface? Do you rely on routed or use static routes? If you tcpdump the interface, do any nmap packets get out -- for example, the initial ping it performs before scanning a host, or none?

Have a good holiday weekend :-).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
[EMAIL PROTECTED]             Network Associates Laboratories
Re: 2 ports broken after gcc import
On Fri, Aug 29, 2003 at 02:31:56PM -0400, Kenneth Culver wrote:

> Did the same thing, portupgrade -f nmap, and then ran it with the same
> flags, and I'm still getting the same problem. It's doing this on all 3 of
> my FreeBSD-CURRENT machines as well.
>
> Ken

Are you running a packet filter of some sort?

Jiawei

--
"Without the userland, the kernel is useless."
             --inspired by The Tao of Programming
Re: 2 ports broken after gcc import
> Might devfs propagate ACL characteristics via /dev nodes into
> applications? Otherwise, the symptom you described would have made me
> point to the IP firewall first.
>

My machine that was showing the problem didn't have a firewall enabled. I'll still mess with it some more to see what I can come up with, maybe it was the firewall, but I don't remember having ipfilter or ipfirewall in the kernel but it'd been a while since I edited that config file or compiled that kernel so maybe I took out the firewall options and never compiled, and then compiled today. (It's been about a month since I did anything kernel related on that machine). Anyway, when I pinpoint the problem I'll mail the list.

Ken
Re: 2 ports broken after gcc import
> Bizarre. I use ACLs in my kernel daily, and I use nmap almost daily,
> and haven't seen this. If you re-add ACLs with a fresh kernel build,
> does the problem come back? Could you look at ktraces of nmap with and
> without ACLs and see what causes it? Do you have ACLs enabled on any
> file systems, or are you just running with the kernel option?

I was running with just the kernel option, and nothing configured for it. I can't think of what else the problem could be, when I recompiled the kernel it just started working again, it might not have anything at all to do with ACL's and more to do with the fact that I just recompiled it. One of my other -CURRENT machines is working now as well after a recompile. I'll do more testing to see if I can pinpoint the problem and I'll probably have results by Tuesday (holiday weekend :-P )

Ken
Re: 2 ports broken after gcc import
Kenneth Culver <[EMAIL PROTECTED]> writes:

>> Just for more info, when was the last time you updated your /etc? On my
>> 4th -CURRENT machine, with the same compiler etc... I haven't updated my
>> /etc/ since June 1, and that machine works, the other 3 have been updated
>> very recently, like within the last few weeks, and they're all broken. So
>> I guess it's not a compiler issue, but some kind of configuration issue. I
>> can't think of what the problem could be though.
>>
> OK, checked over my kernel configurations and found that ACL's were in my
> kernel configuration. I took that option out and things are working again.
> I have no idea how ACL's could've caused what I was seeing, but everything
> is working now. Thanks for your help.

Might devfs propagate ACL characteristics via /dev nodes into applications? Otherwise, the symptom you described would have made me point to the IP firewall first.

--
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95
Re: 2 ports broken after gcc import
On Fri, 29 Aug 2003, Kenneth Culver wrote:

> > Just for more info, when was the last time you updated your /etc? On my
> > 4th -CURRENT machine, with the same compiler etc... I haven't updated my
> > /etc/ since June 1, and that machine works, the other 3 have been updated
> > very recently, like within the last few weeks, and they're all broken. So
> > I guess it's not a compiler issue, but some kind of configuration issue. I
> > can't think of what the problem could be though.
> >
> OK, checked over my kernel configurations and found that ACL's were in my
> kernel configuration. I took that option out and things are working again.
> I have no idea how ACL's could've caused what I was seeing, but everything
> is working now. Thanks for your help.

Bizarre. I use ACLs in my kernel daily, and I use nmap almost daily, and haven't seen this. If you re-add ACLs with a fresh kernel build, does the problem come back? Could you look at ktraces of nmap with and without ACLs and see what causes it? Do you have ACLs enabled on any file systems, or are you just running with the kernel option?

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
[EMAIL PROTECTED]             Network Associates Laboratories
Re: 2 ports broken after gcc import
> Just for more info, when was the last time you updated your /etc? On my
> 4th -CURRENT machine, with the same compiler etc... I haven't updated my
> /etc/ since June 1, and that machine works, the other 3 have been updated
> very recently, like within the last few weeks, and they're all broken. So
> I guess it's not a compiler issue, but some kind of configuration issue. I
> can't think of what the problem could be though.
>

OK, checked over my kernel configurations and found that ACL's were in my kernel configuration. I took that option out and things are working again. I have no idea how ACL's could've caused what I was seeing, but everything is working now. Thanks for your help.

Ken
Re: 2 ports broken after gcc import
Kenneth Culver <[EMAIL PROTECTED]> wrote:

> Just for more info, when was the last time you updated your /etc?

Every time I do a buildworld I run mergemaster and go through every diff. So the last time would be August the 24th. From what I remember there have been a few changes to network related rc scripts etc so maybe you should give updating /etc a go?

Matt.

--
email: [EMAIL PROTECTED] - web: http://xtaz.co.uk/
Hardware, n.: The parts of a computer system that can be kicked.
Re: 2 ports broken after gcc import
Just for more info, when was the last time you updated your /etc? On my 4th -CURRENT machine, with the same compiler etc... I haven't updated my /etc/ since June 1, and that machine works, the other 3 have been updated very recently, like within the last few weeks, and they're all broken. So I guess it's not a compiler issue, but some kind of configuration issue. I can't think of what the problem could be though.

Ken

On Fri, 29 Aug 2003, Kenneth Culver wrote:

> > [EMAIL PROTECTED] root]# uname -a
> > FreeBSD tao.xtaz.co.uk 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Sun Aug 24 13:35:21
> > BST 2003 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/TAO i386
> >
> > [EMAIL PROTECTED] root]# gcc -v
> > Using built-in specs.
> > Configured with: FreeBSD/i386 system compiler
> > Thread model: posix
> > gcc version 3.3.1 [FreeBSD]
> >
> > [EMAIL PROTECTED] root]# nmap -sS -O 192.168.1.10
> >
> > Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-29 19:21 BST
> > Interesting ports on neo.xtaz.co.uk (192.168.1.10):
> > (The 1636 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 21/tcp     open        ftp
> > 22/tcp     open        ssh
> > 23/tcp     open        telnet
> > 111/tcp    open        sunrpc
> > 113/tcp    open        auth
> > 1023/tcp   open        netvenuechat
> > 2049/tcp   open        nfs
> > 6000/tcp   open        X11
> > Device type: general purpose
> > Running (JUST GUESSING) : FreeBSD 5.X|4.X|2.X|3.X (97%), Amiga AmigaOS (92%),
> > IBM AIX 5.X (90%), Apple Mac OS X 10.1.X (90%), Novell Netware 3.X|4.X|5.X
> > (89%)
> > Aggressive OS guesses: FreeBSD 5.0-RELEASE (97%), FreeBSD 4.3 - 4.4-RELEASE
> > (93%), FreeBSD 4.7-RELEASE (X86) (93%), FreeBSD 5.1-CURRENT (June 2003) on
> > Sparc64 (93%), AmigaOS Miami Deluxe 0.9 - Miami 3.2B (92%), AmigaOS 3.5/3.9
> > running Miami Deluxe 1.0c (92%), FreeBSD 2.2.1 - 4.1 (92%), FreeBSD 4.4-STABLE
> > (92%), FreeBSD 4.7-STABLE (92%), IBM AIX 5.1 (90%)
> > No exact OS matches for host (test conditions non-ideal).
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 31.448 seconds
> >
> > Seems ok to me?
> >
> > Incidentally it probably can't guess the box is fbsd because I have tcp
> > extensions turned off on it.
> >
> Did the same thing, portupgrade -f nmap, and then ran it with the same
> flags, and I'm still getting the same problem. It's doing this on all 3 of
> my FreeBSD-CURRENT machines as well.
>
> Ken
>
Re: 2 ports broken after gcc import
> [EMAIL PROTECTED] root]# uname -a
> FreeBSD tao.xtaz.co.uk 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Sun Aug 24 13:35:21
> BST 2003 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/TAO i386
>
> [EMAIL PROTECTED] root]# gcc -v
> Using built-in specs.
> Configured with: FreeBSD/i386 system compiler
> Thread model: posix
> gcc version 3.3.1 [FreeBSD]
>
> [EMAIL PROTECTED] root]# nmap -sS -O 192.168.1.10
>
> Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-29 19:21 BST
> Interesting ports on neo.xtaz.co.uk (192.168.1.10):
> (The 1636 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 23/tcp     open        telnet
> 111/tcp    open        sunrpc
> 113/tcp    open        auth
> 1023/tcp   open        netvenuechat
> 2049/tcp   open        nfs
> 6000/tcp   open        X11
> Device type: general purpose
> Running (JUST GUESSING) : FreeBSD 5.X|4.X|2.X|3.X (97%), Amiga AmigaOS (92%),
> IBM AIX 5.X (90%), Apple Mac OS X 10.1.X (90%), Novell Netware 3.X|4.X|5.X
> (89%)
> Aggressive OS guesses: FreeBSD 5.0-RELEASE (97%), FreeBSD 4.3 - 4.4-RELEASE
> (93%), FreeBSD 4.7-RELEASE (X86) (93%), FreeBSD 5.1-CURRENT (June 2003) on
> Sparc64 (93%), AmigaOS Miami Deluxe 0.9 - Miami 3.2B (92%), AmigaOS 3.5/3.9
> running Miami Deluxe 1.0c (92%), FreeBSD 2.2.1 - 4.1 (92%), FreeBSD 4.4-STABLE
> (92%), FreeBSD 4.7-STABLE (92%), IBM AIX 5.1 (90%)
> No exact OS matches for host (test conditions non-ideal).
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 31.448 seconds
>
> Seems ok to me?
>
> Incidentally it probably can't guess the box is fbsd because I have tcp
> extensions turned off on it.
>

Did the same thing, portupgrade -f nmap, and then ran it with the same flags, and I'm still getting the same problem. It's doing this on all 3 of my FreeBSD-CURRENT machines as well.

Ken
Re: 2 ports broken after gcc import
Kenneth Culver <[EMAIL PROTECTED]> wrote:

> Is anyone else seeing these problems? Is anyone working
> on fixes?
>
> Ken

I just ran portupgrade -f nmap on this box:

[EMAIL PROTECTED] root]# uname -a
FreeBSD tao.xtaz.co.uk 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Sun Aug 24 13:35:21
BST 2003 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/TAO i386

[EMAIL PROTECTED] root]# gcc -v
Using built-in specs.
Configured with: FreeBSD/i386 system compiler
Thread model: posix
gcc version 3.3.1 [FreeBSD]

[EMAIL PROTECTED] root]# nmap -sS -O 192.168.1.10

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-29 19:21 BST
Interesting ports on neo.xtaz.co.uk (192.168.1.10):
(The 1636 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
111/tcp    open        sunrpc
113/tcp    open        auth
1023/tcp   open        netvenuechat
2049/tcp   open        nfs
6000/tcp   open        X11
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 5.X|4.X|2.X|3.X (97%), Amiga AmigaOS (92%),
IBM AIX 5.X (90%), Apple Mac OS X 10.1.X (90%), Novell Netware 3.X|4.X|5.X
(89%)
Aggressive OS guesses: FreeBSD 5.0-RELEASE (97%), FreeBSD 4.3 - 4.4-RELEASE
(93%), FreeBSD 4.7-RELEASE (X86) (93%), FreeBSD 5.1-CURRENT (June 2003) on
Sparc64 (93%), AmigaOS Miami Deluxe 0.9 - Miami 3.2B (92%), AmigaOS 3.5/3.9
running Miami Deluxe 1.0c (92%), FreeBSD 2.2.1 - 4.1 (92%), FreeBSD 4.4-STABLE
(92%), FreeBSD 4.7-STABLE (92%), IBM AIX 5.1 (90%)
No exact OS matches for host (test conditions non-ideal).

Nmap run completed -- 1 IP address (1 host up) scanned in 31.448 seconds

Seems ok to me?

Incidentally it probably can't guess the box is fbsd because I have tcp extensions turned off on it.

--
email: [EMAIL PROTECTED] - web: http://xtaz.co.uk/
Hardware, n.: The parts of a computer system that can be kicked.
2 ports broken after gcc import
Hi,

Since this is related to both -current and to ports I crossposted to both. Basically (I've asked this question before, with no answer), several network-related apps broke after the last gcc import. nmap no longer works:

kaoru:~:# nmap -sS -O 66.92.171.91

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-29 14:13 EDT
sendto in send_tcp_raw: sendto(3, packet, 40, 0, 66.92.171.91, 16) => No route to host

I know there is a route to that ip because I'm connected to it from my current machine right now. This behavior started after the import. Also, with smbclient:

kaoru:~:# smbclient -L iscprt
added interface ip=192.168.0.27 bcast=192.168.0.255 nmask=255.255.255.0
added interface ip=127.0.0.2 bcast=127.255.255.255 nmask=255.0.0.0
Packet send failed to 127.255.255.255(137) ERRNO=Can't assign requested address
Connection to iscprt failed

This also only started after the import. (or maybe there was another commit that day that caused this problem, I don't know). Anyway, the nmap problem is a big one since I have to scan several machines in my network with nessus, which relies on nmap to work, and I need smbclient/smbspool to print through cups to printers on the local Windows network. Is anyone else seeing these problems? Is anyone working on fixes?

Ken