again. While 'ipfw fwd' could be used for transparent
proxy, too, there are two completely different applications of this - one
for local socket and another for policy routing. The latter, more properly
called 'route-to', is used far more often than the former.
--
WBR, Vadim Goncharov. ICQ
The following reply was made to PR kern/147720; it has been noted by GNATS.
From: Vadim Goncharov vadim_nucli...@mail.ru
To: skele...@lissyara.su skele...@lissyara.su
Cc: bug-follo...@freebsd.org
Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd
Date: Tue, 12 Jul 2011 22:45:47 +0700
deny all from table(20) in recv em1
...
add 5000 deny log all from any to any not antispoof
add 5010 deny tcp from any to any 135,139,445
add 5020 deny udp from any to any 137,138
add 5030 allow tcp from any to any established
...
add 5999 return // end of common block
--
WBR, Vadim Goncharov. ICQ
time to grok rulesets).
Also, it is questionable whether this patch will stay correct in the future
when dynamic rules will be changed, and/or new opcodes (depending on packet
direction) are added. We should keep in mind this place for such future
changes now.
--
WBR, Vadim Goncharov. ICQ
for cache misses/flushes will be much
smaller too.
--
WBR, Vadim Goncharov. ICQ#166852181 mailto:[EMAIL PROTECTED]
[Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]
___
freebsd-ipfw@freebsd.org mailing list
http
them. For example, your O_IPTOSPRE is redundant because we already
have O_IPPRECEDENCE which the compiler could utilize while retaining more ABI
compatibility.
I can correct and extend your patch for DSCP/TTL/any bytes (not forgetting
credits, of course), if you're too busy...
--
WBR, Vadim Goncharov
degree, I'll make.
OK, I'll take it.
--
WBR, Vadim Goncharov.
option to print humanized
values not only in this option, but several others too. Just like hostnames,
IP addresses in tableargs, etc.
--
WBR, Vadim Goncharov.
recall what else you've discussed? :)
--
WBR, Vadim Goncharov.
with syntax. But what about TTL?..
--
WBR, Vadim Goncharov.
TOS flags and
hex DSCP values? Is 16-bit arg1 in ipfw_insn enough for these?..
--
WBR, Vadim Goncharov.
modip tos flashover ip from any to any
My problem, I believe, is in fill_cmd().
Can somebody help me with this problem?
I think the problem is in the ac--; av++ count, not in fill_cmd(), which is
only an instruction setter, not a parser.
--
WBR, Vadim Goncharov
available in all archs? and are memory
barriers enough?
Oh, just another pitfall of the non-clean ipfw/ipfw nat modules separation and
layer3_chain. I knew that there must be other ones :-)
--
WBR, Vadim Goncharov.
to you..
do
man 9 style
Of course I did before. It doesn't permit ``//''-style comments; all examples
are given in C (not C++) style, /* ... */.
--
WBR, Vadim Goncharov.
configured
via ipfw(8). As it is HEAD, ABI can be broken and this will not be done via
ipfw_ctl().
Anyway, I'll fix a couple of nits and commit as it is.
Why not fix more?..
--
WBR, Vadim Goncharov.
The following reply was made to PR bin/120720; it has been noted by GNATS.
From: Vadim Goncharov [EMAIL PROTECTED]
To: Eugene Grosbein [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], freebsd-ipfw@freebsd.org
Subject: Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list
Date: Mon, 18 Feb 2008
, Vadim Goncharov
ipfwpcap.patch
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to [EMAIL PROTECTED]
be another commit, as not a user-visible
change.
--
WBR, Vadim Goncharov
ipfwpcap.patch
listening on the divert socket and
echoing packets back. It can be ng_ksocket + ng_echo, try to experiment
with them. Or use pf scrub instead of ipfw.
--
WBR, Vadim Goncharov
that interrupt thread's stack in the kernel is too small for this
case. Quick-n-dirty hackish solution could be increasing stack size, but
that could be overridden by another bunch of rules. Alas, I am not a
VM/netisr guru to find the right way...
--
WBR, Vadim Goncharov
will be 1 Mbit IN TOTAL. And if you send A to B traffic into a 512
Kbit pipe and B to A traffic into a 128 Kbit pipe, then you'll get exactly
this speed in the specified directions, respectively.
--
WBR, Vadim Goncharov
into a pipe without in or out options, the speed
will be half of that specified in the pipe.
--
WBR, Vadim Goncharov
to go through
your machine, not reaching rule 02420, which is next in the list.
--
WBR, Vadim Goncharov
There's nothing
interesting in a ruleset without real addresses, IMHO. Without a ruleset it's
possible to give only the most general advice, like remembering packet
flow (always in and out, two passes), check-state, rule ordering, and so
on.
--
WBR, Vadim Goncharov
need a specialized protocol
analyzer. For example, in your case with only IPs - can you say when the
dynamic rule will expire?
--
WBR, Vadim Goncharov
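The points made in the messages above (a forwarded packet passes the ruleset twice, in and then out; a matching fwd ends the search, so a rule that is "next in the list" is never reached; where check-state sits relative to a fwd matters; and whether a dynamic rule has already expired depends on the protocol, which an address-only trace cannot tell you) run on a toy model of ipfw. This is an added example, not code from the page or from FreeBSD. It also shows the two fwd forms discussed at the top of the page, a redirect to a local socket and a route-to. The rule numbers, interfaces, addresses, the lifetimes in LIFETIME, the default-deny rule 65535 and treating a loopback fwd target as local delivery are this example's own assumptions, and the model matches only on protocol, source/destination network, destination port, direction and interface.

```python
# Toy model of ipfw packet flow; an added example, not ipfw or FreeBSD code.
# Models only what the messages above rely on: first-match search, the in and
# out passes a forwarded packet makes, a matching fwd ending the search,
# keep-state/check-state, and protocol-dependent expiry of dynamic rules.
import ipaddress
from collections import namedtuple

# Assumed lifetimes in seconds. Real ipfw keys the TCP lifetime on connection
# state (net.inet.ip.fw.dyn_*_lifetime sysctls); these are this example's own.
LIFETIME = {"tcp": 300, "udp": 10, "icmp": 5}

Packet = namedtuple("Packet", "proto src sport dst dport")
# action: allow | deny | fwd | check-state; proto "ip" matches any protocol;
# src/dst: CIDR or "any"; direction/iface: None matches both/any; fwd_to: "addr" or "addr,port".
Rule = namedtuple("Rule", "number action proto src dst dport direction iface fwd_to keep_state",
                  defaults=("ip", "any", "any", None, None, None, None, False))

def _in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dyn = {}  # 5-tuple -> (expires_at, rule that created the state)

    def _matches(self, r, p, direction, iface):
        return (r.proto in ("ip", p.proto)
                and _in_net(p.src, r.src) and _in_net(p.dst, r.dst)
                and r.dport in (None, p.dport)
                and r.direction in (None, direction)
                and r.iface in (None, iface))

    def _dyn_lookup(self, p, now):
        for key in ((p.proto, p.src, p.sport, p.dst, p.dport),    # forward direction
                    (p.proto, p.dst, p.dport, p.src, p.sport)):   # reply direction
            hit = self.dyn.get(key)
            if hit and hit[0] > now:
                return hit[1]
        return None

    def evaluate(self, p, direction, iface, now):
        """One pass through the ruleset: (rule number, action, fwd target)."""
        for r in self.rules:
            if r.action == "check-state":
                parent = self._dyn_lookup(p, now)
                if parent:  # run the action of the rule that created the state
                    return (r.number, parent.action, parent.fwd_to)
                continue
            if not self._matches(r, p, direction, iface):
                continue
            if r.keep_state:
                key = (p.proto, p.src, p.sport, p.dst, p.dport)
                self.dyn[key] = (now + LIFETIME[p.proto], r)
            return (r.number, r.action, r.fwd_to)  # allow/deny/fwd end the search
        return (65535, "deny", None)  # assumed default rule

def forward(fw, p, now, in_iface, out_iface):
    """Walk one packet through both passes; return which rule decided each."""
    n, act, nexthop = fw.evaluate(p, "in", in_iface, now)
    res = {"in": (n, act)}
    if act == "deny":
        return dict(res, verdict="dropped")
    if act == "fwd" and ipaddress.ip_address(nexthop.split(",")[0]).is_loopback:
        return dict(res, verdict="local socket " + nexthop)  # proxy: no out pass
    n, act, to = fw.evaluate(p, "out", out_iface, now)
    res["out"] = (n, act)
    if act == "deny":
        return dict(res, verdict="dropped")
    nexthop = to if act == "fwd" else nexthop  # route-to
    return dict(res, verdict="next-hop " + nexthop if nexthop else "forwarded")

LAN = "192.168.1.0/24"
RULES = [
    # route-to, deliberately before check-state: a dynamic match returns the
    # parent rule's "allow" and would otherwise shadow this fwd on the out pass
    Rule(100, "fwd", src=LAN, direction="out", iface="em1", fwd_to="10.0.0.254"),
    Rule(200, "check-state"),
    # transparent proxy: LAN web traffic is handed to a local socket on 3128
    Rule(300, "fwd", proto="tcp", src=LAN, dport=80, direction="in", iface="em0",
         fwd_to="127.0.0.1,3128"),
    Rule(400, "allow", proto="tcp", src=LAN, direction="in", iface="em0", keep_state=True),
    Rule(410, "allow", proto="udp", src=LAN, direction="in", iface="em0", keep_state=True),
    Rule(2420, "deny"),  # "next in the list": never reached once a fwd matched
]

def demo():
    """Constructed traffic through RULES; returns the per-flow results."""
    fw = Firewall(RULES)
    web = Packet("tcp", "192.168.1.10", 40000, "93.184.216.34", 80)
    tls = Packet("tcp", "192.168.1.10", 40001, "93.184.216.34", 443)
    dns = Packet("udp", "192.168.1.10", 53000, "9.9.9.9", 53)
    tls_reply = Packet("tcp", "93.184.216.34", 443, "192.168.1.10", 40001)
    dns_reply = Packet("udp", "9.9.9.9", 53, "192.168.1.10", 53000)
    return {"web": forward(fw, web, 0, "em0", "em1"),
            "tls": forward(fw, tls, 0, "em0", "em1"),
            "dns": forward(fw, dns, 0, "em0", "em1"),
            "tls_reply": forward(fw, tls_reply, 5, "em1", "em0"),
            "dns_reply_late": forward(fw, dns_reply, 15, "em1", "em0"),  # UDP state gone
            "tls_reply_late": forward(fw, tls_reply, 301, "em1", "em0")}  # TCP state gone
```

Call demo() to run the constructed flows; each result records the rule that decided the in pass and, when one happened, the out pass. The web flow stops at the local-socket fwd in rule 300 and rule 2420 is never consulted; the other LAN flows get their state from rule 400/410 on the way in and are route-to'd by rule 100 on the way out. The two late replies are why the message above asks when a dynamic rule expires: the same five-tuple is accepted by check-state at one moment and dropped by rule 2420 later, and nothing in an address-only trace shows the lifetime.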
to only one pipe, but for
# my example it's enough
ipfw add 600 pipe 40 ip from any to any tagged 412
--
WBR, Vadim Goncharov
that it
works.
--
WBR, Vadim Goncharov
+network subsytem using
+.Xr mbuf_tags 9
+facility.
.It Cm tcpack Ar ack
TCP packets only.
Match if the TCP header acknowledgment number field is set to
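Review bot: the added line `+network subsytem using` misspells "subsystem"; since this text lands in the man page, fix it in the hunk before commit (`+network subsystem using`). The `.Xr mbuf_tags 9` cross-reference on its own line is the right mdoc form.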
--
WBR, Vadim Goncharov