Re: kern/144269: [ipfw] problem with ipfw tables

2011-07-07 Thread ae
Synopsis: [ipfw] problem with ipfw tables

State-Changed-From-To: open->feedback
State-Changed-By: ae
State-Changed-When: Thu Jul 7 08:53:52 UTC 2011
State-Changed-Why: 
Can you reproduce this on 8.x+ releases?

http://www.freebsd.org/cgi/query-pr.cgi?pr=144269
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org


Re: kern/143474: [ipfw] ipfw table contains the same address

2011-07-07 Thread ae
Synopsis: [ipfw] ipfw table contains the same address

State-Changed-From-To: open->feedback
State-Changed-By: ae
State-Changed-When: Thu Jul 7 08:54:21 UTC 2011
State-Changed-Why: 
Can you reproduce this on 8.x+ releases?

http://www.freebsd.org/cgi/query-pr.cgi?pr=143474


Re: kern/122109: commit references a PR

2011-07-07 Thread dfilter service
The following reply was made to PR kern/122109; it has been noted by GNATS.

From: dfil...@freebsd.org (dfilter service)
To: bug-follo...@freebsd.org
Cc:  
Subject: Re: kern/122109: commit references a PR
Date: Thu,  7 Jul 2011 09:29:25 + (UTC)

 Author: ae
 Date: Thu Jul  7 09:29:11 2011
 New Revision: 223835
 URL: http://svn.freebsd.org/changeset/base/223835
 
 Log:
   MFC r222806:
 Make a behaviour of the libalias based in-kernel NAT a bit closer to
 how natd(8) does work. natd(8) drops packets only when libalias returns
 PKT_ALIAS_IGNORED and deny_incoming option is set, but ipfw_nat
 always did drop packets that were not aliased, even if they should
 not be aliased and just are going through.
   
 PR:kern/122109, kern/129093, kern/157379
 Submitted by:  Alexander V. Chernikov (previous version)
 
 Modified:
   stable/8/sys/netinet/ipfw/ip_fw_nat.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet/ipfw/ip_fw_nat.c
 ==
 --- stable/8/sys/netinet/ipfw/ip_fw_nat.c  Thu Jul  7 08:33:58 2011
(r223834)
 +++ stable/8/sys/netinet/ipfw/ip_fw_nat.c  Thu Jul  7 09:29:11 2011
(r223835)
 @@ -263,17 +263,27 @@ ipfw_nat(struct ip_fw_args *args, struct
else
retval = LibAliasOut(t-lib, c,
mcl-m_len + M_TRAILINGSPACE(mcl));
 -  if (retval == PKT_ALIAS_RESPOND) {
 -  m-m_flags |= M_SKIP_FIREWALL;
 -  retval = PKT_ALIAS_OK;
 -  }
 -  if (retval != PKT_ALIAS_OK 
 -  retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +
 +  /*
 +   * We drop packet when:
 +   * 1. libalias returns PKT_ALIAS_ERROR;
 +   * 2. For incoming packets:
 +   *  a) for unresolved fragments;
 +   *  b) libalias returns PKT_ALIAS_IGNORED and
 +   *  PKT_ALIAS_DENY_INCOMING flag is set.
 +   */
 +  if (retval == PKT_ALIAS_ERROR ||
 +  (args-oif == NULL  (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +  (retval == PKT_ALIAS_IGNORED 
 +  (t-lib-packetAliasMode  PKT_ALIAS_DENY_INCOMING) != 0 {
/* XXX - should i add some logging? */
m_free(mcl);
args-m = NULL;
return (IP_FW_DENY);
}
 +
 +  if (retval == PKT_ALIAS_RESPOND)
 +  m-m_flags |= M_SKIP_FIREWALL;
mcl-m_pkthdr.len = mcl-m_len = ntohs(ip-ip_len);
  
/*
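
Review bot: in the new drop condition every case except PKT_ALIAS_ERROR is gated on `args->oif == NULL`, so on the outbound path a packet for which libalias returned PKT_ALIAS_IGNORED or PKT_ALIAS_UNRESOLVED_FRAGMENT is now passed on untranslated, where the removed test dropped anything that was not PKT_ALIAS_OK or PKT_ALIAS_FOUND_HEADER_FRAGMENT. That matches the log's intent of letting pass-through traffic go, but it also means such packets can leave the NAT rule with their original source address unless a later rule stops them. Suggest saying in the new comment block that outbound non-aliased packets are passed on purpose, so that the fail-open case is documented next to the condition that creates it.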
 ___
 svn-src-...@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
 


Re: kern/129093: commit references a PR

2011-07-07 Thread dfilter service
The following reply was made to PR kern/129093; it has been noted by GNATS.

From: dfil...@freebsd.org (dfilter service)
To: bug-follo...@freebsd.org
Cc:  
Subject: Re: kern/129093: commit references a PR
Date: Thu,  7 Jul 2011 09:29:25 + (UTC)

 Author: ae
 Date: Thu Jul  7 09:29:11 2011
 New Revision: 223835
 URL: http://svn.freebsd.org/changeset/base/223835
 
 Log:
   MFC r222806:
 Make a behaviour of the libalias based in-kernel NAT a bit closer to
 how natd(8) does work. natd(8) drops packets only when libalias returns
 PKT_ALIAS_IGNORED and deny_incoming option is set, but ipfw_nat
 always did drop packets that were not aliased, even if they should
 not be aliased and just are going through.
   
 PR:kern/122109, kern/129093, kern/157379
 Submitted by:  Alexander V. Chernikov (previous version)
 
 Modified:
   stable/8/sys/netinet/ipfw/ip_fw_nat.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet/ipfw/ip_fw_nat.c
 ==
 --- stable/8/sys/netinet/ipfw/ip_fw_nat.c  Thu Jul  7 08:33:58 2011
(r223834)
 +++ stable/8/sys/netinet/ipfw/ip_fw_nat.c  Thu Jul  7 09:29:11 2011
(r223835)
 @@ -263,17 +263,27 @@ ipfw_nat(struct ip_fw_args *args, struct
else
retval = LibAliasOut(t-lib, c,
mcl-m_len + M_TRAILINGSPACE(mcl));
 -  if (retval == PKT_ALIAS_RESPOND) {
 -  m-m_flags |= M_SKIP_FIREWALL;
 -  retval = PKT_ALIAS_OK;
 -  }
 -  if (retval != PKT_ALIAS_OK 
 -  retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +
 +  /*
 +   * We drop packet when:
 +   * 1. libalias returns PKT_ALIAS_ERROR;
 +   * 2. For incoming packets:
 +   *  a) for unresolved fragments;
 +   *  b) libalias returns PKT_ALIAS_IGNORED and
 +   *  PKT_ALIAS_DENY_INCOMING flag is set.
 +   */
 +  if (retval == PKT_ALIAS_ERROR ||
 +  (args-oif == NULL  (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +  (retval == PKT_ALIAS_IGNORED 
 +  (t-lib-packetAliasMode  PKT_ALIAS_DENY_INCOMING) != 0 {
/* XXX - should i add some logging? */
m_free(mcl);
args-m = NULL;
return (IP_FW_DENY);
}
 +
 +  if (retval == PKT_ALIAS_RESPOND)
 +  m-m_flags |= M_SKIP_FIREWALL;
mcl-m_pkthdr.len = mcl-m_len = ntohs(ip-ip_len);
  
/*
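
Review bot: the drop branch keeps `/* XXX - should i add some logging? */` as context, and after this change the decision to drop depends on three inputs (the libalias return code, the direction, and the PKT_ALIAS_DENY_INCOMING mode bit) while the packet is still freed silently. An operator seeing IP_FW_DENY from this rule cannot tell an error from a denied incoming packet or an unresolved fragment. Suggest resolving the XXX here with a per-reason counter or a rate-limited log line that records retval, rather than carrying the open question forward into stable.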


Re: kern/157379: commit references a PR

2011-07-07 Thread dfilter service
The following reply was made to PR kern/157379; it has been noted by GNATS.

From: dfil...@freebsd.org (dfilter service)
To: bug-follo...@freebsd.org
Cc:  
Subject: Re: kern/157379: commit references a PR
Date: Thu,  7 Jul 2011 09:29:26 + (UTC)

 Author: ae
 Date: Thu Jul  7 09:29:11 2011
 New Revision: 223835
 URL: http://svn.freebsd.org/changeset/base/223835
 
 Log:
   MFC r222806:
 Make a behaviour of the libalias based in-kernel NAT a bit closer to
 how natd(8) does work. natd(8) drops packets only when libalias returns
 PKT_ALIAS_IGNORED and deny_incoming option is set, but ipfw_nat
 always did drop packets that were not aliased, even if they should
 not be aliased and just are going through.
   
 PR:kern/122109, kern/129093, kern/157379
 Submitted by:  Alexander V. Chernikov (previous version)
 
 Modified:
   stable/8/sys/netinet/ipfw/ip_fw_nat.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet/ipfw/ip_fw_nat.c
 ==
 --- stable/8/sys/netinet/ipfw/ip_fw_nat.c  Thu Jul  7 08:33:58 2011
(r223834)
 +++ stable/8/sys/netinet/ipfw/ip_fw_nat.c  Thu Jul  7 09:29:11 2011
(r223835)
 @@ -263,17 +263,27 @@ ipfw_nat(struct ip_fw_args *args, struct
else
retval = LibAliasOut(t-lib, c,
mcl-m_len + M_TRAILINGSPACE(mcl));
 -  if (retval == PKT_ALIAS_RESPOND) {
 -  m-m_flags |= M_SKIP_FIREWALL;
 -  retval = PKT_ALIAS_OK;
 -  }
 -  if (retval != PKT_ALIAS_OK 
 -  retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +
 +  /*
 +   * We drop packet when:
 +   * 1. libalias returns PKT_ALIAS_ERROR;
 +   * 2. For incoming packets:
 +   *  a) for unresolved fragments;
 +   *  b) libalias returns PKT_ALIAS_IGNORED and
 +   *  PKT_ALIAS_DENY_INCOMING flag is set.
 +   */
 +  if (retval == PKT_ALIAS_ERROR ||
 +  (args-oif == NULL  (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +  (retval == PKT_ALIAS_IGNORED 
 +  (t-lib-packetAliasMode  PKT_ALIAS_DENY_INCOMING) != 0 {
/* XXX - should i add some logging? */
m_free(mcl);
args-m = NULL;
return (IP_FW_DENY);
}
 +
 +  if (retval == PKT_ALIAS_RESPOND)
 +  m-m_flags |= M_SKIP_FIREWALL;
mcl-m_pkthdr.len = mcl-m_len = ntohs(ip-ip_len);
  
/*
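
Review bot: the relocated PKT_ALIAS_RESPOND branch at the end of the hunk sets M_SKIP_FIREWALL on `m`, while the `m_free()` above it and the length fix-up on the following line both operate on `mcl`. If `mcl` can be a different mbuf from `m` at this point, the flag that exempts the packet from further firewall processing lands on the wrong buffer; please confirm the two are the same here or set the flag on `mcl`. Separately, the removed lines rewrote retval to PKT_ALIAS_OK for this case and the added lines do not, so any later test of retval in this function now sees PKT_ALIAS_RESPOND; worth a sentence in the log if that is intended.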


Re: kern/122109: [ipfw] ipfw nat traceroute problem

2011-07-07 Thread ae
Synopsis: [ipfw] ipfw nat traceroute problem

State-Changed-From-To: patched->closed
State-Changed-By: ae
State-Changed-When: Thu Jul 7 09:42:47 UTC 2011
State-Changed-Why: 
Merged to stable/7 and stable/8. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=122109


Re: kern/129093: [ipfw] ipfw nat must not drop packets

2011-07-07 Thread ae
Synopsis: [ipfw] ipfw nat must not drop packets

State-Changed-From-To: patched->closed
State-Changed-By: ae
State-Changed-When: Thu Jul 7 09:43:23 UTC 2011
State-Changed-Why: 
Merged to stable/7 and stable/8. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=129093


Re: kern/129093: commit references a PR

2011-07-07 Thread dfilter service
The following reply was made to PR kern/129093; it has been noted by GNATS.

From: dfil...@freebsd.org (dfilter service)
To: bug-follo...@freebsd.org
Cc:  
Subject: Re: kern/129093: commit references a PR
Date: Thu,  7 Jul 2011 09:42:50 + (UTC)

 Author: ae
 Date: Thu Jul  7 09:42:32 2011
 New Revision: 223837
 URL: http://svn.freebsd.org/changeset/base/223837
 
 Log:
   MFC r222806:
 Make a behaviour of the libalias based in-kernel NAT a bit closer to
 how natd(8) does work. natd(8) drops packets only when libalias returns
 PKT_ALIAS_IGNORED and deny_incoming option is set, but ipfw_nat
 always did drop packets that were not aliased, even if they should
 not be aliased and just are going through.
   
 PR:kern/122109, kern/129093, kern/157379
 Submitted by:  Alexander V. Chernikov (previous version)
 
 Modified:
   stable/7/sys/netinet/ip_fw_nat.c
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/netinet/ip_fw_nat.c
 ==
 --- stable/7/sys/netinet/ip_fw_nat.c   Thu Jul  7 09:32:43 2011
(r223836)
 +++ stable/7/sys/netinet/ip_fw_nat.c   Thu Jul  7 09:42:32 2011
(r223837)
 @@ -322,8 +322,18 @@ ipfw_nat(struct ip_fw_args *args, struct
else
retval = LibAliasOut(t-lib, c, 
mcl-m_len + M_TRAILINGSPACE(mcl));
 -  if (retval != PKT_ALIAS_OK 
 -  retval != PKT_ALIAS_FOUND_HEADER_FRAGMENT) {
 +  /*
 +   * We drop packet when:
 +   * 1. libalias returns PKT_ALIAS_ERROR;
 +   * 2. For incoming packets:
 +   *  a) for unresolved fragments;
 +   *  b) libalias returns PKT_ALIAS_IGNORED and
 +   *  PKT_ALIAS_DENY_INCOMING flag is set.
 +   */
 +  if (retval == PKT_ALIAS_ERROR ||
 +  (args-oif == NULL  (retval == PKT_ALIAS_UNRESOLVED_FRAGMENT ||
 +  (retval == PKT_ALIAS_IGNORED 
 +  (t-lib-packetAliasMode  PKT_ALIAS_DENY_INCOMING) != 0 {
/* XXX - should i add some logging? */
m_free(mcl);
badnat:
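
Review bot: the added condition packs four tests and three levels of parentheses into one expression, and the comment's "For incoming packets" is expressed only as `args->oif == NULL`, which the reader has to know means inbound. In a drop decision a misplaced parenthesis changes which packets pass, so this is worth making easier to audit: compute the direction once in a local (a hypothetical `incoming`, for instance) and split the test into the PKT_ALIAS_ERROR case and the incoming-only cases, mirroring items 1 and 2 of the comment.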