Re: flow table format specifier rules (14.0)

2023-12-12 Thread Andrey V. Elsukov
add 6,2 0 ignored: 6,2 0 ipfw: Adding record failed: Invalid argument Hi, this is due to implementation. Internally a flow table depends from address family and thus you need to specify an address. -- WBR, Andrey V. Elsukov

Re: ipfw + bridge + epair + tags for vnet jails after upgrade to 13.1

2022-12-21 Thread Andrey V. Elsukov
this commit caused your problem https://reviews.freebsd.org/D32663 -- WBR, Andrey V. Elsukov OpenPGP_signature Description: OpenPGP digital signature

Re: NPTv6: prefix doesn't change in IPFW when prefix changes on dynamic interface

2022-11-24 Thread Andrey V. Elsukov
deprecated addresses from an interface. Then NPTv6 module will use first global prefix on the interface. -- WBR, Andrey V. Elsukov

Re: Throughput extremely decreases when IPFW 7000 mac based rules activated

2021-08-16 Thread Andrey V. Elsukov
ut for layer3 IP matching, not for layer2 MAC matching. We have a patch that adds ability to keep MAC addresses in the tables. I hope we will push it into upstream soon. -- WBR, Andrey V. Elsukov

Re: is there a way to Port DragonflyBSD's IPFW3 to FreeBSD

2021-07-30 Thread Andrey V. Elsukov
SD's ipfw, than doing porting ipfw from DragonFly. But you can try :) -- WBR, Andrey V. Elsukov

Re: Lookup tables with dst-port as argument

2021-01-20 Thread Andrey V. Elsukov
red behavior? Hi, it seems you need to take a look at the 'lookup dst-port tablename' opcode. -- WBR, Andrey V. Elsukov ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"

Re: Rule optimization

2020-03-24 Thread Andrey V. Elsukov
I included. Hi, I think for 3 interfaces you will not see some noticeable difference, but when number of interfaces in the table will grow to tens or hundreds, it will work much better than the plain list of the rules. -- WBR, Andrey V. Elsukov signature.asc Description: OpenPGP digital signature

Re: nat64lsn first hop in traceroute has a source ip of the final host

2019-11-27 Thread Andrey V. Elsukov
On 26.11.2019 11:31, Marco van Tol wrote: > Did you find the time to look further into this? > If not I understand, no problem. > > Let me know if there's anything I can do to help. Hi, I'm sorry for the delay, I'll try to finish the patch at this weekend :) -- WBR, Andre

Re: nat64lsn first hop in traceroute has a source ip of the final host

2019-11-06 Thread Andrey V. Elsukov
rt to be coming from the router IP on > the first hop? > > Thank you very much in advance! Hi, I think I know where is the problem, I'll try to make the patch at the weekend. -- WBR, Andrey V. Elsukov

Re: Look for an ipfw example using NPTv6

2019-06-21 Thread Andrey V. Elsukov
e internal network, and use NPTv6 with "ext_if external_ifname" option. It will automatically use configured on the external interface prefix. This feature is available in stable/12+. -- WBR, Andrey V. Elsukov

Re: Look for an ipfw example using NPTv6

2019-06-19 Thread Andrey V. Elsukov
with such prefix. > Are you saying NPTv6 cannot rewrite a LL prefix to a public prefix, such > as the one held on the external interface? Yes. Link-local address must belong to the single "link", IPv6 scoped addresses architecture doesn't allow forward packets with link-local

Re: Look for an ipfw example using NPTv6

2019-06-19 Thread Andrey V. Elsukov
ateful. Thanks. NPTv6 module is targeted to translate routed traffic. IPv6 link-local addresses are not forward-able. Thus you can not configure nptv6 instance with such prefix. -- WBR, Andrey V. Elsukov

Re: ipfw: switching sets does stall the machine

2019-06-16 Thread Andrey V. Elsukov
ut the next rule for states that don't stop packet processing is the last rule. This is probably will not fit your requirements. -- WBR, Andrey V. Elsukov

Re: Patch to have ipfw0 work properly in jails

2019-02-12 Thread Andrey V. Elsukov
firewall_logif is set in rc.conf Hi, for what purpose do you use ipfw0? Running tcpdump and logger looks very ugly. -- WBR, Andrey V. Elsukov

Re: Dummynet + PF

2019-02-09 Thread Andrey V. Elsukov
d be required to make dummynet work with PF? Currently, > dummynet depends on IPFW, so I guess decoupling is one of the tasks? Hi, I think it doesn't really depend from ipfw, you can just remove this dependency from ip_dummynet.c. -- WBR, Andrey V. Elsukov

Re: ipfw -N show

2018-12-11 Thread Andrey V. Elsukov
/sbin/ipfw all install -- WBR, Andrey V. Elsukov

Re: ipfw -N show

2018-12-11 Thread Andrey V. Elsukov
ate->proto = IPPROTO_IPV6; >} > >static int > > > unfortunately, ipfw -N show still doesn't print the protocols: > > 00800 0 0 allow tcp from any to x.x.x.x 443 in recv bce0 > Did you reinstall the patched version of ipfw(8)? # ipfw add count tcp from any to ya.ru 443 out xmit lagg0 00100 count tcp from any to 87.250.250.242 443 out xmit lagg0 # ipfw -N show 100 00100 0 0 count tcp from any to ya.ru https out xmit lagg0 -- WBR, Andrey V. Elsukov

Re: ipfw -N show

2018-12-10 Thread Andrey V. Elsukov
ly some of latest patches from this commit log to your source code and then test. -- WBR, Andrey V. Elsukov

Re: Configuring IPv6 on jails

2018-10-30 Thread Andrey V. Elsukov
only in head/ yet. > > Would be nice! I’m on 12-STABLE. Hi, I published the patch: https://reviews.freebsd.org/D17765 For stable/12 you need to apply patch from r339537: https://reviews.freebsd.org/D17100 -- WBR, Andrey V. Elsukov

Re: Configuring IPv6 on jails

2018-10-29 Thread Andrey V. Elsukov
t; the external IPv4 address) Hi, I think I can add this feature to ipfw_nptv6 module, but I need some spare time to implement it. If you are interested, I'll send the patch to you later. What version do you use? I suspect the patch will use some features, that are present only in head/

Re: net.inet.ip.fw.dyn_keep_states (was: ipfw managing rules - best practice?)

2018-10-25 Thread Andrey V. Elsukov
"keep-state" or "limit" opcodes), this means that new rules will initiate the search in dynamic states, and for existing connection the state will be updated and because of this, the connection is still work. -- WBR, Andrey V. Elsukov

Re: ipfw managing rules - best practice?

2018-10-24 Thread Andrey V. Elsukov
want to test some patches, you can try :) I tried to apply the patch and observed that stable/11 has a small difference in UMA code, so you need to use this patch: https://people.freebsd.org/~ae/keep_states11.diff Again, I did not yet tested it widely, and on stable/11 did not tested at all

Re: ipfw managing rules - best practice?

2018-09-05 Thread Andrey V. Elsukov
ke it working. I plan to reimplement this feature to be more useful and work with any rules, and not only with "allow" rules. -- WBR, Andrey V. Elsukov

Re: ipfw uid/gid debugging, tcpdump relation with ipfw and how to block direct access to port 25

2018-07-08 Thread Andrey V. Elsukov
s not sent out,but > dropped on the ipfw by the last deny rule). Seems like the packet how do you test this? > sent by sendmail doesn't belong to snmmsp group. I have tried gid > operator gid mail gid smmsp gid wheel - won't help. How to debug? -- WBR, Andrey V. Elsukov

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Andrey V. Elsukov
(len <= MJUM9BYTES) mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM9BYTES); else if (len <= MJUM16BYTES) mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM16BYTES); else goto bad; -- WBR, Andrey V. Elsukov

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Andrey V. Elsukov
reater than 4k, ipfw_nat() function will drop this packet. -- WBR, Andrey V. Elsukov

Re: Matching rules on ip4/ip6 with udp/tcp

2018-06-06 Thread Andrey V. Elsukov
22 in recv em0 not proto ip6 ipfw add 1 allow ip6 from any to me 22 in recv em0 proto tcp -- WBR, Andrey V. Elsukov

Re: Missing sysctl net.inet.ip.fw.dyn_keep_states on FreeBSD 11.2

2018-05-20 Thread Andrey V. Elsukov
in 11.2-STABLE and 12.0-RELEASE. I'm sorry about that. -- WBR, Andrey V. Elsukov

Re: removing some error states

2018-05-03 Thread Andrey V. Elsukov
t submit PR or patch, if you don't like some. Due to huge difference between old tables and what we have now, it is not always possible for one man to test all old features and properly merge them with new features. -- WBR, Andrey V. Elsukov

Re: IPFW and FTP client behind NAT

2018-02-15 Thread Andrey V. Elsukov
ermine the value that will be enough for this host. For example, set it to 250, 200, 150, 100. -- WBR, Andrey V. Elsukov

Re: FreeBSD11 ipfw sets.

2018-02-13 Thread Andrey V. Elsukov
should be fixed in freebsd11-stable. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224555 -- WBR, Andrey V. Elsukov

Re: ipfw: manpage: semantics of "receive" and "xmit" interfaces

2018-01-09 Thread Andrey V. Elsukov
n, now for outbound direction. And it can be matched by "out" and "xmit ed1" opcodes. The opcode "recv ed0" still can be matched too, but "in" opcode will not matched. A packet destined for local host is consumed by local IP stack and will not forwarded.

Re: ipfw pipe show yields "REDZONE: Buffer overflow detected..."

2017-12-20 Thread Andrey V. Elsukov
ses, but they are associated with the commands -- this is trivially > reproducible (for me, anyway). It would be nice if you created PR where you described steps to reproduce this. Your kernel/modules config, commands you used to get this result. -- WBR, Andrey V. Elsukov

Re: ipfw kernel NAT performance much worse in 11-Stable than 10-Stable

2017-08-31 Thread Andrey V. Elsukov
<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> > You need to disable TSO on your interface, ipfw nat is not compatible with TCP segmentation offloading (this is noted in ipfw(8) BUGS section). Try to use: ifconfig igb1 -vlanhwtso -tso4 You can add these option to "ifconfig_igb1" variabl

Re: ipfw kernel NAT performance much worse in 11-Stable than 10-Stable

2017-08-31 Thread Andrey V. Elsukov
On 31.08.2017 13:01, Andrey V. Elsukov wrote: >> Does anybody please have any ideas on this, please? > > Can you show the output of `ifconfig igb1 | grep flags` on stable/10 and > stable/11? Sorry, I wanted to write `ifconfig igb1 | grep options`. -- WBR, Andrey V. Elsukov

Re: ipfw kernel NAT performance much worse in 11-Stable than 10-Stable

2017-08-31 Thread Andrey V. Elsukov
X: > nat 1 ip4 from any to any via igb1 > > I can provide the full set of rules if needed, but I think only those > two lines are relevant. > > Does anybody please have any ideas on this, please? Can you show the output of `ifconfig igb1 | grep flags` on stab

Re: Named states in ipfw (and old rulesets)

2016-08-14 Thread Andrey V. Elsukov
p from any to any // Allowed local services > - common block > > So, yes, comment is lost! It looks it never worked due to "goto done" in the code. -- WBR, Andrey V. Elsukov

Re: names for limit states?

2016-08-14 Thread Andrey V. Elsukov
On 14.08.16 15:04, Lev Serebryakov wrote: > Hello Ae, > > Looks like you didn't add names support for states with limits? Why? For me it looks like I did that. Why would you think differently? :) -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-08-04 Thread Andrey V. Elsukov
eated this rule :) -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-08-04 Thread Andrey V. Elsukov
similar, that was described by Lev. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-08-03 Thread Andrey V. Elsukov
On 03.08.16 22:07, Lev Serebryakov wrote: > On 03.08.2016 21:03, Andrey V. Elsukov wrote: > >>> 1/ ability to use keep-state without an implicit check-state. <--- most >>> important for me. (store-state)? >>> 2/ ability to keep-state without actually doin

Re: your thoughts on a particualar ipfw action.

2016-08-02 Thread Andrey V. Elsukov
ablearg skipto is very inefficient. It's also a hard thing to set up > with a set of rules for each country (how many countries are there in > the internet allocation system?). You can build ipfw with enabled LINEAR_SKIPTO and use the same rules for most countries. -- WBR, Andrey V. Elsukov

Re: Significant missing item in 11.0 release notes

2016-08-01 Thread Andrey V. Elsukov
c tables will be created automatically (with warning). -- WBR, Andrey V. Elsukov

Re: Strange printing of rule with "unreach6" action

2016-07-19 Thread Andrey V. Elsukov
emoved) > > unreach6 address16005 80 5574 ip6 from any to 2001:4de0:ac10::1:1:14 I think it should be fixed after r297981. -- WBR, Andrey V. Elsukov

Re: ALPHA3 panic with ipfw+dummynet and gif/gre tunnels

2016-06-17 Thread Andrey V. Elsukov
Hi, this is known issue. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209466 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=162558 It looks the same, but for IPv6. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-06-15 Thread Andrey V. Elsukov
s://reviews.freebsd.org/D6674 Also I reworked Lev's patch on top of my patch and made it simpler: https://reviews.freebsd.org/D1776#143557 -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-06-10 Thread Andrey V. Elsukov
iggers this opcode. So, you introduced new implicit behavior while thinking that resolve old wrong behavior. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-06-08 Thread Andrey V. Elsukov
understand - beyond descriptions in > the abstract case; ie an actual working dual- or multi-flow example. > > I know these are "just doc" issues of little importance while testing > working code, and I haven't supplied any patches, so are just FWIW .. Will try to implement support for limit rules and update man. Thanks. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-06-07 Thread Andrey V. Elsukov
ld be branched. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal? state operations, push into 11?

2016-06-06 Thread Andrey V. Elsukov
deferred action looks too hackish to me. With the following patch you will be able create two different states, I think, and solve your task with NAT and dynamic rules: https://reviews.freebsd.org/D6674 -- WBR, Andrey V. Elsukov

Re: [RFC] ipfw named states support

2016-05-30 Thread Andrey V. Elsukov
On 30.05.16 07:56, Julian Elischer wrote: > On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote: >> Hi All, >> >> We have the patch that adds named states support to ipfw. > > like it and have wished for this for along time > this allows per-interface state. Can stat

[RFC] ipfw named states support

2016-05-18 Thread Andrey V. Elsukov
isting rulesets. Probably, we can add some mandatory prefix to state name, e.g. ':'. -- WBR, Andrey V. Elsukov

Re: IPv6 NAT

2016-04-30 Thread Andrey V. Elsukov
oo. Hi, we have implemented IPv6 NPT (RFC 6296) and basic NAT64 (stateless and stateful) for ipfw. Currently we are preparing to commit them into FreeBSD head/. I hope I'll do this in several weeks before 11.0 freeze. -- WBR, Andrey V. Elsukov

Re: panic: refcount inconsistency: found: 0 total: 1

2015-11-03 Thread Andrey V. Elsukov
age. -- WBR, Andrey V. Elsukov

Re: proxy_rule is missing in kernel nat?

2015-09-28 Thread Andrey V. Elsukov
it looks like proxy_rule was forgotten when it was ported. -- WBR, Andrey V. Elsukov

Re: chnage source of IPFW

2015-06-01 Thread Andrey V. Elsukov
, you need to modify ip_fw_sockopt.c:check_ipfw_rule_body() function. -- WBR, Andrey V. Elsukov

Re: reass all from any to any kills IPv6 packets

2015-03-05 Thread Andrey V. Elsukov
? Both :) Hit this bug several years ago, seems it is still here AFAIR, I made the patch for such PR, but nobody wanted to test it :) https://people.freebsd.org/~ae/ipfw_ip6reass.diff Probably now I can test it myself a bit later. -- WBR, Andrey V. Elsukov

Re: net.inet{,6}.fw.enable in /etc/rc

2014-09-22 Thread Andrey V. Elsukov
before running rc.d scripts at boot time, and enables it again in rc.d/ipfw script. Hi, I think this should be configurable, the change can be an unexpected for someone. -- WBR, Andrey V. Elsukov

Re: how does it pass in the rule sets

2014-04-21 Thread Andrey V. Elsukov
) functions to interact with kernel. In particular, do_cmd() function from ipfw2.c does it. -- WBR, Andrey V. Elsukov

Re: IPFW fwd not working after upgrade from 9.2 to 10.0

2014-02-06 Thread Andrey V. Elsukov
, which I'd like to use for responses to connections coming on on vtnet1. Under 9.2, the below worked fine: Hi, you can apply this patch: http://svnweb.freebsd.org/base?view=revision&revision=260702 -- WBR, Andrey V. Elsukov

Re: IPFW fwd not working after upgrade from 9.2 to 10.0

2014-02-06 Thread Andrey V. Elsukov
On 06.02.2014 12:31, Andrey V. Elsukov wrote: On 06.02.2014 04:08, John Nielsen wrote: I have been using IPFW FWD to do per-interface routing on a VM instance. The default gateway is on interface vtnet0, but there is a second interface, vtnet1, on a different network with its own public IP

[RFC] Enabling IPFIREWALL_FORWARD in run-time

2012-10-19 Thread Andrey V. Elsukov
/pfil_forward.diff Also we have done some tests with the ixia traffic generator connected via 10G network adapter. Tests have show that there is no visible difference, and there is no visible performance degradation. Any objections? -- WBR, Andrey V. Elsukov

Re: [RFC] Enabling IPFIREWALL_FORWARD in run-time

2012-10-19 Thread Andrey V. Elsukov
is undesirable, because we can have kernel without ipfw. So, i decided to choose pfil, because it could not work without pfil. -- WBR, Andrey V. Elsukov

Re: IPFW tables trouble

2012-05-16 Thread Andrey V. Elsukov
:/usr/obj/usr/src/sys/GENERIC amd64 Hi, Can you try update your 9.0-STABLE and test it again? There were some changes related to tables. -- WBR, Andrey V. Elsukov

Re: ipfw features

2011-10-25 Thread Andrey V. Elsukov
On 25.10.2011 17:19, Серега Гончаров wrote: Hi all. Is there some plans to make ipfw can change ip header fields of going through packets, like TTL, DF flag etc. pf and iptables can, so maybe in freebsd 9 it will be implemented? thanks. You can use ng_patch(4) for that. -- WBR, Andrey V

Re: fwd in ipfw module

2011-08-03 Thread Andrey V. Elsukov
On 03.08.2011 14:28, timp wrote: Do you know solution (for GENERIC kernel) that can port forwarding? I found /usr/ports/net/rinetd You can use pf(4). -- WBR, Andrey V. Elsukov

Re: ipfw fwd on FreeBSD 8.1, does it work?

2011-07-05 Thread Andrey V. Elsukov
does not work when ipfw loaded as module. -- WBR, Andrey V. Elsukov

Re: kern/131817: [ipfw] blocks layer2 packets that should not be blocked

2011-07-01 Thread Andrey V. Elsukov
The following reply was made to PR kern/131817; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: bug-follo...@freebsd.org, eu...@grosbein.pp.ru Cc: Subject: Re: kern/131817: [ipfw] blocks layer2 packets that should not be blocked Date: Fri, 01 Jul 2011 12:56:14 +0400

Re: kern/157379: [ipfw] mtr does not work if I use ipfw nat

2011-06-06 Thread Andrey V. Elsukov
The following reply was made to PR kern/157379; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: bug-follo...@freebsd.org, kes-...@yandex.ru Cc: Subject: Re: kern/157379: [ipfw] mtr does not work if I use ipfw nat Date: Mon, 06 Jun 2011 09:51:09 +0400 Hi, Can you

Re: kern/148157: [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRERELEASE

2011-05-31 Thread Andrey V. Elsukov
The following reply was made to PR kern/148157; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: bug-follo...@freebsd.org, poo...@hotmail.com, Vladislav Yershov vyers...@umc.com.ua Cc: Subject: Re: kern/148157: [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1

Re: kern/150798: [ipfw] ipfw2 fwd rule matches packets but does not do the job in fact.

2011-05-30 Thread Andrey V. Elsukov
The following reply was made to PR kern/150798; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: bug-follo...@freebsd.org, a...@holymail.biz Cc: Subject: Re: kern/150798: [ipfw] ipfw2 fwd rule matches packets but does not do the job in fact. Date: Mon, 30 May 2011 15:37

Re: kern/147720: [ipfw] ipfw dynamic rules and fwd

2011-05-30 Thread Andrey V. Elsukov
The following reply was made to PR kern/147720; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: bug-follo...@freebsd.org, dima_...@inbox.lv Cc: Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd Date: Mon, 30 May 2011 15:37:52 +0400 Hi, Can you test

Re: kern/147720: [ipfw] ipfw dynamic rules and fwd

2011-05-29 Thread Andrey V. Elsukov
The following reply was made to PR kern/147720; it has been noted by GNATS. From: Andrey V. Elsukov bu7c...@yandex.ru To: bug-follo...@freebsd.org, dima_...@inbox.lv Cc: Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd Date: Sun, 29 May 2011 14:41:03 +0400 This is an OpenPGP/MIME

Re: bin/156653: ipfw(8) reports missing file as parameter problem

2011-05-02 Thread Andrey V. Elsukov
The following reply was made to PR bin/156653; it has been noted by GNATS. From: Andrey V. Elsukov bu7c...@yandex.ru To: bug-follo...@freebsd.org, jcl...@speakeasy.net Cc: Subject: Re: bin/156653: ipfw(8) reports missing file as parameter problem Date: Mon, 02 May 2011 15:59:16 +0400 Hi

Re: kern/144869: [ipfw] [panic] Instant kernel panic when adding NAT rules using ipfw on em interfaces

2010-08-17 Thread Andrey V. Elsukov
The following reply was made to PR kern/144869; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: Ildar Hizbulin hi...@vyborg.ru Cc: bug-follo...@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: kern/144869: [ipfw] [panic] Instant kernel panic when adding NAT rules using

Re: kern/144869: [ipfw] [panic] Instant kernel panic when adding NAT rules using ipfw on em interfaces

2010-08-17 Thread Andrey V. Elsukov
it was merged to stable/8 with r211241. -- WBR, Andrey V. Elsukov

Re: svn commit: r200855 - in head/sys: net netgraph netinet netinet/ipfw

2010-02-12 Thread Andrey V. Elsukov
sets enabled, because IP_FW_GET command gets small buffer and after calculating wanted size it returns back without copying anything. -- WBR, Andrey V. Elsukov

Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION

2008-07-09 Thread Andrey V. Elsukov
Paolo Pisati wrote: add packet counter as well. That's all possible with one opcode, though... if anyone post an updated patch, i'll commit it. Hi, Paolo. Any progress in this? I updated patch: http://butcher.heavennet.ru/patches/kernel/ipfw/ipfw_counterlimit.diff -- WBR, Andrey V

Re: tablearg q'n

2008-06-01 Thread Andrey V. Elsukov
rihad wrote: ipfw add pipe tablearg ip from 'table(0)' to 'table(1)' Which of the two tables will tablearg come from? Last 'table' argument will be used for tablearg. Any way to make the choice explicit? Patches are welcome =) -- WBR, Andrey V. Elsukov

Re: how much memory does increasing max rules for IPFW take up?

2008-05-15 Thread Andrey V. Elsukov
-allocated, or is it a static memory buffer? Each dynamic rule allocated dynamically. Be careful, too many dynamic rules will work very slow. -- WBR, Andrey V. Elsukov

Re: how much memory does increasing max rules for IPFW take up?

2008-05-15 Thread Andrey V. Elsukov
which may return a false positive, bloomier filters are a refinement which tries to limit the false positives. There were some ideas from Vadim Goncharov about rewriting dynamic rules implementation.. -- WBR, Andrey V. Elsukov

Re: Syntax base IP

2008-05-06 Thread Andrey V. Elsukov
, Andrey V. Elsukov

Re: kern/123174: [ipfw] table add value lists as ip/uint16 instead of uint32.

2008-04-28 Thread Andrey V. Elsukov
list # ifpw -n nat 1 show and probably others command which didn't use `test_only` flag. -- WBR, Andrey V. Elsukov

Re: addition to ipfw table..

2008-04-17 Thread Andrey V. Elsukov
? -- WBR, Andrey V. Elsukov Index: src/sbin/ipfw/ipfw2.c === RCS file: /ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.118 diff -u -p -r1.118 ipfw2.c --- src/sbin/ipfw/ipfw2.c 27 Feb 2008 13:52:33 - 1.118 +++ src/sbin

Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION

2008-03-18 Thread Andrey V. Elsukov
as extension to current O_LIMIT opcode or something similar. Also i have question about my current implementation. Does it needed to have ability of humanized printing of limits, which was implemented before? -- WBR, Andrey V. Elsukov

Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION

2008-03-18 Thread Andrey V. Elsukov
IP addresses (currently I'm overlaying it on 32 bit ints) IPV6 addresses. skipto locations byte limits.. Yes, i agree. As I remember, we already talked about this some time ago. -- WBR, Andrey V. Elsukov

Re: kern/121122: [ipfw] [patch] add support to ToS IP PRECEDENCE fields

2008-02-26 Thread Andrey V. Elsukov
://www.freebsd.org/cgi/query-pr.cgi?pr=kern/103454 I added to CC several men who are active in ipfw area. It will be interested what you think about this? -- WBR, Andrey V. Elsukov

Re: disabling syslog messages?

2007-12-26 Thread Andrey V. Elsukov
or by the kernel itself. I _could_ work around the issue by piping the ipfw: messages to /dev/null in syslogd, but there might be a cleaner solution? If you don't use `ipfw log ...` rules you can reset sysctl variable net.inet.ip.fw.verbose to 0 and these messages will not be logged. -- WBR, Andrey V

Re: bin/113803: [patch] bin/ipfw.8 - don't get bitten by the fwd rule

2007-10-07 Thread Andrey V. Elsukov
) will be good. -- WBR, Andrey V. Elsukov

Re: bin/116458: [ipfw]: Logging problems with syslog and ipfw an 6.2.REL-p5

2007-09-19 Thread Andrey V. Elsukov
is not related to the ipfw. But you can try this patch: http://people.yandex-team.ru/~sem/FreeBSD/kernel/log_mutex.diff Please, report back if it will help you. -- WBR, Andrey V. Elsukov

Re: dummynet / ipfw2: panic, double fault

2007-09-03 Thread Andrey V. Elsukov
Hi, I got a trace for this fault. dummynet reinject packet to the ip_input through netisr_dispath. This procedure was done success several times, but in the next time it's fault. (kgdb) p ipfw_chk $1 = (int (*)(struct ip_fw_args *)) 0xc3374ea0 ipfw_chk (kgdb) l *(0xc3374ea0+0x16) 0xc3374eb6 is

Re: ipfw2 deep packet filtering

2007-08-30 Thread Andrey V. Elsukov
? There is no way to discover this information. Maybe, you can parse some specific protocols that contain a MAC addresses within packets. But this is hard and don't give a 100% results. The right way, IMHO, is an VPN-connections between Wireless clients and FreeBSD server. -- WBR, Andrey V

Re: bin/115372: [ipfw]: ipfw show prints ill result.

2007-08-10 Thread Andrey V. Elsukov
The following reply was made to PR bin/115372; it has been noted by GNATS. From: Andrey V. Elsukov [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Maxim Konovalov [EMAIL PROTECTED], Oleg Bulyzhin [EMAIL PROTECTED] Subject: Re: bin/115372: [ipfw]: ipfw show prints ill result

Re: skipto bug

2007-06-12 Thread Andrey V. Elsukov
. The number 65535 is reserved for the tablearg. -- WBR, Andrey V. Elsukov

[ipfw][patch] manipulation with rules within a specified sets

2007-05-29 Thread Andrey V. Elsukov
for implement a delete rules by template (text of rule), like a cisco-way (no some command). What you think about that? -- WBR, Andrey V. Elsukov

Re: kern/112708: ipfw is seems to be broken to limit number of connections

2007-05-17 Thread Andrey V. Elsukov
The following reply was made to PR kern/112708; it has been noted by GNATS. From: Andrey V. Elsukov [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Subject: Re: kern/112708: ipfw is seems to be broken to limit number of connections Date: Thu, 17 May 2007 16:42:16 +0400 Hi

Re: Problem applying TOS/DSCP patch in 6.2 RELEASE

2007-05-07 Thread Andrey V. Elsukov
Jim Sifferle wrote: Am I missing some intermediate steps? Thanks for any help... You can try to make with DEBUG_FLAGS=-I/usr/src/sys or replace header /usr/include/netinet/ip_fw.h with patched /usr/src/sys/netinet/ip_fw.h -- WBR, Andrey V. Elsukov

Re: kern/107305: [ipfw] ipfw fwd doesn't seem to work

2007-04-27 Thread Andrey V. Elsukov
Julian Elischer wrote: This was fixed in 6.[later] (6.2 at least, maybe 6.1) (The need for the EXTENDED option) Yes, i know. I think this PR can be closed. -- WBR, Andrey V. Elsukov

Re: kern/107305: [ipfw] ipfw fwd doesn't seem to work

2007-04-26 Thread Andrey V. Elsukov
The following reply was made to PR kern/107305; it has been noted by GNATS. From: Andrey V. Elsukov [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Subject: Re: kern/107305: [ipfw] ipfw fwd doesn't seem to work Date: Fri, 27 Apr 2007 08:46:09 +0400 Hi, IP Address

[patch] /sbin/ipfw - mac/mac-type show as an options (small fix)

2007-04-16 Thread Andrey V. Elsukov
fix for this: http://butcher.heavennet.ru/patches/other/ipfw_mac_fix/ipfw2.c.diff My tests don't show other break, what you think about this patch? -- WBR, Andrey V. Elsukov
