Re: kern/80642: [patch] IPFW small patch - new RULE OPTION

2005-06-17 Thread Andrey V. Elsukov
The following reply was made to PR kern/80642; it has been noted by GNATS. From: Andrey V. Elsukov [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Subject: Re: kern/80642: [patch] IPFW small patch - new RULE OPTION Date: Fri, 17 Jun 2005 14:31:20 +0400 This is a multi-part

Re: ipfw+altq

2005-09-05 Thread Andrey V. Elsukov
not supported. -- WBR, Andrey V. Elsukov ___ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to [EMAIL PROTECTED]

nonprivileged access to ipfw

2005-09-28 Thread Andrey V. Elsukov
:( -- WBR, Andrey V. Elsukov

Re: nonprivileged access to ipfw

2005-10-03 Thread Andrey V. Elsukov
Andrey V. Elsukov wrote: I want a nonprivileged access to ipfw (without sudo, suid and etc..). But RAW sockets restrict this. I have an one idea - a pseudo device /dev/ipfw. I think that realisation of this feature is not difficult task. Now i have some questions. Thanks for more answers :) I

Re: Dynamically adding ipfw natd rule

2005-10-18 Thread Andrey V. Elsukov
Alessandro Parrinello wrote: Hi, i need to change the natting rules of natd by a c program dynamically based on information gived me by a server. How can i do this? If you speak about an ipfw divert rules, then you can see the sbin/ipfw source code as example. -- WBR, Andrey V. Elsukov

Re: kern/60154: [ipfw] ipfw core (crash)

2005-12-07 Thread Andrey V. Elsukov
The following reply was made to PR kern/60154; it has been noted by GNATS. From: Andrey V. Elsukov [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: kern/60154: [ipfw] ipfw core (crash) Date: Thu, 08 Dec 2005 08:58:02 +0300 This is a multi-part message in MIME format

Re: kern/60154: [ipfw] ipfw core (crash)

2005-12-16 Thread Andrey V. Elsukov
Maxim Konovalov wrote: Synopsis: [ipfw] ipfw core (crash) http://www.freebsd.org/cgi/query-pr.cgi?pr=60154 I have updated patch and make the perl script for testing. -- WBR, Andrey V. Elsukov #!/usr/local/bin/perl -w

Re: FreeBSD 6.0 Buffer Overrun System Crash

2006-04-12 Thread Andrey V. Elsukov
to you. -- WBR, Andrey V. Elsukov

[patch] ipfw packet tagging

2006-05-10 Thread Andrey V. Elsukov
: http://butcher.heavennet.ru/patches/kernel/ipfw_tags/ -- WBR, Andrey V. Elsukov

Re: ipfw + nat

2006-06-08 Thread Andrey V. Elsukov
natd tcp from 192.x.x.x 80 to any out xmit $ExtIf $ExtIf - external interface. -- WBR, Andrey V. Elsukov

Re: [fbsd] [patch] ipfw packet tagging

2006-06-21 Thread Andrey V. Elsukov
patch that uses a tableargs feature with ipfw_tags to CURRENT: http://docs.freebsd.org/cgi/mid.cgi?200606150939.k5F9dMrB019958 -- WBR, Andrey V. Elsukov

Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION

2006-06-27 Thread Andrey V. Elsukov
The following reply was made to PR kern/80642; it has been noted by GNATS. From: Andrey V. Elsukov [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: Subject: Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION Date: Tue, 27 Jun 2006 16:39:21 +0400 I think this PR can be closed. I

Re: bin/102422: ipfw kernel problems where firewall rules aren't interpreted correctly

2006-08-28 Thread Andrey V. Elsukov
The following reply was made to PR bin/102422; it has been noted by GNATS. From: Andrey V. Elsukov [EMAIL PROTECTED] To: Stephen E. Halpin [EMAIL PROTECTED] Cc: [EMAIL PROTECTED], Oleg Bulyzhin [EMAIL PROTECTED], Gleb Smirnoff [EMAIL PROTECTED], Luigi Rizzo [EMAIL PROTECTED

Re: ipfw buffers too small?

2006-09-17 Thread Andrey V. Elsukov
/msg00634.html -- WBR, Andrey V. Elsukov

Re: A bit weird code

2006-09-18 Thread Andrey V. Elsukov
:) If you mean this code: if (do_cmd(IP_FW_ADD, rule, (uintptr_t)i) == -1) err(EX_UNAVAILABLE, getsockopt(%s), IP_FW_ADD); I think this is copypaste bug :) -- WBR, Andrey V. Elsukov

Re: Adding opcode in ipfw_opcodes

2006-09-19 Thread Andrey V. Elsukov
/netinet to CFLAGS or replace /usr/include/netinet/ip_fw.h with a new ip_fw.h. -- WBR, Andrey V. Elsukov

Re: kern/103454: [ipfw] [patch] add a facility to modify DF bit of the IP packet

2006-09-21 Thread Andrey V. Elsukov
; + break; + default: + goto next_rule; + /* NOTREACHED */ We can check cmd-arg1 for correct values in the ipfw_chk function. -- WBR, Andrey V. Elsukov

Re: ipfw versions - /usr/src/sbin

2006-10-05 Thread Andrey V. Elsukov
FreeBSD version you use? And why you want to use another version of ipfw? Please, provide output of these commands: # uname -a # sysctl kern | grep osrel # grep ^REV /usr/src/sys/conf/newvers.sh # ident /usr/src/sbin/ipfw/ipfw2.c # ident /usr/src/sys/netinet/ip_fw.h -- WBR, Andrey V. Elsukov

Re: ipfw versions - /usr/src/sbin

2006-10-06 Thread Andrey V. Elsukov
/sbin setenv CVSROOT [EMAIL PROTECTED]:/home/ncvs setenv CVS_RSH ssh To get a RELENG_6_1 sources try this command: cvs co -r RELENG_6_1 src/sbin/ipfw -- WBR, Andrey V. Elsukov

ipfw tracing

2006-10-24 Thread Andrey V. Elsukov
. How to use: # ipfw add 1 count tag SOME_TAG RULE_BODY # sysctl net.inet.ip.fw.trace_tag=SOME_TAG # tail -f /var/log/security SOME_TAG - some tag number RULE_BODY - rule for matching needed packets What you think about that? -- WBR, Andrey V. Elsukov

Re: ipfw tracing

2006-10-24 Thread Andrey V. Elsukov
limiting.. -- WBR, Andrey V. Elsukov

Re: Request for source code

2007-03-20 Thread Andrey V. Elsukov
/sbin/ipfw/ -- WBR, Andrey V. Elsukov

Re: System calls

2007-03-26 Thread Andrey V. Elsukov
arjun badarinath wrote: Hi all, I wanted to know what these system calls actually do. ip_dn_ctl_ptr ip_dn_io_ptr ip_dn_ruledel_ptr These are not system calls. They are pointers for the interaction with dummynet. -- WBR, Andrey V. Elsukov

[patch] /sbin/ipfw - mac/mac-type show as an options (small fix)

2007-04-16 Thread Andrey V. Elsukov
fix for this: http://butcher.heavennet.ru/patches/other/ipfw_mac_fix/ipfw2.c.diff My tests don't show other break, what you think about this patch? -- WBR, Andrey V. Elsukov

Re: kern/107305: [ipfw] ipfw fwd doesn't seem to work

2007-04-26 Thread Andrey V. Elsukov
The following reply was made to PR kern/107305; it has been noted by GNATS. From: Andrey V. Elsukov [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Subject: Re: kern/107305: [ipfw] ipfw fwd doesn't seem to work Date: Fri, 27 Apr 2007 08:46:09 +0400 Hi, IP Address

Re: kern/107305: [ipfw] ipfw fwd doesn't seem to work

2007-04-27 Thread Andrey V. Elsukov
Julian Elischer wrote: This was fixed in 6.[later] (6.2 at least, maybe 6.1) (The need for the EXTENDED option) Yes, i know. I think this PR can be closed. -- WBR, Andrey V. Elsukov

Re: bin/80913: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper characters

2007-05-02 Thread Andrey V. Elsukov
The following reply was made to PR bin/80913; it has been noted by GNATS. From: Andrey V. Elsukov [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED], Maxim Konovalov [EMAIL PROTECTED] Cc: Subject: Re: bin/80913: [patch] /sbin/ipfw2 silently discards MAC addr arg with improper

Re: Problem applying TOS/DSCP patch in 6.2 RELEASE

2007-05-07 Thread Andrey V. Elsukov
Jim Sifferle wrote: Am I missing some intermediate steps? Thanks for any help... You can try to make with DEBUG_FLAGS=-I/usr/src/sys or replace header /usr/include/netinet/ip_fw.h with patched /usr/src/sys/netinet/ip_fw.h -- WBR, Andrey V. Elsukov

Re: kern/112708: ipfw is seems to be broken to limit number of connections

2007-05-17 Thread Andrey V. Elsukov
The following reply was made to PR kern/112708; it has been noted by GNATS. From: Andrey V. Elsukov [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Subject: Re: kern/112708: ipfw is seems to be broken to limit number of connections Date: Thu, 17 May 2007 16:42:16 +0400 Hi

[ipfw][patch] manipulation with rules within a specified sets

2007-05-29 Thread Andrey V. Elsukov
for implement a delete rules by template (text of rule), like a cisco-way (no some command). What you think about that? -- WBR, Andrey V. Elsukov

Re: skipto bug

2007-06-12 Thread Andrey V. Elsukov
. The number 65535 is reserved for the tablearg. -- WBR, Andrey V. Elsukov

Re: ip6fw byte reporting error in v6

2007-08-08 Thread Andrey V. Elsukov
, include the IPv4 header bytes. Is this a known problem? Is it a more general BSD kernel problem? Probably, you should use ipfw(8) instead of ip6fw(8). ip6fw was removed and it's functional moved into ipfw(8). -- WBR, Andrey V. Elsukov

Re: bin/115372: [ipfw]: ipfw show prints ill result.

2007-08-10 Thread Andrey V. Elsukov
The following reply was made to PR bin/115372; it has been noted by GNATS. From: Andrey V. Elsukov [EMAIL PROTECTED] To: [EMAIL PROTECTED], [EMAIL PROTECTED] Cc: Maxim Konovalov [EMAIL PROTECTED], Oleg Bulyzhin [EMAIL PROTECTED] Subject: Re: bin/115372: [ipfw]: ipfw show prints ill result

Re: ipfw2 deep packet filtering

2007-08-30 Thread Andrey V. Elsukov
? There is no way to discover this information. Maybe, you can parse some specific protocols that contain a MAC addresses within packets. But this is hard and don't give a 100% results. The right way, IMHO, is an VPN-connections between Wireless clients and FreeBSD server. -- WBR, Andrey V

Re: dummynet / ipfw2: panic, double fault

2007-09-03 Thread Andrey V. Elsukov
Hi, I got a trace for this fault. dummynet reinject packet to the ip_input through netisr_dispath. This procedure was done success several times, but in the next time it's fault. (kgdb) p ipfw_chk $1 = (int (*)(struct ip_fw_args *)) 0xc3374ea0 ipfw_chk (kgdb) l *(0xc3374ea0+0x16) 0xc3374eb6 is

Re: bin/116458: [ipfw]: Logging problems with syslog and ipfw an 6.2.REL-p5

2007-09-19 Thread Andrey V. Elsukov
is not related to the ipfw. But you can try this patch: http://people.yandex-team.ru/~sem/FreeBSD/kernel/log_mutex.diff Please, report back if it will help you. -- WBR, Andrey V. Elsukov

Re: bin/113803: [patch] bin/ipfw.8 - don't get bitten by the fwd rule

2007-10-07 Thread Andrey V. Elsukov
) will be good. -- WBR, Andrey V. Elsukov

Re: disabling syslog messages?

2007-12-26 Thread Andrey V. Elsukov
or by the kernel itself. I _could_ work around the issue by piping the ipfw: messages to /dev/null in syslogd, but there might be a cleaner solution? If you don't use `ipfw log ...` rules you can reset sysctl variable net.inet.ip.fw.verbose to 0 and these messages will not be logged. -- WBR, Andrey V

Re: kern/121122: [ipfw] [patch] add support to ToS IP PRECEDENCE fields

2008-02-26 Thread Andrey V. Elsukov
://www.freebsd.org/cgi/query-pr.cgi?pr=kern/103454 I added to CC several men who are active in ipfw area. It will be interested what you think about this? -- WBR, Andrey V. Elsukov

Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION

2008-03-18 Thread Andrey V. Elsukov
as extension to current O_LIMIT opcode or something similar. Also i have question about my current implementation. Does it needed to have ability of humanized printing of limits, which was implemented before? -- WBR, Andrey V. Elsukov

Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION

2008-03-18 Thread Andrey V. Elsukov
IP addresses (currently I'm overlaying it on 32 bit ints) IPV6 addresses. skipto locations byte limits.. Yes, i agree. As I remember, we already talked about this some time ago. -- WBR, Andrey V. Elsukov

Re: kern/121955: [ipfw] [panic] freebsd 7.0 panic with mpd

2008-03-24 Thread Andrey V. Elsukov
into pipe again and again. Check your rules. -- WBR, Andrey V. Elsukov

Re: kern/121955: [ipfw] [panic] freebsd 7.0 panic with mpd

2008-03-24 Thread Andrey V. Elsukov
-- WBR, Andrey V. Elsukov

Re: kern/121955: [ipfw] [panic] freebsd 7.0 panic with mpd

2008-03-24 Thread Andrey V. Elsukov
AT Matik wrote: jaaa well but that is the famous bw 0 example which is not valid, as by itself certainly an invalid config, not connected to the existing problem the reporter has I guess bw 0 is valid example. It's default value. It means unlimited bandwidth. -- WBR, Andrey V. Elsukov

Re: addition to ipfw table..

2008-04-17 Thread Andrey V. Elsukov
? -- WBR, Andrey V. Elsukov Index: src/sbin/ipfw/ipfw2.c === RCS file: /ncvs/src/sbin/ipfw/ipfw2.c,v retrieving revision 1.118 diff -u -p -r1.118 ipfw2.c --- src/sbin/ipfw/ipfw2.c 27 Feb 2008 13:52:33 - 1.118 +++ src/sbin

Re: kern/123174: [ipfw] table add value lists as ip/uint16 instead of uint32.

2008-04-28 Thread Andrey V. Elsukov
list # ifpw -n nat 1 show and probably others command which didn't use `test_only` flag. -- WBR, Andrey V. Elsukov

Re: Syntax base IP

2008-05-06 Thread Andrey V. Elsukov
, Andrey V. Elsukov

Re: issues : FreeBSD kernel compile for ipfw support

2008-05-14 Thread Andrey V. Elsukov
reboots. Like in linux we do it in grub.conf You can install grub on the FreeBSD too. 2) Can you also let me know the steps to add ipfw support in kernel? Read the Handbook's article. -- WBR, Andrey V. Elsukov

Re: how much memory does increasing max rules for IPFW take up?

2008-05-15 Thread Andrey V. Elsukov
-allocated, or is it a static memory buffer? Each dynamic rule allocated dynamically. Be careful, too many dynamic rules will work very slow. -- WBR, Andrey V. Elsukov

Re: how much memory does increasing max rules for IPFW take up?

2008-05-15 Thread Andrey V. Elsukov
which may return a false positive, bloomier filters are a refinement which tries to limit the false positives. There were some ideas from Vadim Goncharov about rewriting dynamic rules implementation.. -- WBR, Andrey V. Elsukov

Re: tablearg q'n

2008-06-01 Thread Andrey V. Elsukov
rihad wrote: ipfw add pipe tablearg ip from 'table(0)' to 'table(1)' Which of the two tables will tablearg come from? Last 'table' argument will be used for tablearg. Any way to make the choice explicit? Patches are welcome =) -- WBR, Andrey V. Elsukov

Re: kern/80642: [ipfw] [patch] ipfw small patch - new RULE OPTION

2008-07-09 Thread Andrey V. Elsukov
Paolo Pisati wrote: add packet counter as well. That's all possible with one opcode, though... if anyone post an updated patch, i'll commit it. Hi, Paolo. Any progress in this? I updated patch: http://butcher.heavennet.ru/patches/kernel/ipfw/ipfw_counterlimit.diff -- WBR, Andrey V

Re: svn commit: r200855 - in head/sys: net netgraph netinet netinet/ipfw

2010-02-12 Thread Andrey V. Elsukov
sets enabled, because IP_FW_GET command gets small buffer and after calculating wanted size it returns back without copying anything. -- WBR, Andrey V. Elsukov

Re: kern/144869: [ipfw] [panic] Instant kernel panic when adding NAT rules using ipfw on em interfaces

2010-08-17 Thread Andrey V. Elsukov
The following reply was made to PR kern/144869; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: Ildar Hizbulin hi...@vyborg.ru Cc: bug-follo...@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: kern/144869: [ipfw] [panic] Instant kernel panic when adding NAT rules using

Re: kern/144869: [ipfw] [panic] Instant kernel panic when adding NAT rules using ipfw on em interfaces

2010-08-17 Thread Andrey V. Elsukov
it was merged to stable/8 with r211241. -- WBR, Andrey V. Elsukov

Re: bin/156653: ipfw(8) reports missing file as parameter problem

2011-05-02 Thread Andrey V. Elsukov
The following reply was made to PR bin/156653; it has been noted by GNATS. From: Andrey V. Elsukov bu7c...@yandex.ru To: bug-follo...@freebsd.org, jcl...@speakeasy.net Cc: Subject: Re: bin/156653: ipfw(8) reports missing file as parameter problem Date: Mon, 02 May 2011 15:59:16 +0400 Hi

Re: kern/147720: [ipfw] ipfw dynamic rules and fwd

2011-05-29 Thread Andrey V. Elsukov
The following reply was made to PR kern/147720; it has been noted by GNATS. From: Andrey V. Elsukov bu7c...@yandex.ru To: bug-follo...@freebsd.org, dima_...@inbox.lv Cc: Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd Date: Sun, 29 May 2011 14:41:03 +0400 This is an OpenPGP/MIME

Re: kern/150798: [ipfw] ipfw2 fwd rule matches packets but does not do the job in fact.

2011-05-30 Thread Andrey V. Elsukov
The following reply was made to PR kern/150798; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: bug-follo...@freebsd.org, a...@holymail.biz Cc: Subject: Re: kern/150798: [ipfw] ipfw2 fwd rule matches packets but does not do the job in fact. Date: Mon, 30 May 2011 15:37

Re: kern/147720: [ipfw] ipfw dynamic rules and fwd

2011-05-30 Thread Andrey V. Elsukov
The following reply was made to PR kern/147720; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: bug-follo...@freebsd.org, dima_...@inbox.lv Cc: Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd Date: Mon, 30 May 2011 15:37:52 +0400 Hi, Can you test

Re: kern/148157: [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1-PRERELEASE

2011-05-31 Thread Andrey V. Elsukov
The following reply was made to PR kern/148157; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: bug-follo...@freebsd.org, poo...@hotmail.com, Vladislav Yershov vyers...@umc.com.ua Cc: Subject: Re: kern/148157: [ipfw] IPFW in kernel nat BUG found in FreeBSD 8.1

Re: kern/157379: [ipfw] mtr does not work if I use ipfw nat

2011-06-06 Thread Andrey V. Elsukov
The following reply was made to PR kern/157379; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: bug-follo...@freebsd.org, kes-...@yandex.ru Cc: Subject: Re: kern/157379: [ipfw] mtr does not work if I use ipfw nat Date: Mon, 06 Jun 2011 09:51:09 +0400 Hi, Can you

Re: kern/131817: [ipfw] blocks layer2 packets that should not be blocked

2011-07-01 Thread Andrey V. Elsukov
The following reply was made to PR kern/131817; it has been noted by GNATS. From: Andrey V. Elsukov a...@freebsd.org To: bug-follo...@freebsd.org, eu...@grosbein.pp.ru Cc: Subject: Re: kern/131817: [ipfw] blocks layer2 packets that should not be blocked Date: Fri, 01 Jul 2011 12:56:14 +0400

Re: ipfw fwd on FreeBSD 8.1, does it work?

2011-07-05 Thread Andrey V. Elsukov
does not work when ipfw loaded as module. -- WBR, Andrey V. Elsukov signature.asc Description: OpenPGP digital signature

Re: fwd in ipfw module

2011-08-03 Thread Andrey V. Elsukov
On 03.08.2011 14:28, timp wrote: Do you know solution (for GENERIC kernel) that can port forwarding? I found /usr/ports/net/rinetd You can use pf(4). -- WBR, Andrey V. Elsukov

Re: ipfw features

2011-10-25 Thread Andrey V. Elsukov
On 25.10.2011 17:19, Серега Гончаров wrote: Hi all. Is there some plans to make ipfw can change ip header fields of going throught packets, like TTL, DF flag etc. pf and iptables can, so maybe in freebsd 9 it will be implemented? thanks. You can use ng_patch(4) for that. -- WBR, Andrey V

Re: IPFW tables trouble

2012-05-16 Thread Andrey V. Elsukov
:/usr/obj/usr/src/sys/GENERIC amd64 Hi, Can you try update your 9.0-STABLE and test it again? There were some changes related to tables. -- WBR, Andrey V. Elsukov

[RFC] Enabling IPFIREWALL_FORWARD in run-time

2012-10-19 Thread Andrey V. Elsukov
/pfil_forward.diff Also we have done some tests with the ixia traffic generator connected via 10G network adapter. Tests have show that there is no visible difference, and there is no visible performance degradation. Any objections? -- WBR, Andrey V. Elsukov

Re: [RFC] Enabling IPFIREWALL_FORWARD in run-time

2012-10-19 Thread Andrey V. Elsukov
is undesirable, because we can have kernel without ipfw. So, i decided to choose pfil, because it could not work without pfil. -- WBR, Andrey V. Elsukov

Re: IPFW fwd not working after upgrade from 9.2 to 10.0

2014-02-06 Thread Andrey V. Elsukov
, which I'd like to use for responses to connections coming on on vtnet1. Under 9.2, the below worked fine: Hi, you can apply this patch: http://svnweb.freebsd.org/base?view=revisionrevision=260702 -- WBR, Andrey V. Elsukov

Re: IPFW fwd not working after upgrade from 9.2 to 10.0

2014-02-06 Thread Andrey V. Elsukov
On 06.02.2014 12:31, Andrey V. Elsukov wrote: On 06.02.2014 04:08, John Nielsen wrote: I have been using IPFW FWD to do per-interface routing on a VM instance. The default gateway is on interface vtnet0, but there is a second interface, vtnet1, on a different network with its own public IP

Re: how does it pass in the rule sets

2014-04-21 Thread Andrey V. Elsukov
) functions to interact with kernel. In particular, do_cmd() function from ipfw2.c does it. -- WBR, Andrey V. Elsukov

Re: how does it pass in the rule sets

2014-04-21 Thread Andrey V. Elsukov
On 21.04.2014 19:14, bycn82 wrote: On 4/21/14 22:34, Andrey V. Elsukov wrote: On 19.04.2014 11:45, bycn82 wrote: Hi, can someone help to explain how does the user land command `ipfw` pass the rule set into the hook function in the kernel? I assume that it must be hardcoded in somewhere

Re: net.inet{,6}.fw.enable in /etc/rc

2014-09-22 Thread Andrey V. Elsukov
before running rc.d scripts at boot time, and enables it again in rc.d/ipfw script. Hi, I think this should be configurable, the change can be an unexpected for someone. -- WBR, Andrey V. Elsukov

Re: reass all from any to any kills IPv6 packets

2015-03-05 Thread Andrey V. Elsukov
? Both :) Hit this bug several years ago, seems it is still here AFAIR, I made the patch for such PR, but nobody wanted to test it :) https://people.freebsd.org/~ae/ipfw_ip6reass.diff Probably now I can test it myself a bit later. -- WBR, Andrey V. Elsukov

Re: change source of IPFW

2015-06-01 Thread Andrey V. Elsukov
, you need to modify ip_fw_sockopt.c:check_ipfw_rule_body() function. -- WBR, Andrey V. Elsukov

Re: panic: refcount inconsistency: found: 0 total: 1

2015-11-03 Thread Andrey V. Elsukov
age. -- WBR, Andrey V. Elsukov

Re: proxy_rule is missing in kernel nat?

2015-09-28 Thread Andrey V. Elsukov
it looks like proxy_rule was forgotten when it was ported. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal" state operations, push into 11?

2016-06-07 Thread Andrey V. Elsukov
ld be branched. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal" state operations, push into 11?

2016-06-08 Thread Andrey V. Elsukov
understand - beyond descriptions in > the abstract case; ie an actual working dual- or multi-flow example. > > I know these are "just doc" issues of little importance while testing > working code, and I haven't supplied any patches, so are just FWIW .. Will try to implement support for limit rules and update man. Thanks. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal" state operations, push into 11?

2016-06-10 Thread Andrey V. Elsukov
iggers this opcode. So, you introduced new implicit behavior while thinking that resolve old wrong behavior. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal" state operations, push into 11?

2016-06-15 Thread Andrey V. Elsukov
s://reviews.freebsd.org/D6674 Also I reworked Lev's patch on top of my patch and made it simpler: https://reviews.freebsd.org/D1776#143557 -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal" state operations, push into 11?

2016-06-06 Thread Andrey V. Elsukov
deferred action looks too hackish to me. With the following patch you will be able create two different states, I think, and solve your task with NAT and dynamic rules: https://reviews.freebsd.org/D6674 -- WBR, Andrey V. Elsukov

Re: [RFC] ipfw named states support

2016-05-30 Thread Andrey V. Elsukov
On 30.05.16 07:56, Julian Elischer wrote: > On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote: >> Hi All, >> >> We have the patch that adds named states support to ipfw. > > like it and have wished for this for along time > this allows per-interface state. Can stat

Re: ALPHA3 panic with ipfw+dummynet and gif/gre tunnels

2016-06-17 Thread Andrey V. Elsukov
Hi, this is known issue. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209466 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=162558 It looks the same, but for IPv6. -- WBR, Andrey V. Elsukov

Re: IPv6 NAT

2016-04-30 Thread Andrey V. Elsukov
oo. Hi, we have implemented IPv6 NPT (RFC 6296) and basic NAT64 (stateless and statefull) for ipfw. Currently we are preparing to commit them into FreeBSD head/. I hope I'll do this in several weeks before 11.0 freeze. -- WBR, Andrey V. Elsukov

[RFC] ipfw named states support

2016-05-18 Thread Andrey V. Elsukov
isting rulesets. Probably, we can add some mandatory prefix to state name, e.g. ':'. -- WBR, Andrey V. Elsukov

Re: Significant missing item in 11.0 release notes

2016-08-01 Thread Andrey V. Elsukov
c tables will be created automatically (with warning). -- WBR, Andrey V. Elsukov

Re: your thoughts on a particular ipfw action.

2016-08-02 Thread Andrey V. Elsukov
ablearg skipto is very inefficient. It's also a hard thing to set up > with a set of rules for each country (how many countries are there in > the internet allocation system?). You can build ipfw with enabled LINEAR_SKIPTO and use the same rules for most countries. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal" state operations, push into 11?

2016-08-03 Thread Andrey V. Elsukov
R, this was a part of "per-interface firewall" patch from eri@ and I think it is mostly outdated now, because in head/ we did very complex changes in ipfw. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal" state operations, push into 11?

2016-08-03 Thread Andrey V. Elsukov
On 03.08.16 22:07, Lev Serebryakov wrote: > On 03.08.2016 21:03, Andrey V. Elsukov wrote: > >>> 1/ ability to use keep-state without an implicit check-state. <--- most >>> important for me. (store-state)? >>> 2/ ability to keep-state without actually doin

Re: IPFW: more "orthogonal" state operations, push into 11?

2016-08-04 Thread Andrey V. Elsukov
similar, that was described by Lev. -- WBR, Andrey V. Elsukov

Re: IPFW: more "orthogonal" state operations, push into 11?

2016-08-04 Thread Andrey V. Elsukov
eated this rule :) -- WBR, Andrey V. Elsukov

Re: Named states in ipfw (and old rulesets)

2016-08-14 Thread Andrey V. Elsukov
p from any to any // Allowed local services > - common block > > So, yes, comment is lost! It looks it never worked due to "goto done" in the code. -- WBR, Andrey V. Elsukov

Re: names for limit states?

2016-08-14 Thread Andrey V. Elsukov
On 14.08.16 15:04, Lev Serebryakov wrote: > Hello Ae, > > Looks like you didn't add names support for states with limits? Why? For me it looks like I did that. Why would you think differently? :) -- WBR, Andrey V. Elsukov

Re: Strange printing of rule with "unreach6" action

2016-07-19 Thread Andrey V. Elsukov
emoved) > > unreach6 address16005 80 5574 ip6 from any to 2001:4de0:ac10::1:1:14 I think it should be fixed after r297981. -- WBR, Andrey V. Elsukov

Re: ipfw kernel NAT performance much worse in 11-Stable than 10-Stable

2017-08-31 Thread Andrey V. Elsukov
X: > nat 1 ip4 from any to any via igb1 > > I can provide the full set of rules if needed, but I think only those > two lines are relevant. > > Does anybody please have any ideas on this, please? Can you show the output of `ifconfig igb1 | grep flags` on stab

Re: ipfw kernel NAT performance much worse in 11-Stable than 10-Stable

2017-08-31 Thread Andrey V. Elsukov
On 31.08.2017 13:01, Andrey V. Elsukov wrote: >> Does anybody please have any ideas on this, please? > > Can you show the output of `ifconfig igb1 | grep flags` on stable/10 and > stable/11? Sorry, I wanted to write `ifconfig igb1 | grep options`. -- WBR, Andrey V. Elsukov

Re: ipfw kernel NAT performance much worse in 11-Stable than 10-Stable

2017-08-31 Thread Andrey V. Elsukov
<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> > You need to disable TSO on your interface, ipfw nat is not compatible with TCP segmentation offloading (this is noted in ipfw(8) BUGS section). Try to use: ifconfig igb1 -vlanhwtso -tso4 You can add these option to "ifconfig_igb1" variabl

Re: ipfw pipe show yields "REDZONE: Buffer overflow detected..."

2017-12-20 Thread Andrey V. Elsukov
ses, but they are associated with the commands -- this is trivially > reproducible (for me, anyway). It would be nice if you created PR where you described steps to reproduce this. Your kernel/modules config, commands you used to get this result. -- WBR, Andrey V. Elsukov
