on 20/03/2013 12:35 Alexander V. Chernikov said the following: > Author: melifaro > Date: Wed Mar 20 10:35:33 2013 > New Revision: 248552 > URL: http://svnweb.freebsd.org/changeset/base/248552 > > Log: > Add ipfw support for setting/matching DiffServ codepoints (DSCP). > > Setting DSCP support is done via O_SETDSCP which works for both > IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for > IPv4. > Dscp can be specified by name (AFXY, CSX, BE, EF), by value > (0..63) or via tablearg. > > Matching DSCP is done via another opcode (O_DSCP) which accepts several > classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words). [snip] > Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c > ============================================================================== > --- head/sys/netpfil/ipfw/ip_fw_sockopt.c Wed Mar 20 09:56:20 2013 > (r248551) > +++ head/sys/netpfil/ipfw/ip_fw_sockopt.c Wed Mar 20 10:35:33 2013 > (r248552) > @@ -671,6 +671,10 @@ check_ipfw_struct(struct ip_fw *rule, in > case O_IPID: > case O_IPTTL: > case O_IPLEN: > + case O_DSCP: > + if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1) > + goto bad_size; > + break; > case O_TCPDATALEN: > case O_TCPWIN: > case O_TAGGED:
Could you please double-check this part of the change? Handling of the new O_DSCP opcode is inserted in the middle of the long fall-through list of cases and thus it modifies behavior of the preceding cases. The commit message does not say anything about that. I've just done my bi-monthly release/upgrade and ipfw now chokes on my ruleset. There is the following message in system log: kernel: ipfw: opcode 0 size 8 wrong Offending rule seems to be: allow ip from any to any via tun* Reverting this commit fixes the problem. Thank you. -- Andriy Gapon _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
