From bugmaster at FreeBSD.org Mon Sep 7 11:07:02 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Sep 7 11:08:45 2009
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200909071107.n87B714S010273@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

62 problems total.

From matti.karjalainen at nsn.com Thu Sep 10 06:37:29 2009
From: matti.karjalainen at nsn.com (mkarjal)
Date: Thu Sep 10 06:37:36 2009
Subject: IPFW and SCTP port number
Message-ID: <25377926.post@talk.nabble.com>

Hi,

I'm trying to catch SCTP packets with IPFW by SCTP port numbers, should it
be working or not?
Or is there some different syntax for this?

"ipfw add count sctp from any to any" works, counts all SCTP packets.

"ipfw add count sctp from any 49606 to any" does not work. Counters show
zero reading.

I have tried adding IP address, with different port ranges and combinations.
I have tested this with 7.2-RELEASE and 8.0-BETA3.

regards,
Matti
--
View this message in context: http://www.nabble.com/IPFW-and-SCTP-port-number-tp25377926p25377926.html
Sent from the freebsd-ipfw mailing list archive at Nabble.com.

From rizzo at iet.unipi.it Thu Sep 10 06:58:49 2009
From: rizzo at iet.unipi.it (Luigi Rizzo)
Date: Thu Sep 10 06:58:55 2009
Subject: IPFW and SCTP port number
In-Reply-To: <25377926.post@talk.nabble.com>
References: <25377926.post@talk.nabble.com>
Message-ID: <20090910064744.GA1149@onelab2.iet.unipi.it>

On Wed, Sep 09, 2009 at 11:17:50PM -0700, mkarjal wrote:
>
> Hi,
>
> I'm trying to catch SCTP packets with IPFW by SCTP port numbers, should it
> be working or not?
> Or is there some different syntax for this?
>
> "ipfw add count sctp from any to any" works, counts all SCTP packets.
>
> "ipfw add count sctp from any 49606 to any" does not work. Counters show
> zero reading.
>
> I have tried adding IP address, with different port ranges and combinations.
> I have tested this with 7.2-RELEASE and 8.0-BETA3.

i think at the moment ipfw is not parsing sctp headers so it
does not fetch port numbers.

cheers
luigi

From cypher.w at gmail.com Sat Sep 12 07:29:17 2009
From: cypher.w at gmail.com (Cypher Wu)
Date: Sat Sep 12 07:29:23 2009
Subject: Is there any one who can give me some opinions about the performance bout IPFW?
Message-ID:

1. How many rules configured.
2. The general traffic supported.
3. Hardware platform.
.......

I'm thinking to port IPFW to another platform which can support up to
10GbE traffic bidirectional and running in user node, any advice will
be appreciated.

From cypher.w at gmail.com Sat Sep 12 07:32:54 2009
From: cypher.w at gmail.com (Cypher Wu)
Date: Sat Sep 12 07:33:02 2009
Subject: Transparent firewall & Dynamic rules
Message-ID:

I want to build a transparent firewall based on IPFW. For static rules
this is fine, but for dynamic rules, ipfw uses keepalive packet to
avoid deleting a dynamic rule that both ends are still alive but don't
issue any traffic for a long time. But this means the firewall should
have its own IPs and is not transparent anymore.

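
For the "IPFW and SCTP port number" thread above, an added example (not ipfw source code and not written by any poster) that models a filter whose port-fetch step has no SCTP case, as Luigi's reply describes, next to one that reads the 12-byte SCTP common header. The names `fetch_flow_id`, `rule_matches`, `count_matches` and the two sample packets are constructed for illustration; IP checksums are left at zero and not verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTO_TCP   6
#define PROTO_UDP   17
#define PROTO_SCTP  132          /* IANA protocol number for SCTP */
#define SCTP_COMMON_HDR_LEN 12   /* src port, dst port, verification tag, checksum */

struct flow_id { uint8_t proto; uint16_t src_port, dst_port; };  /* port 0 = not fetched */
struct rule    { uint8_t proto; uint16_t src_port, dst_port; };  /* 0 = "any" */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Fill *id from an IPv4 packet. parse_sctp=0 models a filter with no SCTP
 * case (ports stay 0). Returns 0 on success, -1 on a malformed packet. */
int fetch_flow_id(const uint8_t *pkt, size_t len, int parse_sctp, struct flow_id *id)
{
    size_t hlen, need;

    id->proto = 0;
    id->src_port = id->dst_port = 0;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)
        return -1;
    id->proto = pkt[9];
    if ((rd16(pkt + 6) & 0x1fff) != 0)
        return 0;                 /* later fragment: no transport header here */

    switch (id->proto) {
    case PROTO_TCP:  need = 20; break;
    case PROTO_UDP:  need = 8;  break;
    case PROTO_SCTP:
        if (!parse_sctp)
            return 0;             /* protocol known, ports never fetched */
        need = SCTP_COMMON_HDR_LEN;
        break;
    default:
        return 0;
    }
    if (len - hlen < need)
        return -1;                /* truncated transport header */
    id->src_port = rd16(pkt + hlen);      /* ports sit at offsets 0 and 2 */
    id->dst_port = rd16(pkt + hlen + 2);  /* in TCP, UDP and SCTP alike   */
    return 0;
}

int rule_matches(const struct rule *r, const struct flow_id *id)
{
    if (r->proto && r->proto != id->proto) return 0;
    if (r->src_port && r->src_port != id->src_port) return 0;
    if (r->dst_port && r->dst_port != id->dst_port) return 0;
    return 1;
}

/* Constructed packets: IPv4 (192.0.2.1 -> 192.0.2.2, proto 132) + SCTP common header. */
static const uint8_t SAMPLE_PKTS[2][32] = {
    { 0x45,0x00,0x00,0x20, 0x00,0x01,0x40,0x00, 0x40,0x84,0x00,0x00,
      0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
      0xc1,0xc6, 0x0b,0x59, 0,0,0,1, 0,0,0,0 },   /* src port 49606, dst 2905 */
    { 0x45,0x00,0x00,0x20, 0x00,0x02,0x40,0x00, 0x40,0x84,0x00,0x00,
      0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
      0x13,0x88, 0x0b,0x59, 0,0,0,1, 0,0,0,0 },   /* src port 5000, dst 2905 */
};

/* Counter value a "count" rule would show after both sample packets. */
int count_matches(const struct rule *r, int parse_sctp)
{
    struct flow_id id;
    int hits = 0;

    for (size_t i = 0; i < 2; i++)
        if (fetch_flow_id(SAMPLE_PKTS[i], sizeof SAMPLE_PKTS[i], parse_sctp, &id) == 0)
            hits += rule_matches(r, &id);
    return hits;
}

int main(void)
{
    const struct rule any_sctp  = { PROTO_SCTP, 0, 0 };      /* count sctp from any to any */
    const struct rule port_sctp = { PROTO_SCTP, 49606, 0 };  /* count sctp from any 49606 to any */

    printf("no SCTP parsing:   any=%d port=%d\n",
           count_matches(&any_sctp, 0), count_matches(&port_sctp, 0));
    printf("with SCTP parsing: any=%d port=%d\n",
           count_matches(&any_sctp, 1), count_matches(&port_sctp, 1));
    return 0;
}
```
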
From rizzo at iet.unipi.it Sat Sep 12 13:03:13 2009
From: rizzo at iet.unipi.it (Luigi Rizzo)
Date: Sat Sep 12 13:03:18 2009
Subject: Transparent firewall & Dynamic rules
In-Reply-To:
References:
Message-ID: <20090912130913.GA46135@onelab2.iet.unipi.it>

On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
> I want to build a transparent firewall based on IPFW. For static rules
> this is fine, but for dynamic rules, ipfw uses keepalive packet to
> avoid deleting a dynamic rule that both ends are still alive but don't
> issue any traffic for a long time. But this means the firewall should
> have its own IPs and is not transparent anymore.

keepalives carry the addresses of the two endpoints,
the firewall is not visible.

From rizzo at iet.unipi.it Sat Sep 12 13:09:15 2009
From: rizzo at iet.unipi.it (Luigi Rizzo)
Date: Sat Sep 12 13:09:21 2009
Subject: Is there any one who can give me some opinions about the performance bout IPFW?
In-Reply-To:
References:
Message-ID: <20090912131516.GB46135@onelab2.iet.unipi.it>

On Sat, Sep 12, 2009 at 03:05:51PM +0800, Cypher Wu wrote:
> 1. How many rules configured.
> 2. The general traffic supported.
> 3. Hardware platform.
> .......
>
> I'm thinking to port IPFW to another platform which can support up to
> 10GbE traffic bidirectional and running in user node, any advice will
> be appreciated.

i am not entirely clear on what you want to do or know
but at the end of the dummynet page

http://info.iet.unipi.it/~luigi/dummynet/

there are also some papers (and more data should come in the next
couple of weeks) measuring the performance of ipfw.

On a 2 GHz machine the ipfw overhead alone is 200-500ns per
entry in the firewall, plus another 50ns per rule, and another
30-50ns per additional microinstruction.

Most of the overhead comes from the rest of the protocol stack;
between receive, network stack demux and transmit you can easily
consume between 1.5 and 6-7us per packet on the same hardware,
depending on the OS and driver.

cheers
luigi

From cypher.w at gmail.com Sat Sep 12 13:42:21 2009
From: cypher.w at gmail.com (Cypher Wu)
Date: Sat Sep 12 13:42:27 2009
Subject: Is there any one who can give me some opinions about the performance bout IPFW?
In-Reply-To: <20090912131516.GB46135@onelab2.iet.unipi.it>
References: <20090912131516.GB46135@onelab2.iet.unipi.it>
Message-ID:

Thanks. I'll keep an eye at the page you said. Right now it seems the
link at the end of it only shows some performance on Dummynet.

The platform I'm using has a very different way comparing to the usual
platform we are using. It is running an embedded Linux, but for the High
speed network interface it supplies a way to get Ethernet directly
from the interface driver to user space with zero copy, and no stack
needed.

Why I'm trying IPFW is because it can be used directly in the Ethernet
layer, and only a single checkpoint. Thus I can 'create' a mbuf packet
using the buffer I've got from interface driver and pass it into
ipfw_chk. So what I care about is the performance about IPFW itself.

On Sat, Sep 12, 2009 at 9:15 PM, Luigi Rizzo wrote:
> On Sat, Sep 12, 2009 at 03:05:51PM +0800, Cypher Wu wrote:
>> 1. How many rules configured.
>> 2. The general traffic supported.
>> 3. Hardware platform.
>> .......
>>
>> I'm thinking to port IPFW to another platform which can support up to
>> 10GbE traffic bidirectional and running in user node, any advice will
>> be appreciated.
>
> i am not entirely clear on what you want to do or know
> but at the end of the dummynet page
>
> http://info.iet.unipi.it/~luigi/dummynet/
>
> there are also some papers (and more data should come in the next
> couple of weeks) measuring the performance of ipfw.
>
> On a 2 GHz machine the ipfw overhead alone is 200-500ns per
> entry in the firewall, plus another 50ns per rule, and another
> 30-50ns per additional microinstruction.
>
> Most of the overhead comes from the rest of the protocol stack;
> between receive, network stack demux and transmit you can easily
> consume between 1.5 and 6-7us per packet on the same hardware,
> depending on the OS and driver.
>
> cheers
> luigi
>

From cypher.w at gmail.com Sat Sep 12 13:51:05 2009
From: cypher.w at gmail.com (Cypher Wu)
Date: Sat Sep 12 13:51:13 2009
Subject: Transparent firewall & Dynamic rules
In-Reply-To: <20090912130913.GA46135@onelab2.iet.unipi.it>
References: <20090912130913.GA46135@onelab2.iet.unipi.it>
Message-ID:

It seems fine, but I still have some questions:
1. The endpoint will respond to the keepalive TCP segment and the
destination will be the other endpoint, will IPFW just let it through
like the usual IP packet, or try to figure it out and drop it?
2. If I have two computers I can make sure both ends are not using
keepalive, then I can still figure out there is a firewall between
these two computers?

On Sat, Sep 12, 2009 at 9:09 PM, Luigi Rizzo wrote:
> On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
>> I want to build a transparent firewall based on IPFW. For static rules
>> this is fine, but for dynamic rules, ipfw uses keepalive packet to
>> avoid deleting a dynamic rule that both ends are still alive but don't
>> issue any traffic for a long time. But this means the firewall should
>> have its own IPs and is not transparent anymore.
>
> keepalives carry the addresses of the two endpoints,
> the firewall is not visible.
>
>

From rizzo at iet.unipi.it Sat Sep 12 14:04:20 2009
From: rizzo at iet.unipi.it (Luigi Rizzo)
Date: Sat Sep 12 14:04:26 2009
Subject: Transparent firewall & Dynamic rules
In-Reply-To:
References: <20090912130913.GA46135@onelab2.iet.unipi.it>
Message-ID: <20090912141021.GA46670@onelab2.iet.unipi.it>

On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
> It seems fine, but I still have some questions:
> 1. The endpoint will respond to the keepalive TCP segment and the
> destination will be the other endpoint, will IPFW just let it through
> like the usual IP packet, or try to figure it out and drop it?

it will let the packet through.

> 2. If I have two computers I can make sure both ends are not using
> keepalive, then I can still figure out there is a firewall between
> these two computers?

you can disable the keepalives on the firewall (if there is no
sysctl for it, it's a trivial code change anyways), and you
can set a large timeout.

but by definition the presence of a firewall _is_ detectable,
unless it blocks nothing so it is just a logger and not a firewall.

'transparent' referred to a middlebox means
"it does not require endpoint reconfiguration", not that
it is undetectable.

From cypher.w at gmail.com Sat Sep 12 14:52:30 2009
From: cypher.w at gmail.com (Cypher Wu)
Date: Sat Sep 12 14:52:36 2009
Subject: Transparent firewall & Dynamic rules
In-Reply-To: <20090912141021.GA46670@onelab2.iet.unipi.it>
References: <20090912130913.GA46135@onelab2.iet.unipi.it> <20090912141021.GA46670@onelab2.iet.unipi.it>
Message-ID:

Thanks a lot. It seems that I've misunderstood 'transparent firewall'.

On Sat, Sep 12, 2009 at 10:10 PM, Luigi Rizzo wrote:
> On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
>> It seems fine, but I still have some questions:
>> 1. The endpoint will respond to the keepalive TCP segment and the
>> destination will be the other endpoint, will IPFW just let it through
>> like the usual IP packet, or try to figure it out and drop it?
>
> it will let the packet through.
>
>> 2. If I have two computers I can make sure both ends are not using
>> keepalive, then I can still figure out there is a firewall between
>> these two computers?
>
> you can disable the keepalives on the firewall (if there is no
> sysctl for it, it's a trivial code change anyways), and you
> can set a large timeout.
>
> but by definition the presence of a firewall _is_ detectable,
> unless it blocks nothing so it is just a logger and not a firewall.
>
> 'transparent' referred to a middlebox means
> "it does not require endpoint reconfiguration", not that
> it is undetectable.
>

From bugmaster at FreeBSD.org Mon Sep 14 11:07:02 2009
From: bugmaster at FreeBSD.org (FreeBSD bugmaster)
Date: Mon Sep 14 11:08:31 2009
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
Message-ID: <200909141107.n8EB72l3072374@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/137346  ipfw       [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw       [ipfw] parser troubles
o kern/136695  ipfw       [ipfw] [patch] fwd reached after skipto in dynamic rul
o kern/135476  ipfw       [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw       [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw       [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw       [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw       [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw       [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw       [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw       [ipfw] IPFW check state does not work =(
o kern/129093  ipfw       [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw       [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw       [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw       ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

62 problems total.

From linimon at FreeBSD.org Tue Sep 29 02:29:50 2009
From: linimon at FreeBSD.org (linimon@FreeBSD.org)
Date: Tue Sep 29 02:29:56 2009
Subject: kern/139226: [ipfw] install_state: entry already present, done
Message-ID: <200909290229.n8T2TnlY011959@freefall.freebsd.org>

Old Synopsis: ipfw: install_state: entry already present, done
New Synopsis: [ipfw] install_state: entry already present, done

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Sep 29 02:29:28 UTC 2009
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=139226