[Bug 217391] [ipfw] [panic] erroneous ipfw rule triggers KASSERT
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217391 Mark Linimonchanged: What|Removed |Added Assignee|freebsd-b...@freebsd.org|freebsd-ipfw@FreeBSD.org -- You are receiving this mail because: You are the assignee for the bug. ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Re: dummynet loses ports mask bits
On 1/3/17 1:54 am, Julian Elischer wrote: On 1/3/17 1:46 am, Luigi Rizzo wrote: On Tue, Feb 28, 2017 at 9:27 AM, Julian Elischerwrote: In the following example it appears that the mask bits for the port number are lost. before I raise a bug.. is there anyone who can see that I am doing anything wrong? I'm not sure what the q131053 stuff is about either, but.. q131053 is the internal name for the queue associated with the pipe (pipe# + 0x1). I am not sure if the mask supports ip/port notation (dst-ip covers only the address part). Of course the real bug is that the parser should be more strict and complain about extra/ignored fields. But the ipfw parser is full of these things. cheers luigi my error is I should have used dst-port 0x000f not /0x000f seems to be working now -- FreeBSD fb10-cc03.kumo.com 10.3-RELEASE-p16 : Wed Feb 22 14:40:53 UTC 2017 amd64 fb10-cc03# ipfw pipe 11 config mask dst-ip 0x00ff/0x0fff bw 200Kbit/s fb10-cc03# ipfw pipe show 00011: 200.000 Kbit/s0 ms burst 0 q131083 50 sl. 0 flows (1 buckets) sched 65547 weight 0 lmax 0 pri 0 droptail sched 65547 type FIFO flags 0x1 64 buckets 0 active mask: 0x00 0x/0x -> 0x00ff/0x btw ipfw pipe show only shows queues currently active. is there a way to see 'queues active in the last few seconds"? ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org" ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Re: dummynet loses ports mask bits
On 1/3/17 1:46 am, Luigi Rizzo wrote: On Tue, Feb 28, 2017 at 9:27 AM, Julian Elischerwrote: In the following example it appears that the mask bits for the port number are lost. before I raise a bug.. is there anyone who can see that I am doing anything wrong? I'm not sure what the q131053 stuff is about either, but.. q131053 is the internal name for the queue associated with the pipe (pipe# + 0x1). I am not sure if the mask supports ip/port notation (dst-ip covers only the address part). Of course the real bug is that the parser should be more strict and complain about extra/ignored fields. But the ipfw parser is full of these things. cheers luigi my error is I should have used dst-port 0x000f not /0x000f seems to be working now -- FreeBSD fb10-cc03.kumo.com 10.3-RELEASE-p16 : Wed Feb 22 14:40:53 UTC 2017 amd64 fb10-cc03# ipfw pipe 11 config mask dst-ip 0x00ff/0x0fff bw 200Kbit/s fb10-cc03# ipfw pipe show 00011: 200.000 Kbit/s0 ms burst 0 q131083 50 sl. 0 flows (1 buckets) sched 65547 weight 0 lmax 0 pri 0 droptail sched 65547 type FIFO flags 0x1 64 buckets 0 active mask: 0x00 0x/0x -> 0x00ff/0x ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Re: dummynet loses ports mask bits
On 1/3/17 1:27 am, Julian Elischer wrote: In the following example it appears that the mask bits for the port number are lost. before I raise a bug.. is there anyone who can see that I am doing anything wrong? just realised I'm using wrong syntax need "mask dst-port" fooled by the fact there was no error. I'm not sure what the q131053 stuff is about either, but.. -- FreeBSD fb10-cc03.kumo.com 10.3-RELEASE-p16 : Wed Feb 22 14:40:53 UTC 2017 amd64 fb10-cc03# ipfw pipe 11 config mask dst-ip 0x00ff/0x0fff bw 200Kbit/s fb10-cc03# ipfw pipe show 00011: 200.000 Kbit/s0 ms burst 0 q131083 50 sl. 0 flows (1 buckets) sched 65547 weight 0 lmax 0 pri 0 droptail sched 65547 type FIFO flags 0x1 64 buckets 0 active mask: 0x00 0x/0x -> 0x00ff/0x ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org" ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
Re: dummynet loses ports mask bits
On Tue, Feb 28, 2017 at 9:27 AM, Julian Elischerwrote: > In the following example it appears that the mask bits for the port number > are lost. > before I raise a bug.. is there anyone who can see that I am doing anything > wrong? > > I'm not sure what the q131053 stuff is about either, but.. q131053 is the internal name for the queue associated with the pipe (pipe# + 0x1). I am not sure if the mask supports ip/port notation (dst-ip covers only the address part). Of course the real bug is that the parser should be more strict and complain about extra/ignored fields. But the ipfw parser is full of these things. cheers luigi > -- > FreeBSD fb10-cc03.kumo.com 10.3-RELEASE-p16 : Wed Feb 22 14:40:53 UTC 2017 > amd64 > > fb10-cc03# ipfw pipe 11 config mask dst-ip 0x00ff/0x0fff bw 200Kbit/s > > fb10-cc03# ipfw pipe show > 00011: 200.000 Kbit/s0 ms burst 0 > q131083 50 sl. 0 flows (1 buckets) sched 65547 weight 0 lmax 0 pri 0 > droptail > sched 65547 type FIFO flags 0x1 64 buckets 0 active > mask: 0x00 0x/0x -> 0x00ff/0x > -- -+--- Prof. Luigi RIZZO, ri...@iet.unipi.it . Dip. di Ing. dell'Informazione http://www.iet.unipi.it/~luigi/. Universita` di Pisa TEL +39-050-2217533 . via Diotisalvi 2 Mobile +39-338-6809875 . 56122 PISA (Italy) -+--- ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
dummynet loses ports mask bits
In the following example it appears that the mask bits for the port number are lost. before I raise a bug.. is there anyone who can see that I am doing anything wrong? I'm not sure what the q131053 stuff is about either, but.. -- FreeBSD fb10-cc03.kumo.com 10.3-RELEASE-p16 : Wed Feb 22 14:40:53 UTC 2017 amd64 fb10-cc03# ipfw pipe 11 config mask dst-ip 0x00ff/0x0fff bw 200Kbit/s fb10-cc03# ipfw pipe show 00011: 200.000 Kbit/s0 ms burst 0 q131083 50 sl. 0 flows (1 buckets) sched 65547 weight 0 lmax 0 pri 0 droptail sched 65547 type FIFO flags 0x1 64 buckets 0 active mask: 0x00 0x/0x -> 0x00ff/0x ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
[Bug 216719] panic: ipfw_check_frame: unknown retval - while trying to ipfw nat incoming packet without translation state (can be L2 firewall related)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216719 smi...@nimnet.asn.au changed: What|Removed |Added CC||smi...@nimnet.asn.au --- Comment #2 from smi...@nimnet.asn.au --- (In reply to bsd from comment #1) You have set net.link.ether.ipfw=1b Are you using any rules for layer2 ? If not, set that to 0. If so, likely best to follow the example in ipfw(8) /PACKET FLOW to separate layer2 from layer 3 processing, otherwise every rule is tested on both layer2 and layer 3 passes, i.e. usually on each of 4 passes. Which is why adding 'not layer2' to the nat rule fixed it here, but other dragons may lie hidden in other rules checked at both layers. But of course, it shouldn't panic .. backtrace looks all layer2. -- You are receiving this mail because: You are the assignee for the bug. ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
[Bug 216719] panic: ipfw_check_frame: unknown retval - while trying to ipfw nat incoming packet without translation state (can be L2 firewall related)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=216719 --- Comment #1 from b...@kobyla.org --- Adding the "not layer2" to ipfw nat rule helps to avoid this problem -- You are receiving this mail because: You are the assignee for the bug. ___ freebsd-ipfw@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"