Re: kern/188543: [ipfw] ipfw option `in` is not working on FreeBSD10

2014-04-15 Thread linimon
Old Synopsis: ipfw option `in` is not working on FreeBSD10
New Synopsis: [ipfw] ipfw option `in` is not working on FreeBSD10

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Wed Apr 16 01:40:14 UTC 2014
Responsible-Changed-Why: 
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=188543
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"


Re: kern/188543: [ipfw] ipfw option `in` is not working on FreeBSD10

2014-04-15 Thread lhmwzy
The following reply was made to PR kern/188543; it has been noted by GNATS.

From: lhmwzy 
To: bug-follo...@freebsd.org
Cc:  
Subject: Re: kern/188543: [ipfw] ipfw option `in` is not working on FreeBSD10
Date: Wed, 16 Apr 2014 10:33:34 +0800

I have tested under 10.0 and the count is always 0.
#sysctl -a|grep ipfw
net.link.ether.ipfw:1

Under 8.4 and 9.2, the count is correct.
 


Re: kern/188543: [ipfw] ipfw option `in` is not working on FreeBSD10

2014-04-16 Thread bycn82

Thanks for commenting and for testing.
I started to read the source code this morning when I was in the MRT.
I was a Java developer, and about the source code I have to say "what a
mess!"




Re: kern/188543: [ipfw] ipfw option `in` is not working on FreeBSD10

2014-04-16 Thread lhmwzy
The following reply was made to PR kern/188543; it has been noted by GNATS.

From: lhmwzy 
To: bug-follo...@freebsd.org, byc...@gmail.com
Cc:  
Subject: Re: kern/188543: [ipfw] ipfw option `in` is not working on FreeBSD10
Date: Wed, 16 Apr 2014 21:12:42 +0800

Under 10.0

00100 0 0 count ip from any to any MAC any any in via em0
00200 0 0 count ip from any to any MAC any 00:0c:29:f4:d8:75 in via em0
00400 0 0 count ip from any to any MAC any 00:0c:29:f4:d8:75 in

These rules' counts are 0.

00300 2999 1089504 count ip from any to any MAC any 00:0c:29:f4:d8:75
00500 2959 287441 count ip from any to any out
00600 812 113255 count ip from any to any in
00700 45 8952 count ip from any to any MAC any 00:0c:29:f4:d8:75 out

These rules look like they are working normally.
00:0c:29:f4:d8:75 is the MAC of my em0.
 


Re: kern/188543: [ipfw] ipfw option `in` is not working on FreeBSD10

2014-04-16 Thread ae
Synopsis: [ipfw] ipfw option `in` is not working on FreeBSD10

Responsible-Changed-From-To: freebsd-ipfw->ae
Responsible-Changed-By: ae
Responsible-Changed-When: Wed Apr 16 14:19:42 UTC 2014
Responsible-Changed-Why: 
Take it.

http://www.freebsd.org/cgi/query-pr.cgi?pr=188543


Re: kern/188543: [ipfw] ipfw option `in` is not working on FreeBSD10

2014-04-16 Thread bycn82
Thanks for your testing, you are right, that's the reason why I said the `in` option
is not functioning properly.
And who is the guy who maintains the source of ipfw? Two things I want to say
to him:
1. The source of ipfw is cool, amazingly powerful; by reading the source
code, I found it actually checks more things than I expected, more
features than I assumed. Good job!
2. Today is my first perusal of a system's source code; maybe it is
your standard, but for me it's really disgusting! Anyway, since it is
still under your control,


Best Regards,
Bill Yuan



Re: kern/188543: [ipfw] ipfw option `in` is not working on FreeBSD10

2014-04-16 Thread bycn82

Cool!
I just finished the overview of the source code, and finally understood the
`for loop` in ip_fw2.c roughly.
Aside from the coding style (sorry for my ironic words), I want to ask
whether my understanding is correct.


You wrap the packet/frame in `check frame` or `check packet`, which
are invoked in the hook() function, and pass it into the chk() function,
and the chk() function will check the `args` against the whole rule set
(the `chain` variable).


So my question is, does it mean that all packets need to be checked
against all the firewall rules? Sorry, I did not have time to
check/understand how we generate the `chain` yet. If it is really working
in this case, I cannot accept that personally!


According to the man page, we have 4 `check point`s; I assumed that we have
registered the hook() in 4 different places. For example, if I have 10K
lines of rules which are for the 4th `check point` only, based on the current
logic, each packet/frame needs to be checked against the rules 4 times, and
actually in the 1st, 2nd and 3rd `check-point`s the verification is not needed. I
hope I was wrong.


Can someone kindly explain the correct logic? Thanks very much!




Re: kern/188543: [ipfw] ipfw option `in` is not working on FreeBSD10

2014-04-16 Thread bycn82

Hi
According to the `loop` in the chk() function, every time it is invoked,
the arg will be checked against `the chain`, so I assumed that the chain is
always the same.
I saw that `the chain` is always `V_layer3_chain`, but I did not find any
V_layer2_chain!!!

So I assumed that currently it is always using the same `chain`.
If so, is it better to separate the rules into multiple `chain`s? For
example, chain1 chain2 chain3 chain4, and different `check point`s are
going to use their own chain accordingly?


Respect your effort, and I want to say `thanks` here, Thanks!

Best Regards,
Bill Yuan



Re: kern/188543: [ipfw] ipfw option `in` is not working on FreeBSD10

2014-04-19 Thread Julian Elischer

On 4/16/14, 11:40 PM, bycn82 wrote:

Hi
According to the `loop` in the chk() function, every time it is
invoked, the arg will be checked against `the chain`, so I assumed
that the chain is always the same.
I saw that `the chain` is always `V_layer3_chain`, but I did not
find any V_layer2_chain!!!

So I assumed that currently it is always using the same `chain`.
If so, is it better to separate the rules into multiple `chain`s?
For example, chain1 chain2 chain3 chain4, and different `check
point`s are going to use their own chain accordingly?


You can do that with one chain, by using the 'skipto' command to make
packets from different entry points skipto different rule numbers.


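The single-chain `skipto` layout Julian describes, as a toy model added here (not ipfw's code, not anything from the PR): a prologue of four skipto rules keyed on `layer2` and `in`/`out` sends each packet to its own block, so a packet entering at one checkpoint walks only that block rather than the whole ruleset that bycn82 was worried about. Rule numbers, the 100-rule blocks and the flat-chain comparison are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str                      # "count", "skipto", "allow" or "deny"
    layer2: Optional[bool] = None    # None matches both layer2 and layer3 packets
    direction: Optional[str] = None  # "in", "out" or None for either
    target: int = 0                  # skipto target rule number
    pkts: int = 0                    # per-rule packet counter, as `ipfw show` prints

    def matches(self, layer2: bool, direction: str) -> bool:
        return self.layer2 in (None, layer2) and self.direction in (None, direction)


def run_chain(chain: List[Rule], layer2: bool, direction: str) -> Tuple[str, int]:
    """Walk one packet through the chain; return (verdict, number of rules examined)."""
    i, examined = 0, 0
    while i < len(chain):
        rule = chain[i]
        examined += 1
        if not rule.matches(layer2, direction):
            i += 1
            continue
        rule.pkts += 1
        if rule.action == "count":
            i += 1
        elif rule.action == "skipto":
            # skipto N resumes at the first rule whose number is >= N
            i = next(k for k, r in enumerate(chain) if r.number >= rule.target)
        else:
            return rule.action, examined
    return "deny", examined  # fell off the end: behaves like the default rule


# Constructed entry points: (block base number, layer2?, direction)
ENTRY_POINTS = [(1000, True, "in"), (2000, True, "out"), (3000, False, "in"), (4000, False, "out")]


def build_chain(with_skipto: bool) -> List[Rule]:
    """Constructed ruleset: four blocks of 100 count rules, one block per entry point."""
    chain: List[Rule] = []
    if with_skipto:
        # Prologue: one skipto per entry point, so each block is only walked by its own packets
        for n, (base, l2, d) in enumerate(ENTRY_POINTS, start=1):
            chain.append(Rule(n * 100, "skipto", l2, d, target=base))
    for base, l2, d in ENTRY_POINTS:
        for k in range(100):
            # Flat chain: every rule carries its own layer2/direction options, so all packets examine all of them
            chain.append(Rule(base + k, "count") if with_skipto else Rule(base + k, "count", l2, d))
        if with_skipto:
            chain.append(Rule(base + 999, "allow"))  # terminates this entry point's block
    chain.append(Rule(65000, "allow"))
    return chain
```

With the prologue, a layer3 outbound packet examines 4 skipto rules plus its own 101-rule block; in the flat chain the same packet examines all 401 rules, matching only the 100 that carry its options.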


