le t4 add 6,2 0
ignored: 6,2 0
ipfw: Adding record failed: Invalid argument
Hi,
this is due to the implementation. Internally a flow table depends on the
address family and thus you need to specify an address.
--
WBR, Andrey V. Elsukov
probably this commit caused your problem https://reviews.freebsd.org/D32663
--
WBR, Andrey V. Elsukov
OpenPGP_signature
Description: OpenPGP digital signature
ind and delete deprecated addresses from an
interface.
Then NPTv6 module will use first global prefix on the interface.
--
WBR, Andrey V. Elsukov
or layer3 IP matching, not for layer2 MAC matching.
We have a patch that adds the ability to keep MAC addresses in the tables. I
hope we will push it into upstream soon.
--
WBR, Andrey V. Elsukov
SD's ipfw, than doing porting ipfw from DragonFly. But you can try :)
--
WBR, Andrey V. Elsukov
red behavior?
Hi,
it seems you need to take a look at the 'lookup dst-port tablename' opcode.
--
WBR, Andrey V. Elsukov
___
freebsd-ipfw@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
mple I included.
Hi,
I think for 3 interfaces you will not see some noticeable difference,
but when number of interfaces in the table will grow to tens or
hundreds, it will work much better than the plain list of the rules.
--
WBR, Andrey V. Elsukov
On 26.11.2019 11:31, Marco van Tol wrote:
> Did you find the time to look further into this?
> If not I understand, no problem.
>
> Let me know if there's anything I can do to help.
Hi,
I'm sorry for the delay, I'll try to finish the patch at this weekend :)
rt to be coming from the router IP on
> the first hop?
>
> Thank you very much in advance!
Hi,
I think I know where the problem is, I'll try to make the patch at the
weekend.
--
WBR, Andrey V. Elsukov
,
the fix was committed after 12.0-RELEASE, thus you need to apply the
patch, use stable/12 or wait for 12.1-RELEASE.
--
WBR, Andrey V. Elsukov
addresses in the internal
network, and use NPTv6 with "ext_if external_ifname" option. It will
automatically use the prefix configured on the external interface.
This feature is available in stable/12+.
--
WBR, Andrey V. Elsukov
> instance with such prefix.
> Are you saying NPTv6 cannot rewrite a LL prefix to a public prefix, such
> as the one held on the external interface?
Yes. Link-local address must belong to the single "link",
IPv6 scoped addresses architecture doesn't allow forward pac
I'll be grateful. Thanks.
NPTv6 module is targeted to translate routed traffic. IPv6 link-local
addresses are not forward-able. Thus you can not configure nptv6
instance with such prefix.
--
WBR, Andrey V. Elsukov
D flag). But the next rule for
states that don't stop packet processing is the last rule. This
probably will not fit your requirements.
--
WBR, Andrey V. Elsukov
ewall_logif is set in rc.conf
Hi,
for what purpose do you use ipfw0? Running tcpdump and logger looks very
ugly.
--
WBR, Andrey V. Elsukov
d be required to make dummynet work with PF? Currently,
> dummynet depends on IPFW, so I guess decoupling is one of the tasks?
Hi,
I think it doesn't really depend on ipfw, you can just remove this
dependency from ip_dummynet.c.
--
WBR, Andrey V. Elsukov
r/src/sbin/ipfw all install
--
WBR, Andrey V. Elsukov
ate->proto = IPPROTO_IPV6;
>}
>
>static int
>
>
> unfortunately, ipfw -N show still doesn't print the protocols:
>
> 00800 0 0 allow tcp from any to x.x.x.x 443 in recv bce0
>
Did you reinstall the patched version of ipfw(8)?
# ipfw add count tcp from any to ya.ru 443 out xmit lagg0
00100 count tcp from any to 87.250.250.242 443 out xmit lagg0
# ipfw -N show 100
00100 0 0 count tcp from any to ya.ru https out xmit lagg0
--
WBR, Andrey V. Elsukov
me of latest patches from this commit log to your
source code and then test.
--
WBR, Andrey V. Elsukov
> present only in head/ yet.
>
> Would be nice! I’m on 12-STABLE.
Hi,
I published the patch:
https://reviews.freebsd.org/D17765
For stable/12 you need to apply patch from r339537:
https://reviews.freebsd.org/D17100
--
WBR, Andrey V. Elsukov
fy
> the external IPv4 address)
Hi,
I think I can add this feature to ipfw_nptv6 module, but I need some
spare time to implement it. If you are interested, I'll send the patch
to you later. What version do you use? I suspect the patch will use some
features, that are present onl
c rules (those that have "keep-state" or "limit" opcodes),
this means that new rules will initiate the search in dynamic states,
and for existing connection the state will be updated and because of
this, the connection still works.
--
WBR, Andrey V. Elsukov
you want to test some patches, you can try :)
I tried to apply the patch and observed that stable/11 has a small
difference in UMA code, so you need to use this patch:
https://people.freebsd.org/~ae/keep_states11.diff
Again, I have not yet tested it widely, and on stable/11 did not test
a
ke it working.
I plan to reimplement this feature to be more useful and work with any
rules, and not only with "allow" rules.
--
WBR, Andrey V. Elsukov
't work (email is not sent out, but
> dropped on the ipfw by the last deny rule). Seems like the packet
how do you test this?
> sent by sendmail doesn't belong to snmmsp group. I have tried gid
> operator gid mail gid smmsp gid wheel - won't help. How to debug?
--
WBR, Andrey V. Elsukov
M_PKTHDR);
else if (len <= MJUM9BYTES)
mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM9BYTES);
else if (len <= MJUM16BYTES)
mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM16BYTES);
else
goto bad;
--
WBR, Andrey V. Elsukov
gth greater than 4k, ipfw_nat()
function will drop this packet.
--
WBR, Andrey V. Elsukov
22 in recv em0 not proto ip6
ipfw add 1 allow ip6 from any to me 22 in recv em0 proto tcp
--
WBR, Andrey V. Elsukov
2-RELEASE,
but I think it can be resurrected in 11.2-STABLE and 12.0-RELEASE.
I'm sorry about that.
--
WBR, Andrey V. Elsukov
them were
already fixed, so you can just submit PR or patch, if you don't like
some. Due to huge difference between old tables and what we have now, it
is not always possible for one man to test all old features and properly
merge them with new features.
--
WBR, Andrey V. Elsukov
net.ip.fw.dyn_ack_lifetime value and
determine the value that will be enough for this host. For example, set
it to 250, 200, 150, 100.
--
WBR, Andrey V. Elsukov
this should be fixed in freebsd11-stable.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224555
--
WBR, Andrey V. Elsukov
again, now for outbound
direction. And it can be matched by "out" and "xmit ed1" opcodes. The
opcode "recv ed0" still can be matched too, but "in" opcode will not
matched.
A packet destined for local host is consumed by local IP stack and will
not forwar
> pauses, but they are associated with the commands -- this is trivially
> reproducible (for me, anyway).
It would be nice if you created PR where you described steps to
reproduce this. Your kernel/modules config, commands you used to get
this result.
--
WBR, Andrey V. Elsukov
these option to "ifconfig_igb1" variable in rc.conf.
--
WBR, Andrey V. Elsukov
On 31.08.2017 13:01, Andrey V. Elsukov wrote:
>> Does anybody please have any ideas on this, please?
>
> Can you show the output of `ifconfig igb1 | grep flags` on stable/10 and
> stable/11?
Sorry, I wanted to write `ifconfig igb1 | grep options`.
--
WBR, Andrey V. Elsukov
X:
> nat 1 ip4 from any to any via igb1
>
> I can provide the full set of rules if needed, but I think only those
> two lines are relevant.
>
> Does anybody please have any ideas on this, please?
Can you show the output of `ifconfig igb1 | grep flags` on stab
p from any to any // Allowed local services
> - common block
>
> So, yes, comment is lost!
It looks like it never worked due to "goto done" in the code.
--
WBR, Andrey V. Elsukov
On 14.08.16 15:04, Lev Serebryakov wrote:
> Hello Ae,
>
> Looks like you didn't add names support for states with limits? Why?
For me it looks like I did that. Why would you think differently? :)
--
WBR, Andrey V. Elsukov
eated this
rule :)
--
WBR, Andrey V. Elsukov
hing similar, that
was described by Lev.
--
WBR, Andrey V. Elsukov
On 03.08.16 22:07, Lev Serebryakov wrote:
> On 03.08.2016 21:03, Andrey V. Elsukov wrote:
>
>>> 1/ ability to use keep-state without an implicit check-state. <--- most
>>> important for me. (store-state)?
>>> 2/ ability to keep-state without actually doin
AFAIR, this was a part of "per-interface firewall" patch from eri@ and I
think it is mostly outdated now, because in head/ we did very complex
changes in ipfw.
--
WBR, Andrey V. Elsukov
ablearg skipto is very inefficient. It's also a hard thing to set up
> with a set of rules for each country (how many countries are there in
> the internet allocation system?).
You can build ipfw with enabled LINEAR_SKIPTO and use the same rules for
most countries.
--
WBR, Andrey V. Elsukov
s
c tables will be created
automatically (with warning).
--
WBR, Andrey V. Elsukov
emoved)
>
> unreach6 address16005 80 5574 ip6 from any to 2001:4de0:ac10::1:1:14
I think it should be fixed after r297981.
--
WBR, Andrey V. Elsukov
Hi,
this is a known issue.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209466
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=162558
It looks the same, but for IPv6.
--
WBR, Andrey V. Elsukov
. Onwards ..
I updated the patch in
https://reviews.freebsd.org/D6674
Also I reworked Lev's patch on top of my patch and made it simpler:
https://reviews.freebsd.org/D1776#143557
--
WBR, Andrey V. Elsukov
ow that triggers
this opcode. So, you introduced new implicit behavior while thinking
that resolve old wrong behavior.
--
WBR, Andrey V. Elsukov
s with potentially problematic stateful issues
> with NAT - which I still don't fully understand - beyond descriptions in
> the abstract case; ie an actual working dual- or multi-flow example.
>
> I know these are "just doc" issues of little importance while testing
> working code, and I haven't supplied any patches, so are just FWIW ..
Will try to implement support for limit rules and update man. Thanks.
--
WBR, Andrey V. Elsukov
0 would be branched.
--
WBR, Andrey V. Elsukov
deferred action looks
too hackish to me.
With the following patch you will be able to create two different states, I
think, and solve your task with NAT and dynamic rules:
https://reviews.freebsd.org/D6674
--
WBR, Andrey V. Elsukov
On 30.05.16 07:56, Julian Elischer wrote:
> On 18/05/2016 10:46 PM, Andrey V. Elsukov wrote:
>> Hi All,
>>
>> We have the patch that adds named states support to ipfw.
>
> like it and have wished for this for a long time
> this allows per-interface state. Can stat
?
2. How to commit it? Due to changed syntax it can break existing
rulesets. Probably, we can add some mandatory prefix to state name, e.g.
':'.
--
WBR, Andrey V. Elsukov
.9, too.
Hi,
we have implemented IPv6 NPT (RFC 6296) and basic NAT64 (stateless and
stateful) for ipfw. Currently we are preparing to commit them into
FreeBSD head/. I hope I'll do this in several weeks before 11.0 freeze.
--
WBR, Andrey V. Elsukov
breakage.
--
WBR, Andrey V. Elsukov
stake?
Hi,
it looks like proxy_rule was forgotten when it was ported.
--
WBR, Andrey V. Elsukov
at error.
>
> Thank you for all of your comments and help.
Probably, you need to modify ip_fw_sockopt.c:check_ipfw_rule_body()
function.
--
WBR, Andrey V. Elsukov
as expected.
>>
>> Is it documentation bug or implementation bug?
>
> Both :) Hit this bug several years ago, seems it is still here
AFAIR, I made the patch for such PR, but nobody wanted to test it :)
https://people.freebsd.org/~ae/ipfw_ip6reass.diff
Probably
in the patch.
>
> To fix this, the patch turns IPFW off before running rc.d scripts at
> boot time, and enables it again in rc.d/ipfw script.
Hi,
I think this should be configurable, the change can be unexpected for
someone.
--
WBR, Andrey V. Elsukov
On 21.04.2014 19:14, bycn82 wrote:
> On 4/21/14 22:34, Andrey V. Elsukov wrote:
>> On 19.04.2014 11:45, bycn82 wrote:
>>> Hi,
>>> can someone help to explain how does the user land command `ipfw` pass
>>> the rule set into the hook function in the kernel? I ass
)/getsockopt(2) functions to
interact with kernel. In particular, do_cmd() function from ipfw2.c does it.
--
WBR, Andrey V. Elsukov
On 06.02.2014 12:31, Andrey V. Elsukov wrote:
> On 06.02.2014 04:08, John Nielsen wrote:
>> I have been using IPFW FWD to do per-interface routing on a VM
>> instance. The default gateway is on interface vtnet0, but there is a
>> second interface, vtnet1, on a different networ
has its own gateway, which I'd like to
> use for responses to connections coming on on vtnet1. Under 9.2, the
> below worked fine:
Hi,
you can apply this patch:
http://svnweb.freebsd.org/base?view=revision&revision=260702
--
WBR, Andrey V. Elsukov
But I think 512
buckets is too many.
2. What hash function is better to use?
3. Using the whole 128 bit of address to hash seems like overkill.
--
WBR, Andrey V. Elsukov
aybe a simpler Makefile
> or a shell to do this.
You can build only ipfw kernel module from the /usr/src/sys/modules/ipfw.
--
WBR, Andrey V. Elsukov
e
net.inet.ip.forwarding and net.inet6.ip6.forwarding variables, and
placing it into net.inet.ip.fw is undesirable, because we can have
kernel without ipfw. So, i decided to choose pfil, because it could not
work without pfil.
--
WBR, Andrey V. Elsukov
/pfil_forward.diff
Also we have done some tests with the ixia traffic generator connected
via 10G network adapter. Tests have shown that there is no visible
difference, and there is no visible performance degradation.
Any objections?
--
WBR, Andrey V. Elsukov
> 2012
> root@localhost:/usr/obj/usr/src/sys/GENERIC amd64
Hi,
Can you try update your 9.0-STABLE and test it again?
There were some changes related to tables.
--
WBR, Andrey V. Elsukov
On 25.10.2011 17:19, Серега Гончаров wrote:
> Hi all. Is there some plans to make ipfw can change ip header fields of
> going through packets, like TTL, DF flag etc. pf and iptables can, so maybe
> in freebsd 9 it will be implemented? thanks.
You can use ng_patch(4) for that.
--
WBR,
bsd.org/cgi/query-pr.cgi?pr=129093, but the patch for 8 branch
> didn't cure anything =(
Can you describe how you did apply and test this patch?
--
WBR, Andrey V. Elsukov
On 03.08.2011 14:28, timp wrote:
> Do you know solution (for GENERIC kernel) that can port forwarding? I found
> /usr/ports/net/rinetd
You can use pf(4).
--
WBR, Andrey V. Elsukov
> So you do not need to rebuild the kernel.
fwd does not work when ipfw loaded as module.
--
WBR, Andrey V. Elsukov
ns IPFIREWALL' in your kernel config too.
--
WBR, Andrey V. Elsukov
The following reply was made to PR kern/131817; it has been noted by GNATS.
From: "Andrey V. Elsukov"
To: bug-follo...@freebsd.org, eu...@grosbein.pp.ru
Cc:
Subject: Re: kern/131817: [ipfw] blocks layer2 packets that should not be
blocked
Date: Fri, 01 Jul 2011 12:56:14 +0400
The following reply was made to PR kern/157379; it has been noted by GNATS.
From: "Andrey V. Elsukov"
To: bug-follo...@freebsd.org, kes-...@yandex.ru
Cc:
Subject: Re: kern/157379: [ipfw] mtr does not work if I use ipfw nat
Date: Mon, 06 Jun 2011 09:51:09 +0400
Hi,
Can you test
The following reply was made to PR kern/148157; it has been noted by GNATS.
From: "Andrey V. Elsukov"
To: bug-follo...@freebsd.org, poo...@hotmail.com,
"Vladislav Yershov"
Cc:
Subject: Re: kern/148157: [ipfw] IPFW in kernel nat BUG found in FreeBSD
8.1-PRERELEASE
Date:
The following reply was made to PR kern/147720; it has been noted by GNATS.
From: "Andrey V. Elsukov"
To: bug-follo...@freebsd.org, dima_...@inbox.lv
Cc:
Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd
Date: Mon, 30 May 2011 15:37:52 +0400
Hi,
Can you test the follo
The following reply was made to PR kern/150798; it has been noted by GNATS.
From: "Andrey V. Elsukov"
To: bug-follo...@freebsd.org, a...@holymail.biz
Cc:
Subject: Re: kern/150798: [ipfw] ipfw2 fwd rule matches packets but does not
do the job in fact.
Date: Mon, 30 May 2011 15:37:16
The following reply was made to PR kern/147720; it has been noted by GNATS.
From: "Andrey V. Elsukov"
To: bug-follo...@freebsd.org, dima_...@inbox.lv
Cc:
Subject: Re: kern/147720: [ipfw] ipfw dynamic rules and fwd
Date: Sun, 29 May 2011 14:41:03 +0400
The following reply was made to PR bin/156653; it has been noted by GNATS.
From: "Andrey V. Elsukov"
To: bug-follo...@freebsd.org, jcl...@speakeasy.net
Cc:
Subject: Re: bin/156653: ipfw(8) reports missing file as parameter problem
Date: Mon, 02 May 2011 15:59:16 +0400
Hi,
I
nk it was merged to stable/8
with r211241.
--
WBR, Andrey V. Elsukov
The following reply was made to PR kern/144869; it has been noted by GNATS.
From: "Andrey V. Elsukov"
To: Ildar Hizbulin
Cc: bug-follo...@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: kern/144869: [ipfw] [panic] Instant kernel panic when adding
NAT rules using ipfw on em inter
s show all sets
enabled,
because IP_FW_GET command gets small buffer and after calculating wanted size
it returns back without copying anything.
--
WBR, Andrey V. Elsukov
Paolo Pisati wrote:
>> add packet counter as well. That's all possible with one opcode,
though...
>
> if anyone post an updated patch, i'll commit it.
Hi, Paolo.
Any progress in this?
I updated patch:
http://butcher.heavennet.ru/patches/kernel/ipfw/ipfw_counterlimit.
rihad wrote:
ipfw add pipe tablearg ip from 'table(0)' to 'table(1)'
Which of the two tables will tablearg come from?
Last 'table' argument will be used for tablearg.
Any way to make the choice explicit?
Patches are welcome
a class of probabilistic hash which may return a false positive,
"bloomier" filters are a refinement which tries to limit the false
positives.
There were some ideas from Vadim Goncharov about rewriting dynamic
rules implementation..
--
WBR, Andrey V. Elsukov
nd de-allocated, or
is it a static memory buffer?
Each dynamic rule is allocated dynamically. Be careful, too many dynamic
rules will work very slow.
--
WBR, Andrey V. Elsukov
reboots. Like in linux we do it in grub.conf
You can install grub on the FreeBSD too.
2) Can you also let me know the steps to add ipfw support in kernel?
Read the Handbook's article.
--
WBR, Andrey V. Elsukov
s.
--
WBR, Andrey V. Elsukov
# ipfw -n nat 1 show
and probably others command which didn't use `test_only` flag.
--
WBR, Andrey V. Elsukov
t my patch?
--
WBR, Andrey V. Elsukov
Index: src/sbin/ipfw/ipfw2.c
===
RCS file: /ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.118
diff -u -p -r1.118 ipfw2.c
--- src/sbin/ipfw/ipfw2.c 27 Feb 2008 13:52:33 - 1.118
++
AT Matik wrote:
jaaa well but that is the famous bw 0 example which is not valid, as by itself
certainly an invalid config, not connected to the existing problem the
reporter has I guess
bw 0 is a valid example. It's the default value. It means unlimited
bandwidth.
--
WBR, Andrey V. El
--
WBR, Andrey V. Elsukov
pipe again and again. Check your rules.
--
WBR, Andrey V. Elsukov
2 but ints
IP addresses (currently I'm overlaying it on 32 bit ints)
IPV6 addresses.
skipto locations
byte limits..
Yes, i agree. As I remember, we already talked about this
some time ago.
--
WBR, Andrey V. Elsukov
to 64 bit.
2. dynamic rules: i think it should be implemented as extension
to current O_LIMIT opcode or something similar.
Also I have a question about my current implementation. Is it
needed to have the ability of "humanized" printing of limits, which
was implemented before?
--
WBR, Andrey V. Els
Marcelo Araujo wrote:
Yes, I've interest to work around this function, this work help me for
my degree project.
I think also this work is a good opportunity to work in SoC 2008.
I think this work is too easy for the SoC'08 :)
--
WBR, Andrey
.org/cgi/query-pr.cgi?pr=kern/103454
I added to CC several men who are active in ipfw area.
It will be interesting what you think about this?
--
WBR, Andrey V. Elsukov
y the kernel itself. I _could_ work around the issue
by piping the "ipfw:" messages to /dev/null in syslogd, but there might
be a cleaner solution?
If you don't use `ipfw log ...` rules you can reset sysctl variable
net.inet.ip.fw.verbose to 0 and these messages will not be logged
1 - 100 of 147 matches