From pepper@reppep.com  Sun Oct 20 12:17:02 2002
Return-Path: <pepper@reppep.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id ADAC137B401; Sun, 20 Oct 2002 12:17:02 -0700 (PDT)
Received: from www.reppep.com (www.reppep.com [66.92.104.200])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 4D03043E7B; Sun, 20 Oct 2002 12:16:58 -0700 (PDT)
	(envelope-from pepper@reppep.com)
Received: by www.reppep.com (Postfix, from userid 501)
	id 4DF27AA8B; Sun, 20 Oct 2002 15:18:41 -0400 (EDT)
Message-Id: <20021020191841.4DF27AA8B@www.reppep.com>
Date: Sun, 20 Oct 2002 15:18:41 -0400 (EDT)
From: Chris Pepper <pepper@rockefeller.edu>
Reply-To: Chris Pepper <pepper@rockefeller.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Luigi Rizzo <luigi@FreeBSD.org>
Subject: IPFW2 broken in recent 4.7-STABLE??
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         44311
>Category:       kern
>Synopsis:       IPFW2 broken in recent 4.7-STABLE??
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 20 12:20:01 PDT 2002
>Closed-Date:    Sun Oct 27 16:48:57 PST 2002
>Last-Modified:  Sun Oct 27 16:48:57 PST 2002
>Originator:     Chris Pepper
>Release:        FreeBSD 4.7-STABLE i386
>Organization:
>Environment:
System: FreeBSD www.reppep.com 4.7-STABLE FreeBSD 4.7-STABLE #4: Sun Oct 20 01:54:39 EDT 2002 root@www.reppep.com:/usr/obj/usr/src/sys/GENERIC i386


	
>Description:
	Last night I enabled IPFW in /etc/rc.conf with the "open" ruleset. Traffic was flowing, and "ipfw -atNde l" showed the expected 5 rules. Here are my entries from rc.conf:

firewall_enable="YES"		# Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
firewall_type="open"		# Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"		# Set to YES to suppress rule display
firewall_logging="YES"		# Set to YES to enable events logging
firewall_flags=""		# Flags passed to ipfw when type is a file

	Half an hour ago, I added IPFW2=TRUE to /etc/make.conf and rebuilt my kernel from a cvsup this morning, and IPFW stopped passing traffic (no access in or out of the box, Samba and other daemons started reporting permission denied errors). "ipfw -atNde l" returned the following (repeating over 100mb without line breaks, before I gave up and stopped it):

[www:~] root# more ipfw-atNde-l.txt 
00141 38749194944512          0                           ip from any to any [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode 0 len 0] [opcode

	firewall_enable="NO" in /etc/rc.conf restored connectivity, but I would like to get IPFW2 working so I can use OR rules.
	
>How-To-Repeat:
	Rebuild current 4.7-STABLE with IPFW2=TRUE in /etc/make.conf; enable IPFW with "open" type firewall in /etc/rc.conf. Attempt to pass traffic or open listeners.
	
>Fix:

>Release-Note:
>Audit-Trail:

From: Chris Pepper <pepper@reppep.com>
To: Luigi Rizzo <luigi@freebsd.org>
Cc: FreeBSD-gnats-submit@freebsd.org, tom@FreeBSD.org
Subject: Re: kern/44311 IPFW2 broken in recent 4.7-STABLE??
Date: Sun, 20 Oct 2002 17:14:03 -0400

 	Ah, then this is a bug against the man page, which provides 
 instructions for getting IPFW2 in STABLE without mentioning the 
 kernel change:
 
 >      ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still uses
 >      ipfw1 unless the kernel is compiled with options IPFW2, and /sbin/ipfw
 >      and /usr/lib/libalias are recompiled with -DIPFW2 and reinstalled (the
 >      same effect can be achieved by adding IPFW2=TRUE to /etc/make.conf before
 >      a buildworld).
 
 	I will back off to IPFW1 for now if 
 src/sys/modules/ipfw/Makefile isn't going to be able to build IPFW2 
 with STABLE GENERIC -- I prefer to stick with GENERIC and modules.
 
 
 						Thanks,
 
 
 						Chris Pepper
 
 At 1:51 PM -0700 2002/10/20, Luigi Rizzo wrote:
 >On Sun, Oct 20, 2002 at 04:34:02PM -0400, Chris Pepper wrote:
 >>  At 12:26 PM -0700 2002/10/20, Luigi Rizzo wrote:
 >>  >you have a mismatch between kernel and userland. Probably an
 >>  >ipfw2 in userland and still ipfw1 in the kernel.
 >>
 >>	Strange. I just rebuilt kernel & world and get the same
 >>  problem. Is there anything more than "IPFW2=TRUE" in /etc/make.conf
 >>  that controls 1 vs. 2? How can I check the installed versions of both
 >>  parts? I don't see anything useful with "strings /modules/ipfw.ko".
 >
 >you need
 >
 >	options	IPFW2
 >
 >in your kernel config. I believe the module's Makefile does not have
 >the correct option to build an ipfw2 module
 
 -- 
 Chris Pepper:               <http://www.reppep.com/~pepper/>
 Rockefeller University:     <http://www.rockefeller.edu/>
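
 The diagnosis Luigi gives above (userland rebuilt with -DIPFW2 while the kernel or ipfw.ko is still ipfw1) is easy to repeat, because IPFW2=TRUE in /etc/make.conf and "options IPFW2" in the kernel config live in two different files and only one of them is mentioned by most how-tos. The following is an added example, not part of this PR and not FreeBSD's own code: a POSIX sh check that reads both files and reports whether they agree. The make.conf and kernel-config contents are constructed samples, the file names are passed as arguments, and the mktemp directory is an assumption of the example, not anything on the submitter's box.

```shell
#!/bin/sh
# Added example, not from the PR or the FreeBSD tree.  Checks that
# /etc/make.conf and the kernel config file agree on IPFW2.  Per the
# thread, IPFW2=TRUE in make.conf only rebuilds /sbin/ipfw and libalias
# with -DIPFW2; the kernel (or ipfw.ko) stays ipfw1 unless the kernel
# config carries "options IPFW2".  A mismatch leaves the rule listing
# unreadable and the "open" ruleset passing no traffic.
# File paths are taken as arguments so it can run on constructed samples.

# ipfw2_check MAKECONF KERNCONF
# Prints which version each side is built for; returns 0 when they agree,
# 1 when they do not.
ipfw2_check() {
    makeconf=$1
    kernconf=$2

    # Strip comments first so a commented-out "#IPFW2=TRUE" does not count.
    if sed 's/#.*//' "$makeconf" |
       grep -Eq '^[[:space:]]*IPFW2[[:space:]]*[?:+]?=[[:space:]]*TRUE[[:space:]]*$'; then
        userland=2
    else
        userland=1
    fi

    if sed 's/#.*//' "$kernconf" |
       grep -Eq '^[[:space:]]*options[[:space:]]+IPFW2([[:space:]]|$)'; then
        kernel=2
    else
        kernel=1
    fi

    echo "userland (from $makeconf): ipfw$userland"
    echo "kernel   (from $kernconf): ipfw$kernel"
    [ "$userland" = "$kernel" ]
}

# Constructed sample inputs (assumed paths, not files from the PR).
SAMPLE_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_MAKECONF=$SAMPLE_DIR/make.conf
SAMPLE_KERNCONF_GENERIC=$SAMPLE_DIR/GENERIC
SAMPLE_KERNCONF_IPFW2=$SAMPLE_DIR/GENERIC-IPFW2

cat > "$SAMPLE_MAKECONF" <<'EOF'
# /etc/make.conf (constructed sample)
CPUTYPE=i686
IPFW2=TRUE
EOF

# Stock-style kernel config: no IPFW2 option, only a commented-out one.
cat > "$SAMPLE_KERNCONF_GENERIC" <<'EOF'
machine		i386
ident		GENERIC
options		INET
#options	IPFW2		# commented out: must not count
EOF

# The same config with the line the ipfw(8) man page calls for.
cat > "$SAMPLE_KERNCONF_IPFW2" <<'EOF'
machine		i386
ident		GENERIC
options		INET
options		IPFW2
EOF

# Demonstration: the submitter's situation (IPFW2=TRUE plus a stock
# GENERIC) is reported as a mismatch; adding "options IPFW2" clears it.
if ipfw2_check "$SAMPLE_MAKECONF" "$SAMPLE_KERNCONF_GENERIC"; then
    echo "consistent"
else
    echo "MISMATCH: add 'options IPFW2' to the kernel config (or drop IPFW2=TRUE) and rebuild kernel and world"
fi
ipfw2_check "$SAMPLE_MAKECONF" "$SAMPLE_KERNCONF_IPFW2" && echo "consistent"
```

 On a real box the two arguments would be /etc/make.conf and the config under /usr/src/sys/i386/conf; the check only reads them, so it is safe to run before a buildworld/buildkernel rather than after the firewall has already stopped passing traffic.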

From: Luigi Rizzo <luigi@freebsd.org>
To: Chris Pepper <pepper@reppep.com>
Cc: FreeBSD-gnats-submit@freebsd.org, tom@freebsd.org
Subject: Re: kern/44311 IPFW2 broken in recent 4.7-STABLE??
Date: Sun, 20 Oct 2002 14:19:51 -0700

 On Sun, Oct 20, 2002 at 05:14:03PM -0400, Chris Pepper wrote:
 > 	Ah, then this is a bug against the man page, which provides 
 > instructions for getting IPFW2 in STABLE without mentioning the 
 > kernel change:
 > 
 > >      ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD STABLE still uses
 > >      ipfw1 unless the kernel is compiled with options IPFW2, and /sbin/ipfw
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 it does mention the kernel change.
 
 	cheers
 	luigi
 
 > >      and /usr/lib/libalias are recompiled with -DIPFW2 and reinstalled (the
 > >      same effect can be achieved by adding IPFW2=TRUE to /etc/make.conf before
 > >      a buildworld).
 > 
 > 	I will back off to IPFW1 for now if 
 > src/sys/modules/ipfw/Makefile isn't going to be able to build IPFW2 
 > with STABLE GENERIC -- I prefer to stick with GENERIC and modules.

From: Chris Pepper <pepper@reppep.com>
To: Luigi Rizzo <luigi@freebsd.org>
Cc: FreeBSD-gnats-submit@freebsd.org, tom@freebsd.org
Subject: Re: kern/44311 IPFW2 broken in recent 4.7-STABLE??
Date: Sun, 20 Oct 2002 17:28:34 -0400

 At 2:19 PM -0700 2002/10/20, Luigi Rizzo wrote:
 >On Sun, Oct 20, 2002 at 05:14:03PM -0400, Chris Pepper wrote:
 >>	Ah, then this is a bug against the man page, which provides
 >>  instructions for getting IPFW2 in STABLE without mentioning the
 >>  kernel change:
 >>
 >>  >      ipfw2 is standard in FreeBSD CURRENT, whereas FreeBSD 
 >>STABLE still uses
 >>  >      ipfw1 unless the kernel is compiled with options IPFW2, and 
 >>/sbin/ipfw
 >                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 >
 >it does mention the kernel change.
 
 	But the wording is unclear -- I thought IPFW2=TRUE made all 
 necessary changes, including the kernel change, and I've read that 
 para multiple times.
 
 
 						Chris Pepper
 
 >	cheers
 >	luigi
 >
 >>  >      and /usr/lib/libalias are recompiled with -DIPFW2 and 
 >>reinstalled (the
 >>  >      same effect can be achieved by adding IPFW2=TRUE to 
 >>/etc/make.conf before
 >>  >      a buildworld).
 >>
 >>	I will back off to IPFW1 for now if
 >>  src/sys/modules/ipfw/Makefile isn't going to be able to build IPFW2
 >>  with STABLE GENERIC -- I prefer to stick with GENERIC and modules.
 
 
 -- 
 Chris Pepper:               <http://www.reppep.com/~pepper/>
 Rockefeller University:     <http://www.rockefeller.edu/>

From: Chris Pepper <pepper@reppep.com>
To: freebsd-gnats-submit@FreeBSD.org, pepper@rockefeller.edu
Cc:  
Subject: Re: kern/44311: IPFW2 broken in recent 4.7-STABLE??
Date: Sun, 27 Oct 2002 14:11:50 -0500

 	Please close. This is a doc issue, which I will open another 
 PR for (with patch).
 
 
 						Thx,
 
 
 						Chris Pepper
 -- 
 Chris Pepper:               <http://www.reppep.com/~pepper/>
 Rockefeller University:     <http://www.rockefeller.edu/>
State-Changed-From-To: open->closed 
State-Changed-By: ceri 
State-Changed-When: Sun Oct 27 16:48:22 PST 2002 
State-Changed-Why:  
Closed at submitter's request. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=44311 
>Unformatted:
 	
