From nobody@FreeBSD.org  Mon Mar 17 16:30:06 2014
Message-Id: <201403171630.s2HGU64r000780@cgiserv.freebsd.org>
Date: Mon, 17 Mar 2014 16:30:06 GMT
From: wishmaster <artemrts@ukr.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: unable to disable IPFW with VIMAGE
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         187665
>Category:       misc
>Synopsis:       unable to disable IPFW with VIMAGE
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 17 16:40:01 UTC 2014
>Closed-Date:    Mon Mar 24 10:19:41 UTC 2014
>Last-Modified:  Mon Mar 24 10:20:01 UTC 2014
>Originator:     wishmaster
>Release:        10.0-STABLE
>Organization:
IT Service
>Environment:
FreeBSD sms 10.0-STABLE FreeBSD 10.0-STABLE #4 r263247: Mon Mar 17 17:11:20 EET 2014     wishmaster@sms:/usr/obj/usr/src/sys/SMS  i386

>Description:
System with 10.0-STABLE. I use Jail with VIMAGE support and I am unable to disable IPFW in Jail via sysctl net.inet.ip.fw.enable=0 because this sysctl is absent in jail host (and in base host too).

# sysctl net.inet.ip.fw
net.inet.ip.fw.one_pass: 0
net.inet.ip.fw.autoinc_step: 100
net.inet.ip.fw.verbose: 0
net.inet.ip.fw.verbose_limit: 0
net.inet.ip.fw.default_rule: 65535
net.inet.ip.fw.tables_max: 128
net.inet.ip.fw.default_to_accept: 1
net.inet.ip.fw.static_count: 134
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 19
net.inet.ip.fw.dyn_max: 16384
net.inet.ip.fw.dyn_ack_lifetime: 3600
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 1
net.inet.ip.fw.dyn_rst_lifetime: 1
net.inet.ip.fw.dyn_udp_lifetime: 20
net.inet.ip.fw.dyn_short_lifetime: 10
net.inet.ip.fw.dyn_keepalive: 1

This problem occurs both when IPFW is loaded as a module and when it is compiled into the kernel.

Another host

FreeBSD db 10.0-PRERELEASE FreeBSD 10.0-PRERELEASE #0 r260982: Wed Jan 22 00:54:30 EET 2014     wishmaster@db:/usr/obj/usr/src/sys/MY_10  i386

without this problem.

>How-To-Repeat:
Install FreeBSD 10 STABLE, at least revision 263247.

>Fix:
Don't know...

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ae 
Responsible-Changed-By: ae 
Responsible-Changed-When: Fri Mar 21 08:28:12 UTC 2014 
Responsible-Changed-Why:  
Take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=187665 

From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: bug-followup@FreeBSD.org, artemrts@ukr.net
Cc:  
Subject: Re: misc/187665: unable to disable IPFW with VIMAGE
Date: Fri, 21 Mar 2014 12:25:33 +0400

 Hello,
 
 please, check the securelevel in your jail. What value does it have?
 
 -- 
 WBR, Andrey V. Elsukov

From: wishmaster <artemrts@ukr.net>
To: "Andrey V. Elsukov" <ae@freebsd.org>
Cc: bug-followup@freebsd.org, freebsd-virtualization@freebsd.org
Subject: Re[2]: misc/187665: unable to disable IPFW with VIMAGE
Date: Fri, 21 Mar 2014 10:45:51 +0200

  
  --- Original message ---
  From: "Andrey V. Elsukov" <ae@freebsd.org>
  Date: 21 March 2014, 10:26:23
   
 
 
 > Hello,
 > 
 > please, check the securelevel in your jail. What value does it have?
 > 
   I use securelevel 2 (in jail only. In host - default), but securelevel does not affect net.inet.ip.fw.enable at all, because this OID is absent in the base system too.
 This happens only if options VIMAGE is present in the kernel!
 
 Cheers,
 Vitaliy

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: wishmaster <artemrts@ukr.net>, ae@FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: kern/187665
Date: Fri, 21 Mar 2014 18:20:58 +0400

 --hYooF8G/hrfVAmum
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
   Hi!
 
   Looks like my failure.
 
   Can you please try out this patch?
 
 -- 
 Totus tuus, Glebius.
 
 --hYooF8G/hrfVAmum
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="187665.diff"
 
 Index: sys/netpfil/ipfw/ip_fw_pfil.c
 ===================================================================
 --- sys/netpfil/ipfw/ip_fw_pfil.c	(revision 263343)
 +++ sys/netpfil/ipfw/ip_fw_pfil.c	(working copy)
 @@ -536,30 +536,21 @@ ipfw_attach_hooks(int arg)
  int
  ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
  {
 -	int *enable;
  	int newval;
  	int error;
  	int af;
  
 -	if (arg1 == &VNET_NAME(fw_enable)) {
 -		enable = &V_fw_enable;
 +	if (arg1 == &V_fw_enable)
  		af = AF_INET;
 -	}
  #ifdef INET6
 -	else if (arg1 == &VNET_NAME(fw6_enable)) {
 -		enable = &V_fw6_enable;
 +	else if (arg1 == &V_fw6_enable)
  		af = AF_INET6;
 -	}
  #endif
 -	else if (arg1 == &VNET_NAME(fwlink_enable)) {
 -		enable = &V_fwlink_enable;
 +	else if (arg1 == &V_fwlink_enable)
  		af = AF_LINK;
 -	}
  	else 
  		return (EINVAL);
  
 -	newval = *enable;
 -
  	/* Handle sysctl change */
  	error = sysctl_handle_int(oidp, &newval, 0, req);
  
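Review bot: `newval` is read before it is ever assigned. The hunk drops `newval = *enable;` ahead of the `sysctl_handle_int(oidp, &newval, 0, req)` call and puts nothing in its place. `sysctl_handle_int` copies the current contents of `&newval` out to the caller before it accepts a new value, so a plain read of any of the three OIDs would return indeterminate kernel stack contents instead of the real setting. Re-initialise it from the variable the OID points at, for example `newval = *(int *)arg1;`, just before the "Handle sysctl change" comment.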
 @@ -569,13 +560,13 @@ ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
  	/* Formalize new value */
  	newval = (newval) ? 1 : 0;
  
 -	if (*enable == newval)
 +	if (*(int *)arg1 == newval)
  		return (0);
  
  	error = ipfw_hook(newval, af);
  	if (error)
  		return (error);
 -	*enable = newval;
 +	*(int *)arg1 = newval;
  
  	return (0);
  }
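Review bot: The compare at `if (*(int *)arg1 == newval)` and the store at `*(int *)arg1 = newval;` bracket the `ipfw_hook(newval, af)` call with no lock visible in this hunk, so two concurrent writers could both pass the compare and both call `ipfw_hook` with the same value. Either state in a comment that the handler is serialized by its caller, or hold the appropriate lock across the compare, the hook change and the store.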
 
 --hYooF8G/hrfVAmum--

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: wishmaster <artemrts@ukr.net>, ae@FreeBSD.org
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/187665
Date: Fri, 21 Mar 2014 18:42:10 +0400

 --g7w8+K/95kPelPD2
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 On Fri, Mar 21, 2014 at 06:20:58PM +0400, Gleb Smirnoff wrote:
 T>   Hi!
 T> 
 T>   Looks like my failure.
 T> 
 T>   Can you please try out this patch?
 
 Better this patch.
 
 -- 
 Totus tuus, Glebius.
 
 --g7w8+K/95kPelPD2
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="187665.diff"
 
 Index: sys/netpfil/ipfw/ip_fw_pfil.c
 ===================================================================
 --- sys/netpfil/ipfw/ip_fw_pfil.c	(revision 263343)
 +++ sys/netpfil/ipfw/ip_fw_pfil.c	(working copy)
 @@ -536,30 +536,22 @@ ipfw_attach_hooks(int arg)
  int
  ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
  {
 -	int *enable;
  	int newval;
  	int error;
  	int af;
  
 -	if (arg1 == &VNET_NAME(fw_enable)) {
 -		enable = &V_fw_enable;
 +	if (arg1 == &V_fw_enable)
  		af = AF_INET;
 -	}
  #ifdef INET6
 -	else if (arg1 == &VNET_NAME(fw6_enable)) {
 -		enable = &V_fw6_enable;
 +	else if (arg1 == &V_fw6_enable)
  		af = AF_INET6;
 -	}
  #endif
 -	else if (arg1 == &VNET_NAME(fwlink_enable)) {
 -		enable = &V_fwlink_enable;
 +	else if (arg1 == &V_fwlink_enable)
  		af = AF_LINK;
 -	}
  	else 
  		return (EINVAL);
  
 -	newval = *enable;
 -
 +	newval = *(int *)arg1;
  	/* Handle sysctl change */
  	error = sysctl_handle_int(oidp, &newval, 0, req);
  
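Review bot: The switch from `arg1 == &VNET_NAME(fw_enable)` to `arg1 == &V_fw_enable` (and likewise for `fw6_enable` and `fwlink_enable`) changes which address the handler expects in `arg1`, but nothing in the function says why. A short comment above the chain stating what address `arg1` carries under VIMAGE would keep a later refactoring from reintroducing the mismatch. Minor: keep a blank line between `newval = *(int *)arg1;` and the `/* Handle sysctl change */` comment, as the removed lines had.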
 @@ -569,13 +561,13 @@ ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
  	/* Formalize new value */
  	newval = (newval) ? 1 : 0;
  
 -	if (*enable == newval)
 +	if (*(int *)arg1 == newval)
  		return (0);
  
  	error = ipfw_hook(newval, af);
  	if (error)
  		return (error);
 -	*enable = newval;
 +	*(int *)arg1 = newval;
  
  	return (0);
  }
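Review bot: Style: with this hunk the function dereferences `*(int *)arg1` in three places (the initial read, the compare here and the final store). A single typed local such as `int *enable = arg1;`, assigned once after the address checks, would keep the cast in one spot and let the compare and the store read as they did before the change.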
 
 --g7w8+K/95kPelPD2--
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Fri Mar 21 17:07:37 UTC 2014 
State-Changed-Why:  
Fixed in head. 


Responsible-Changed-From-To: ae->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Fri Mar 21 17:07:37 UTC 2014 
Responsible-Changed-Why:  
Fixed in head. 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/187665: commit references a PR
Date: Fri, 21 Mar 2014 17:07:21 +0000 (UTC)

 Author: glebius
 Date: Fri Mar 21 17:07:18 2014
 New Revision: 263497
 URL: http://svnweb.freebsd.org/changeset/base/263497
 
 Log:
   Fix breakage in ipfw+VIMAGE after r261590.
   
   PR:		kern/187665
   Sponsored by:	Nginx, Inc.
 
 Modified:
   head/sys/netpfil/ipfw/ip_fw_pfil.c
 
 Modified: head/sys/netpfil/ipfw/ip_fw_pfil.c
 ==============================================================================
 --- head/sys/netpfil/ipfw/ip_fw_pfil.c	Fri Mar 21 16:57:34 2014	(r263496)
 +++ head/sys/netpfil/ipfw/ip_fw_pfil.c	Fri Mar 21 17:07:18 2014	(r263497)
 @@ -536,30 +536,22 @@ ipfw_attach_hooks(int arg)
  int
  ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
  {
 -	int *enable;
  	int newval;
  	int error;
  	int af;
  
 -	if (arg1 == &VNET_NAME(fw_enable)) {
 -		enable = &V_fw_enable;
 +	if (arg1 == &V_fw_enable)
  		af = AF_INET;
 -	}
  #ifdef INET6
 -	else if (arg1 == &VNET_NAME(fw6_enable)) {
 -		enable = &V_fw6_enable;
 +	else if (arg1 == &V_fw6_enable)
  		af = AF_INET6;
 -	}
  #endif
 -	else if (arg1 == &VNET_NAME(fwlink_enable)) {
 -		enable = &V_fwlink_enable;
 +	else if (arg1 == &V_fwlink_enable)
  		af = AF_LINK;
 -	}
  	else 
  		return (EINVAL);
  
 -	newval = *enable;
 -
 +	newval = *(int *)arg1;
  	/* Handle sysctl change */
  	error = sysctl_handle_int(oidp, &newval, 0, req);
  
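Review bot: The final `else return (EINVAL);` is the only signal when `arg1` matches none of the three addresses, and that failure is silent; the PR reported only that the `enable` OID was missing from the `sysctl net.inet.ip.fw` listing. Consider a `KASSERT` or a one-time `printf` on that branch so that a future mismatch between the OID registration and this handler is reported loudly rather than surfacing as a vanished sysctl.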
 @@ -569,13 +561,13 @@ ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
  	/* Formalize new value */
  	newval = (newval) ? 1 : 0;
  
 -	if (*enable == newval)
 +	if (*(int *)arg1 == newval)
  		return (0);
  
  	error = ipfw_hook(newval, af);
  	if (error)
  		return (error);
 -	*enable = newval;
 +	*(int *)arg1 = newval;
  
  	return (0);
  }
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Mon Mar 24 10:19:21 UTC 2014 
State-Changed-Why:  
Fix merged to stable/10. 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/187665: commit references a PR
Date: Mon, 24 Mar 2014 10:19:28 +0000 (UTC)

 Author: glebius
 Date: Mon Mar 24 10:19:07 2014
 New Revision: 263680
 URL: http://svnweb.freebsd.org/changeset/base/263680
 
 Log:
   Merge r263497: fix ipfw + VIMAGE sysctls.
   
   PR:		kern/187665
 
 Modified:
   stable/10/sys/netpfil/ipfw/ip_fw_pfil.c
 Directory Properties:
   stable/10/   (props changed)
 
 Modified: stable/10/sys/netpfil/ipfw/ip_fw_pfil.c
 ==============================================================================
 --- stable/10/sys/netpfil/ipfw/ip_fw_pfil.c	Mon Mar 24 08:24:32 2014	(r263679)
 +++ stable/10/sys/netpfil/ipfw/ip_fw_pfil.c	Mon Mar 24 10:19:07 2014	(r263680)
 @@ -536,30 +536,22 @@ ipfw_attach_hooks(int arg)
  int
  ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
  {
 -	int *enable;
  	int newval;
  	int error;
  	int af;
  
 -	if (arg1 == &VNET_NAME(fw_enable)) {
 -		enable = &V_fw_enable;
 +	if (arg1 == &V_fw_enable)
  		af = AF_INET;
 -	}
  #ifdef INET6
 -	else if (arg1 == &VNET_NAME(fw6_enable)) {
 -		enable = &V_fw6_enable;
 +	else if (arg1 == &V_fw6_enable)
  		af = AF_INET6;
 -	}
  #endif
 -	else if (arg1 == &VNET_NAME(fwlink_enable)) {
 -		enable = &V_fwlink_enable;
 +	else if (arg1 == &V_fwlink_enable)
  		af = AF_LINK;
 -	}
  	else 
  		return (EINVAL);
  
 -	newval = *enable;
 -
 +	newval = *(int *)arg1;
  	/* Handle sysctl change */
  	error = sysctl_handle_int(oidp, &newval, 0, req);
  
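Review bot: Style: dropping the braces leaves an unbraced `if` / `else if` chain that is split by `#ifdef INET6` and `#endif`, so the `else if (arg1 == &V_fwlink_enable)` arm attaches to a different preceding arm depending on the kernel configuration. That is correct as written, but a second statement added to any arm later would break the chain; keeping the braces on each arm, as the removed lines had, costs three lines and avoids that.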
 @@ -569,13 +561,13 @@ ipfw_chg_hook(SYSCTL_HANDLER_ARGS)
  	/* Formalize new value */
  	newval = (newval) ? 1 : 0;
  
 -	if (*enable == newval)
 +	if (*(int *)arg1 == newval)
  		return (0);
  
  	error = ipfw_hook(newval, af);
  	if (error)
  		return (error);
 -	*enable = newval;
 +	*(int *)arg1 = newval;
  
  	return (0);
  }
 
>Unformatted:
