kern/51132: kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly

Eugene Grosbein eugen at grosbein.pp.ru
Fri Apr 18 10:10:15 PDT 2003


>Number:         51132
>Category:       kern
>Synopsis:       kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 18 10:10:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.8-RC i386
>Organization:
Svyaz Service JSC
>Environment:
System: FreeBSD gw3.svzserv.kemerovo.su 4.8-RC FreeBSD 4.8-RC #0: Wed Apr 2 12:05:11 KRAST 2003 sa at gw3.svzserv.kemerovo.su:/home/obj/usr/src/sys/GW3 i386
	ipfw1

>Description:

	One of my routers has gif tunnel with another FreeBSD 4.8-RC system.
	The gif0 has 'inet 172.20.15.14' and works nice.
	The other side of the tunnel has 'inet 172.20.15.13'

	Now I'm trying to implement policy routing and direct
	all transit traffic coming from rl0 into the tunnel. So I use

	ipfw add 2000 fwd 172.20.15.13 ip from any to not me via rl0 in.

	It does NOT match any packet while 'to any via rl0 in' does.
	The workaround is to avoid using 'to not me' here.

	Let's see ipfw show and look at bad things:

01990     20      940 deny ip from any to me
01993      0        0 count ip from any to me in recv rl0
01995      0        0 fwd 172.20.15.13 ip from any to not me in recv rl0
02000 109658  5813420 fwd 172.20.15.13 ip from any to any in recv rl0
65000 295571 40747130 allow ip from any to any

	The rule 1990 blocks 'to me' packets via rl0.

	The rule 1995 is the one that should match other packets,
	it does not. The rule 2000 is here as workaround.

>How-To-Repeat:

	See above.

>Fix:

	Unknown to me.
	The workaround is not to use 'to not me' in such cases.

Eugene Grosbein

>Release-Note:
>Audit-Trail:
>Unformatted:
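The ruleset in the report relies on first-match semantics: once rule 1990 has denied everything addressed 'to me', a later 'to any' rule only ever sees the packets that 'to not me' was meant to select, which is why the workaround at rule 2000 is sound. The following is an added example, not code from the PR or from FreeBSD; it is a deliberately small first-match evaluator written to show that equivalence, not a model of ipfw's actual matching code. Only 172.20.15.14 and 172.20.15.13 come from the report; the rl0 address 10.0.0.1, the destination 192.0.2.10 and the sample packets are constructed.

```python
"""Added example (not part of the PR): a toy first-match evaluator that shows
why 'deny to me' followed by 'fwd to any' behaves like 'fwd to not me'.
The evaluator is constructed for illustration and is not ipfw's code."""

from dataclasses import dataclass
from ipaddress import ip_address, IPv4Address
from typing import Optional, List, Tuple

# Addresses this router owns ('me' in ipfw terms). gif0's 172.20.15.14 is
# taken from the report; 10.0.0.1 is an assumed rl0 address.
ME = {ip_address("172.20.15.14"), ip_address("10.0.0.1")}
TUNNEL_PEER = ip_address("172.20.15.13")  # far end of the gif tunnel (from the report)


@dataclass(frozen=True)
class Packet:
    dst: IPv4Address
    recv_if: str    # interface the packet was received on
    inbound: bool   # True for 'in', False for 'out'


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "deny", "fwd", "allow" or "count"
    dst_me: Optional[bool]           # True = 'to me', False = 'to not me', None = 'to any'
    recv_if: Optional[str] = None    # 'recv <if>' qualifier, None = unrestricted
    inbound: Optional[bool] = None   # 'in' / 'out' qualifier, None = unrestricted

    def matches(self, pkt: Packet) -> bool:
        # 'to not me' is the plain negation of the 'to me' address test.
        if self.dst_me is not None and (pkt.dst in ME) != self.dst_me:
            return False
        if self.recv_if is not None and pkt.recv_if != self.recv_if:
            return False
        if self.inbound is not None and pkt.inbound != self.inbound:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Walk rules in number order; the first terminating match decides.
    'count' only tallies and falls through, as it does in ipfw."""
    for r in sorted(rules, key=lambda r: r.number):
        if not r.matches(pkt) or r.action == "count":
            continue
        return r.number, r.action
    return None, "default-deny"


# The ruleset as intended: rule 1995 is the 'to not me' rule the report
# says never matches. In this toy evaluator it does match, which is the
# behaviour the reporter expected from the kernel.
INTENDED = [
    Rule(1990, "deny", dst_me=True),
    Rule(1995, "fwd", dst_me=False, recv_if="rl0", inbound=True),
    Rule(65000, "allow", dst_me=None),
]

# The workaround: drop the 'to not me' test and let rule 1990 carry it.
WORKAROUND = [
    Rule(1990, "deny", dst_me=True),
    Rule(2000, "fwd", dst_me=None, recv_if="rl0", inbound=True),
    Rule(65000, "allow", dst_me=None),
]

# Constructed sample traffic covering transit, local, other-interface and
# outbound cases.
SAMPLE = [
    Packet(ip_address("192.0.2.10"), "rl0", True),    # transit, in on rl0
    Packet(ip_address("10.0.0.1"), "rl0", True),      # to me, in on rl0
    Packet(ip_address("192.0.2.10"), "gif0", True),   # transit, in on gif0
    Packet(ip_address("192.0.2.10"), "rl0", False),   # outbound via rl0
]


def decisions(rules: List[Rule], pkts: List[Packet]) -> List[str]:
    """Return the action taken for each packet under the given ruleset."""
    return [evaluate(rules, p)[1] for p in pkts]


def rulesets_agree(pkts: List[Packet]) -> bool:
    """True if INTENDED and WORKAROUND reach the same verdict for every packet."""
    return decisions(INTENDED, pkts) == decisions(WORKAROUND, pkts)


if __name__ == "__main__":
    for pkt, a, b in zip(SAMPLE, decisions(INTENDED, SAMPLE), decisions(WORKAROUND, SAMPLE)):
        print(pkt.dst, pkt.recv_if, "in" if pkt.inbound else "out", "->", a, b)
    print("equivalent:", rulesets_agree(SAMPLE))
```

The equivalence holds only because rule 1990 precedes the fwd rule and terminates for every 'to me' packet; if a non-terminating rule such as 'count' sat at 1990 instead, 'to any' at 2000 would also forward traffic destined to the router itself.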