bin/112244: [patch][ipfw] Incorrect output of rule with the MAC option

Andrey V. Elsukov bu7cher at yandex.ru
Sun Apr 29 16:10:02 UTC 2007


>Number:         112244
>Category:       bin
>Synopsis:       [patch][ipfw] Incorrect output of rule with the MAC option
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 29 16:10:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Andrey V. Elsukov
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD btr-nb.properlan.net 7.0-CURRENT FreeBSD 7.0-CURRENT #11: Sat Apr 21 18:17:26 MSD 2007 root at btr-nb.properlan.net:/usr/obj/usr/src/sys/BTR i386

>Description:
        ipfw(8) shows an incorrect rule in some cases when the MAC option is used.
        An example:
        > sudo ipfw add 100 count icmp from any to any MAC any any
        00100 count icmp MAC any any any

        "count icmp MAC any any any" is not the same as "count icmp from any to any MAC any any"
>How-To-Repeat:
        > sudo ipfw add 100 count icmp from any to any MAC any any
        00100 count icmp MAC any any any
>Fix:

	

--- ipfw2.c.diff begins here ---
--- src/sbin/ipfw/ipfw2.c	Sun Jan  7 06:02:02 2007
+++ src/sbin/ipfw/ipfw2.c	Mon Apr 16 22:07:01 2007
@@ -1400,10 +1400,8 @@
 #define	HAVE_PROTO	0x0001
 #define	HAVE_SRCIP	0x0002
 #define	HAVE_DSTIP	0x0004
-#define	HAVE_MAC	0x0008
-#define	HAVE_MACTYPE	0x0010
-#define	HAVE_PROTO4	0x0040
-#define	HAVE_PROTO6	0x0080
+#define	HAVE_PROTO4	0x0008
+#define	HAVE_PROTO6	0x0010
 #define	HAVE_OPTIONS	0x8000
 
 #define	HAVE_IP		(HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP)
@@ -1415,16 +1413,6 @@
 	if ( (*flags & HAVE_IP) == HAVE_IP)
 		*flags |= HAVE_OPTIONS;
 
-	if ( (*flags & (HAVE_MAC|HAVE_MACTYPE|HAVE_OPTIONS)) == HAVE_MAC &&
-	     cmd != O_MAC_TYPE) {
-		/*
-		 * mac-type was optimized out by the compiler,
-		 * restore it
-		 */
-		printf(" any");
-		*flags |= HAVE_MACTYPE | HAVE_OPTIONS;
-		return;
-	}
 	if ( !(*flags & HAVE_OPTIONS)) {
 		if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO))
 			if ( (*flags & HAVE_PROTO4))
@@ -1680,28 +1668,6 @@
 		case O_PROBE_STATE:
 			break; /* no need to print anything here */
 
-		case O_MACADDR2: {
-			ipfw_insn_mac *m = (ipfw_insn_mac *)cmd;
-
-			if ((cmd->len & F_OR) && !or_block)
-				printf(" {");
-			if (cmd->len & F_NOT)
-				printf(" not");
-			printf(" MAC");
-			flags |= HAVE_MAC;
-			print_mac(m->addr, m->mask);
-			print_mac(m->addr + 6, m->mask + 6);
-			}
-			break;
-
-		case O_MAC_TYPE:
-			if ((cmd->len & F_OR) && !or_block)
-				printf(" {");
-			print_newports((ipfw_insn_u16 *)cmd, IPPROTO_ETHERTYPE,
-				(flags & HAVE_OPTIONS) ? cmd->opcode : 0);
-			flags |= HAVE_MAC | HAVE_MACTYPE | HAVE_OPTIONS;
-			break;
-
 		case O_IP_SRC:
 		case O_IP_SRC_LOOKUP:
 		case O_IP_SRC_MASK:
@@ -1809,6 +1775,21 @@
 			if (cmd->len & F_NOT && cmd->opcode != O_IN)
 				printf(" not");
 			switch(cmd->opcode) {
+			case O_MACADDR2: {
+				ipfw_insn_mac *m = (ipfw_insn_mac *)cmd;
+
+				printf(" MAC");
+				print_mac(m->addr, m->mask);
+				print_mac(m->addr + 6, m->mask + 6);
+				}
+				break;
+
+			case O_MAC_TYPE:
+				print_newports((ipfw_insn_u16 *)cmd,
+						IPPROTO_ETHERTYPE, cmd->opcode);
+				break;
+
+
 			case O_FRAG:
 				printf(" frag");
 				break;
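Review bot: Nothing in the new `case O_MACADDR2:` / `case O_MAC_TYPE:` block says that MAC matches are now printed as ordinary options, and a one-line comment above `case O_MACADDR2:` such as `/* MAC and mac-type are printed as plain options, after the address part */` would record why they moved out of the earlier switch. The block depends on the surrounding code for the ` {` or-block prefix that the removed cases printed themselves; only the ` not` line is visible above this `switch`, so that is worth confirming. Because the listing is what an operator audits, it is also worth checking that each printed rule parses back to the same instructions, including a negated `mac-type`, which the old case appears to have printed without ` not`. The literal `6` in `m->addr + 6` could carry `/* second address */`, and the two blank lines before `case O_FRAG:` should be one. The enclosing function and `switch` begin and end outside the hunk.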
--- ipfw2.c.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

