kern/147798: ipfw skipto skips over the complex rule

Dmitry Pryanishnikov lynx.ripe at gmail.com
Fri Jun 11 20:50:02 UTC 2010


>Number:         147798
>Category:       kern
>Synopsis:       ipfw skipto skips over the complex rule
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 11 20:50:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Pryanishnikov
>Release:        RELENG_8
>Organization:
Home
>Environment:
FreeBSD lynx.homenet 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #0: Fri Jun 11 21:59:46 EEST 2010     dmitry at lynx.homenet:/databig/obj/databig/ftp/RELENG_8/src/sys/lynx  i386

>Description:
In the following pared-down ipfw ruleset (yes, it's complete):

25150  208 22046 skipto 25199 ip from any to any
30410    0     0 nat 1 ip from not 192.168.1.0/24 to not table(1) out via em0
30610    0     0 nat 1 ip from not table(1) to 192.168.1.2 in
65000  372 38232 allow ip from any to any
65535 1178 53032 deny ip from any to any

packets from 192.168.251.1 fail to match rule number 30410 (despite being directed to an IP absent from table(1) via em0). IP addresses 192.168.1.2 and 192.168.251.1 are local; nat 1 is configured as "nat 1 config ip 192.168.1.2", and
table 1 contains non-globally routable networks:

0.0.0.0/8 0
10.0.0.0/8 0
169.254.0.0/16 0
172.16.0.0/12 0
192.0.2.0/24 0
192.168.0.0/16 0
224.0.0.0/4 0
240.0.0.0/4 0

However, adding a dummy 'count' rule between 'skipto' and 'nat' works around the problem:

25150  303 31614 skipto 25199 ip from any to any
26000   16  1268 count ip from any to any
30410    7   588 nat 1 ip from not 192.168.1.0/24 to not table(1) out via em0
30610    7   588 nat 1 ip from not table(1) to 192.168.1.2 in
65000  467 47800 allow ip from any to any
65535 1178 53032 deny ip from any to any


Note that simpler forms of rule 30410 (e.g. nat 1 ip from 192.168.251.1 to not table(1) out via em0) are not skipped over; only the form shown in the first ruleset is.
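The following reference model is an added example, not part of this PR and not FreeBSD code. It walks the reported ruleset the way ipfw(8) documents rule processing (skipto resumes at the first rule numbered at or above the target, count falls through, nat ends the search when net.inet.ip.fw.one_pass is set) so that the expected outcome for a given packet can be compared with the counters in the report. The table contents are copied from the report; the sample packets and the 198.51.100.0/24 destination are constructed for the example. Under these semantics a packet from 192.168.251.1 to a destination outside table(1) leaving via em0 is expected to hit rule 30410, which is exactly what the report says does not happen.

```python
import ipaddress
from dataclasses import dataclass

# Copy of table(1) from the report: non-globally-routable networks.
TABLE1 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

LAN = ipaddress.ip_network("192.168.1.0/24")


def in_table(addr: str) -> bool:
    """Model of an ipfw 'table(1)' lookup: any containing entry is a hit."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TABLE1)


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "in" or "out"
    iface: str      # interface the packet is seen on, e.g. "em0"


# Match predicates for the report's rules. 'not X' negates the whole option,
# so 'to not table(1)' means the destination is absent from the table.
def match_any(p: Packet) -> bool:
    return True


def match_30410(p: Packet) -> bool:
    # nat 1 ip from not 192.168.1.0/24 to not table(1) out via em0
    return (ipaddress.ip_address(p.src) not in LAN
            and not in_table(p.dst)
            and p.direction == "out" and p.iface == "em0")


def match_30610(p: Packet) -> bool:
    # nat 1 ip from not table(1) to 192.168.1.2 in
    return (not in_table(p.src)
            and p.dst == "192.168.1.2"
            and p.direction == "in")


# (rule number, action tuple, predicate), in ipfw order.
RULESET = [
    (25150, ("skipto", 25199), match_any),
    (30410, ("nat", 1), match_30410),
    (30610, ("nat", 1), match_30610),
    (65000, ("allow",), match_any),
    (65535, ("deny",), match_any),
]

# The reporter's workaround: a dummy count rule between the skipto and the nat.
WORKAROUND_RULESET = sorted(RULESET + [(26000, ("count",), match_any)],
                            key=lambda r: r[0])


def evaluate(ruleset, pkt: Packet, one_pass: bool = True):
    """Walk the ruleset as ipfw(8) documents it and return
    (numbers of the rules that matched, final action).

    skipto N resumes at the first rule numbered >= N (forward jumps only).
    count matches and falls through. nat matches and, with
    net.inet.ip.fw.one_pass=1 (the default), ends the search with the packet
    accepted; with one_pass=0 the search continues at the next rule."""
    rules = sorted(ruleset, key=lambda r: r[0])
    matched = []
    i = 0
    while i < len(rules):
        num, action, pred = rules[i]
        if not pred(pkt):
            i += 1
            continue
        matched.append(num)
        kind = action[0]
        if kind == "skipto":
            target = action[1]
            if target <= num:
                raise ValueError(f"rule {num}: skipto target {target} is not forward")
            i = next((j for j, r in enumerate(rules) if r[0] >= target), len(rules))
        elif kind == "count":
            i += 1
        elif kind == "nat":
            if one_pass:
                return matched, "nat"
            i += 1
        else:  # allow / deny terminate the search
            return matched, kind
    return matched, "deny"  # ipfw's implicit default


# Constructed sample packets; 198.51.100.0/24 is a documentation range that is
# absent from table(1), so it stands in for a globally routable destination.
LOCAL_OUT = Packet("192.168.251.1", "198.51.100.7", "out", "em0")  # the failing case
LAN_OUT = Packet("192.168.1.5", "198.51.100.7", "out", "em0")      # excluded by 'from not 192.168.1.0/24'
REPLY_IN = Packet("198.51.100.7", "192.168.1.2", "in", "em0")

if __name__ == "__main__":
    for name, rs in (("original", RULESET), ("workaround", WORKAROUND_RULESET)):
        for pkt in (LOCAL_OUT, LAN_OUT, REPLY_IN):
            print(name, pkt.src, "->", pkt.dst, pkt.direction, evaluate(rs, pkt))
```

Running the model on the original ruleset gives ([25150, 30410], 'nat') for the 192.168.251.1 packet, and the workaround ruleset gives the same final action with 26000 added to the trace; the counters in the report show the kernel only producing the second of these, which is the discrepancy being reported.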
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted: