Is this a bug? ifname[wildcard] matches other interfaces?

Sten Daniel Sørsdal sten.daniel.sorsdal at wan.no
Mon Apr 5 06:50:02 PDT 2004 

Hi

I was led to belive that using ifname* (read: interface name + wildcard) would work.
Apparently the fxp* matches all, even the ones originating or destined to tunX.
A bug or did i misunderstand the man page?

In ip_fw2.c ~@388 i read the following, which i -belive- skips name comparison when 
matching interface, am i understanding the code correctly?
	...
        if (cmd->name[0] != '\0') { /* match by name */
                /* Check unit number (-1 is wildcard) */
                if (cmd->p.unit != -1 && cmd->p.unit != ifp->if_unit)
                        return(0);
                /* Check name */
                if (!strncmp(ifp->if_name, cmd->name, IFNAMSIZ))
                        return(1);
        } else {
	...

FreeBSD 4.9-RELEASE-p3 with IPFW2 as module, dummynet module loaded.

00200  796 233528 allow via lo0 // &! permit all via loopback interface
00201  159  13155 allow dst-port 53,22,80
00202    0      0 deny dst-port 135,137,138,139,445
00203 3897 293591 skipto 207 out // &! skip ahead for outgoing packets
00204 5565 405417 skipto 400 recv fxp* // &! received on main fxp*
00205    0      0 skipto 800 recv tun* // &! received on main tun*
00206    0      0 skipto 209 in // &! skip ahead for unhandled
00207 3897 293591 skipto 600 xmit fxp* // &! xmitted on main fxp*
00208    0      0 skipto 1000 xmit tun* // &! xmitted on main tun*
00209    0      0 allow // &! default for main main
00400 1733  89195 pipe 1000 { dst-port 1214,6699,5190,4661-4665,6345-6350 or src-port 1214,6699,5190,4661-4665,6345-6350 }
00401 3832 316222 allow // &! default for interfacegroup in_fxp
00600 1232 121000 deny not src-ip 80.x.x.0/24,80.x.x.0/29 out xmit fxp0
00601    0      0 pipe 1001 { dst-port 1214,6699,5190,4661-4665,6345-6350 or src-port 1214,6699,5190,4661-4665,6345-6350 }
00602    0      0 fwd 80.x.x.21 src-ip 80.x.x.22 out xmit fxp0
00603 2665 172591 allow // &! default for interfacegroup out_fxp
00800    0      0 pipe 2 recv tun0 // &! received on tun0
00801    0      0 pipe 3 recv tun1 // &! received on tun1
...
01000    0      0 pipe 103 xmit tun0 // &! transmitted on tun0
01001    0      0 pipe 104 xmit tun1 // &! transmitted on tun1
...


_// Sten Daniel Sørsdal

More information about the freebsd-ipfw mailing list