"or" blocks in IPFW2

Oliver Fromme olli at lurza.secnetix.de
Wed Jul 13 15:57:57 GMT 2005


Hi,

I'm using IPFW2 on FreeBSD 4-stable (only a few days old).
This is a small router with multiple interfaces.  I would
like to write a rule that matches packets that enter the
router on fxp0 _or_ leave it on fxp0.

My first idea was to simply use "via fxp0", but that would
also match routed packets that leave the system on some
other interface (and have entered the system on fxp0 previously).
This is not what I want.

My next idea was to use "or" blocks, according to the ipfw
manpage, to combine "in recv fxp0" with "out xmit fxp0".
However, when I enter the command, the parser of ipfw(8)
seems to move the braces to different locations:

# ipfw add allow tcp from any to any \{ in recv fxp0 or out xmit fxp0 \}
04400 allow tcp from any to any in { recv fxp0 or out } xmit fxp0

Of course, now the rule does something completely different
which doesn't even make any sense.  Most confusingly, I
don't get an error message or even a warning from the parser.

Is this a bug in ipfw, or a bug in the manpage, or do I
just misunderstand things?  Do I have to write two separate
rules?

Thanks in advance!

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Unix gives you just enough rope to hang yourself --
and then a couple of more feet, just to be sure."
        -- Eric Allman
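As an added illustration (not part of the original post or of ipfw itself) of why "via fxp0" overmatches, here is a small Python model of how ipfw's "via", "recv" and "xmit" interface keywords match packets, run over constructed sample traffic on a router with fxp0 and fxp1. The Packet fields and function names are assumptions for the model, not ipfw's own code.

```python
# Added illustration: a minimal model of ipfw's "via", "recv" and "xmit"
# interface matching, showing that "via fxp0" also matches routed packets that
# arrived on fxp0 but leave on another interface.  Field and function names
# are assumptions for this model, not ipfw's own code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    recv: str                   # interface the packet arrived on
    xmit: Optional[str] = None  # interface it leaves on (None while inbound)


def via(pkt: Packet, iface: str) -> bool:
    """'via IFACE': packet was received on IFACE or is being sent on IFACE."""
    return pkt.recv == iface or pkt.xmit == iface


def in_recv(pkt: Packet, iface: str) -> bool:
    """'in recv IFACE': inbound packet that arrived on IFACE."""
    return pkt.direction == "in" and pkt.recv == iface


def out_xmit(pkt: Packet, iface: str) -> bool:
    """'out xmit IFACE': outbound packet being sent on IFACE."""
    return pkt.direction == "out" and pkt.xmit == iface


def enters_or_leaves_on(pkt: Packet, iface: str) -> bool:
    """The match the post wants: 'in recv IFACE or out xmit IFACE'."""
    return in_recv(pkt, iface) or out_xmit(pkt, iface)


# Constructed sample traffic on a router with interfaces fxp0 and fxp1.
SAMPLE = {
    "inbound on fxp0":     Packet("in", "fxp0"),
    "routed fxp1 -> fxp0": Packet("out", "fxp1", "fxp0"),
    "routed fxp0 -> fxp1": Packet("out", "fxp0", "fxp1"),  # the overmatch
    "inbound on fxp1":     Packet("in", "fxp1"),
}


def compare(iface: str = "fxp0") -> dict:
    """For each sample packet: (matches 'via', matches 'in recv or out xmit')."""
    return {name: (via(p, iface), enters_or_leaves_on(p, iface))
            for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, (v, wanted) in compare().items():
        print(f"{name:20s} via={v!s:5s} in-recv/out-xmit={wanted}")
```

Only the "routed fxp0 -> fxp1" packet differs between the two columns, which is exactly the case the "via" rule matches but the intended rule should not.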