ipfw1
Luigi Rizzo
rizzo at icir.org
Mon Apr 21 06:43:05 PDT 2003
Indeed, it looks like there is not, and has never been, support in RELENG_4's ip_fw.c
for "not me". The section of code below should change like this
(untested; check the polarity of the test):
if (f->fw_flg & IP_FW_F_SME) {
INADDR_TO_IFP(src_ip, tif);
- if (tif == NULL)
+ if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVSRC) != 0))
continue;
}
if (f->fw_flg & IP_FW_F_DME) {
INADDR_TO_IFP(dst_ip, tif);
- if (tif == NULL)
+ if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVDST) != 0))
continue;
}
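Review bot: the polarity of the new tests is right as written, so the "check the polarity" caveat can be settled by reading the truth table rather than by experiment: with IP_FW_F_INVSRC (or IP_FW_F_INVDST) clear the XOR term is 0 and `if (tif == NULL) continue;` behaves exactly as before; with it set, a local address (tif != NULL) now skips the rule and a non-local one falls through to the rest of the match, which is the "not me" semantic the reply says RELENG_4 never had. Two things still deserve a look before committing: that nothing further down the same match path applies IP_FW_F_INVSRC/IP_FW_F_INVDST a second time to a rule carrying IP_FW_F_SME/IP_FW_F_DME (which would undo the inversion), and that reusing `tif` across the two branches is safe, which it is here only because INADDR_TO_IFP reassigns it before each test. A minimal runtime check is a pair of rules, `deny ip from me to any` and `deny ip from not me to any`, against a packet sourced from a local address: exactly one of them should fire.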
ipfw2 does support this.
On Mon, Apr 21, 2003 at 01:38:44PM +0800, Eugene Grosbein wrote:
> Hi!
>
> May somebody look at http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/51132 ?
> It looks like ipfw1 has serious bug in the ruleset processing.
On a side note, I would have been more specific and said "ipfw1 has
a serious bug in processing "not me" rules."
Granted, your way of stating the problem attracted my attention for
this time, but next time i might well think "ok it might be something
minor..." :)
cheers
luigi
> Eugene Grosbein
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
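An added example, not code from FreeBSD's ip_fw.c or from anyone in this thread: a small user-space model of the ipfw1 "me" / "not me" checks that can run either with the original behaviour (the INV flags are ignored on the SME/DME path, which is what the thread says RELENG_4 does) or with the XOR polarity fix from the patch above. The flag names follow ip_fw.h, but their values, the interface-address table, the 8.8.8.8 "remote" address and the inaddr_to_ifp() stand-in for INADDR_TO_IFP are all constructed for this example. It shows the actual effect of the bug: an unpatched "from not me" rule matches exactly the same packets as "from me".

```c
/*
 * Added example, not code from FreeBSD's ip_fw.c: a user-space model of the
 * ipfw1 "me" / "not me" checks, selectable between the original behaviour
 * and the XOR polarity fix from the patch. Flag names follow ip_fw.h, but
 * their values, the interface-address table and the inaddr_to_ifp() stand-in
 * for INADDR_TO_IFP are constructed here.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed flag values: only their distinctness matters for the model. */
#define IP_FW_F_SME    0x01u  /* source must be a local address ("me") */
#define IP_FW_F_DME    0x02u  /* destination must be a local address */
#define IP_FW_F_INVSRC 0x04u  /* invert the source check ("not me") */
#define IP_FW_F_INVDST 0x08u  /* invert the destination check */

struct ip_fw {
    uint32_t fw_flg;
};

/* Constructed table of "our" interface addresses (host byte order). */
static const uint32_t local_addrs[] = {
    0xc0a80001u,  /* 192.168.0.1 */
    0x0a000001u,  /* 10.0.0.1 */
};

#define REMOTE_ADDR 0x08080808u  /* 8.8.8.8, not one of ours */

/* Stand-in for INADDR_TO_IFP: non-NULL iff addr belongs to a local interface. */
static const uint32_t *inaddr_to_ifp(uint32_t addr)
{
    for (size_t i = 0; i < sizeof local_addrs / sizeof local_addrs[0]; i++)
        if (local_addrs[i] == addr)
            return &local_addrs[i];
    return NULL;
}

/*
 * The SME/DME part of one rule's match. Returns true when the rule is still
 * a candidate after these tests; false corresponds to the kernel's
 * `continue` to the next rule. With fixed == false the INV flags are ignored
 * on this path (the behaviour the thread describes); with fixed == true they
 * are XORed into the test as in the patch.
 */
static bool me_checks_match(const struct ip_fw *f, uint32_t src_ip,
                            uint32_t dst_ip, bool fixed)
{
    const uint32_t *tif;

    if (f->fw_flg & IP_FW_F_SME) {
        tif = inaddr_to_ifp(src_ip);
        bool inv = fixed && (f->fw_flg & IP_FW_F_INVSRC) != 0;
        if ((tif == NULL) ^ inv)   /* original: if (tif == NULL) continue; */
            return false;
    }
    if (f->fw_flg & IP_FW_F_DME) {
        tif = inaddr_to_ifp(dst_ip);
        bool inv = fixed && (f->fw_flg & IP_FW_F_INVDST) != 0;
        if ((tif == NULL) ^ inv)
            return false;
    }
    return true;
}

/* "from me to any": does a packet with this source pass the SME test? */
static bool rule_from_me_matches(uint32_t src_ip, bool fixed)
{
    struct ip_fw f = { IP_FW_F_SME };
    return me_checks_match(&f, src_ip, REMOTE_ADDR, fixed);
}

/* "from not me to any": the same packet against the inverted rule. */
static bool rule_from_not_me_matches(uint32_t src_ip, bool fixed)
{
    struct ip_fw f = { IP_FW_F_SME | IP_FW_F_INVSRC };
    return me_checks_match(&f, src_ip, REMOTE_ADDR, fixed);
}

/* "from any to not me": the DME branch, exercised on the destination side. */
static bool rule_to_not_me_matches(uint32_t dst_ip, bool fixed)
{
    struct ip_fw f = { IP_FW_F_DME | IP_FW_F_INVDST };
    return me_checks_match(&f, REMOTE_ADDR, dst_ip, fixed);
}

int main(void)
{
    const uint32_t srcs[] = { local_addrs[0], REMOTE_ADDR };
    const char *names[] = { "192.168.0.1", "8.8.8.8" };

    printf("%-12s %-8s %-12s %-12s\n", "source", "from me", "not me(bug)", "not me(fix)");
    for (size_t i = 0; i < 2; i++)
        printf("%-12s %-8d %-12d %-12d\n", names[i],
               rule_from_me_matches(srcs[i], true),
               rule_from_not_me_matches(srcs[i], false),
               rule_from_not_me_matches(srcs[i], true));
    return 0;
}
```

The "not me(bug)" column comes out identical to "from me" for both sources, which is why a ruleset that relies on "not me" silently does the opposite of what it says; with the XOR in place the column inverts and plain "me" rules are unaffected.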