kern/123358: [ipfw] ipfw add 1000 allow IP from any to any doesn't work

Andrey V. Elsukov bu7cher at yandex.ru
Sun May 4 04:50:03 UTC 2008


The following reply was made to PR kern/123358; it has been noted by GNATS.

From: "Andrey V. Elsukov" <bu7cher at yandex.ru>
To: Edwin Groothuis <edwin at mavetju.org>
Cc: FreeBSD-gnats-submit at FreeBSD.org,
        Julian Elischer <julian at elischer.org>
Subject: Re: kern/123358: [ipfw] ipfw add 1000 allow IP from any to any doesn't
        work
Date: Sun, 04 May 2008 08:39:57 +0400

 Edwin Groothuis wrote:
 > Loading an ipfw rule with "IP" instead of "ip" will enter the rule
 > properly in the list, but it never gets matched.
 > 
 >> How-To-Repeat:
 > 
 >     [/home/edwin] root at k7>ipfw add 100 allow IP from any to any
 >     00100 allow ip from any to any
 >     [/home/edwin] root at k7>ipfw add 100 allow ip from any to any
 >     00100 allow ip from any to any
 > 
 >     [/home/edwin] root at k7>ipfw -a list
 >     00100   0      0 allow ip from any to any
 >     00100 922 168617 allow ip from any to any
 >     65535 182  20023 deny ip from any to any
 > 
 > The first entry should be increasing, not the second.
 
 Yes. When you are using "ip" or "all" as the protocol, then
 ipfw(8) doesn't make an internal opcode and ipfw(9) matches
 any packet. When you are using "IP" (the parser is case sensitive),
 then ipfw(8) makes an O_PROTO opcode and ipfw(9) matches it
 with the layer 3 protocol number.
 I don't know what is the best way to fix this problem.
 I see three ways:
 1. Don't do anything.
 2. Make the manual better (sorry, I'm not a native English
 speaker, so I can't).
 3. Add a quirk to ipfw(8) in the add_proto0 function, something
 similar to this:
 --- src/sbin/ipfw/ipfw2.c       27 Feb 2008 13:52:33 -0000      1.118
 +++ src/sbin/ipfw/ipfw2.c       4 May 2008 04:38:24 -0000
 @@ -4580,6 +4580,11 @@ add_proto0(ipfw_insn *cmd, char *av, u_c
          if (*ep != '\0' || proto <= 0) {
                  if ((pe = getprotobyname(av)) == NULL)
                          return NULL;
 +
 +               /* Is it an IP proto? */
 +               if (pr->p_proto == 0)
 +                       return (0);
 +
                  proto = pe->p_proto;
          }
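Review bot: the added check dereferences `pr`, which is not declared anywhere in the visible context; the `struct protoent` pointer assigned just above is `pe`, so `if (pr->p_proto == 0)` will not compile and should read `if (pe->p_proto == 0)`. Also, `return (0)` here is indistinguishable to the caller from the `return NULL` taken when `getprotobyname(av)` fails, so a rule written with `IP` would be rejected as an unknown protocol rather than treated like `ip`; if the intent is to match any packet, the caller needs a distinct signal (or the keyword comparison should be case-insensitive), and if the intent is to reject the rule, the style should match the existing `return NULL` in the same branch, and the comment should say that a protocol number of 0 is being refused.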
 
 -- 
 WBR, Andrey V. Elsukov
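The behaviour described in this thread, as an added illustrative model (not ipfw's own code): a constructed in-memory protocol table stands in for /etc/protocols, `compile_proto_strict` mirrors the case-sensitive keyword check that turns "IP" into an O_PROTO opcode for protocol 0, and `compile_proto_fixed` is one hardened variant that treats the keywords case-insensitively and refuses to emit a protocol-0 match that no real packet can satisfy. Function and constant names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <netinet/in.h>

/* Result of compiling the protocol token of a rule (constructed model). */
enum { PROTO_ANY = -1, PROTO_BAD = -2 };  /* no O_PROTO / unknown name */

/* Constructed stand-in for /etc/protocols so the example runs offline;
 * "IP" is the alias of "ip", both resolve to pseudo-protocol 0. */
static const struct { const char *name; int num; } protos[] = {
    { "ip", 0 }, { "IP", 0 }, { "icmp", 1 }, { "tcp", 6 }, { "udp", 17 },
};

static int lookup_proto(const char *av) {
    for (size_t i = 0; i < sizeof protos / sizeof protos[0]; i++)
        if (strcmp(protos[i].name, av) == 0)
            return protos[i].num;
    return PROTO_BAD;
}

/* Strict form, as described in the PR: only lowercase "ip"/"all" skip
 * the O_PROTO opcode; "IP" falls through to the name lookup -> proto 0. */
static int compile_proto_strict(const char *av) {
    if (strcmp(av, "ip") == 0 || strcmp(av, "all") == 0)
        return PROTO_ANY;
    return lookup_proto(av);
}

/* Hardened form: keywords compared case-insensitively, and a lookup that
 * yields protocol 0 (the IP pseudo-protocol) also means "any packet". */
static int compile_proto_fixed(const char *av) {
    if (strcasecmp(av, "ip") == 0 || strcasecmp(av, "all") == 0)
        return PROTO_ANY;
    int p = lookup_proto(av);
    return p == 0 ? PROTO_ANY : p;
}

/* Match step: an O_PROTO opcode compares against the packet's layer 3
 * protocol field; no opcode matches everything; PROTO_BAD matches nothing. */
static int rule_matches(int compiled, int pkt_proto) {
    return compiled == PROTO_ANY || (compiled >= 0 && compiled == pkt_proto);
}

int main(void) {
    const char *tok[] = { "ip", "IP", "tcp" };
    for (int i = 0; i < 3; i++)
        printf("%-3s strict:%d fixed:%d (TCP packet)\n", tok[i],
               rule_matches(compile_proto_strict(tok[i]), IPPROTO_TCP),
               rule_matches(compile_proto_fixed(tok[i]), IPPROTO_TCP));
    return 0;
}
```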

