kern/129036: [ipfw] 'ipfw fwd' does not change outgoing interface name

[Eugene Grosbein]

>Number:         129036
>Category:       kern
>Synopsis:       [ipfw] 'ipfw fwd' does not change outgoing interface name
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 21 05:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 6.3-STABLE i386
>Organization:
Svyaz Service JSC
>Environment:
System: FreeBSD eg.svzserv.kuzbass.ru 6.3-STABLE FreeBSD 6.3-STABLE #4: Fri Aug 15 14:42:33 KRAST 2008 eugen at eg.svzserv.kuzbass.ru:/usr/local/obj/usr/local/src/sys/EG i386

>Description:
	
	"ipfw fwd" rules commonly used to implement policy-based routing.
	Very often they are used to change outgoing interface for packet.
	For incoming packet, "ipfw fwd" changes next-hop but fails
	to change outgoing interface name if it changes with new next-hop
	assignment.

>How-To-Repeat:

	Assume a packet from 10.0.0.1 comes in via em0 and according to
	routing table should be forwarded via em1.
	When another router 192.168.0.1 is directly connected through em2:

	ipfw add 1000 fwd 192.168.0.1 ip from 10.0.0.0/8 to any in recv em0
	ipfw add 2000 divert 5000 ip from any to any out xmit em1

	Our packet is matched by rules 1000, so it's next-hop is changed
	to 192.168.0.1 and it will really go out em2. But at second
	ipwf rulest pass it is matched with rules 2000 to.
	That's really bad - packet is passed to userland application
	or netgraph mode listening on divert port 5000 but it must not.

>Fix:

	Unknown.
	With some care, ipfw ruleset may be changed to workaroung
	the problem but real fix is needed - kernel should correct
	name of ougoing interface for such cases so ipfw won't make mistakes.
>Release-Note:
>Audit-Trail:
>Unformatted: