kern/148885: ipfw netgraph ignores net.inet.ip.fw.one_pass
Nickolay Dudorov
nnd at mail.nsk.ru
Sat Jul 24 03:20:05 UTC 2010
>Number: 148885
>Category: kern
>Synopsis: ipfw netgraph ignores net.inet.ip.fw.one_pass
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jul 24 03:20:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Nickolay Dudorov
>Release: 8.1-RELEASE
>Organization:
STE Infoteka
>Environment:
FreeBSD nnd.itfs.nsk.su 8.1-RELEASE FreeBSD 8.1-RELEASE #5: Thu Jul 22 20:51:35 NOVST 2010 root at nnd.itfs.nsk.su:/usr/obj/usr/src/sys/FINER8 amd64
>Description:
man ipfw says:
..
netgraph cookie
Divert packet into netgraph with given cookie. The search terminates.
If packet is later returned from netgraph it is either accepted or
continues with the next rule, depending on net.inet.ip.fw.one_pass
sysctl variable.
..
but after the last massive changes in the ipfw implementation (March 23 2010)
packets continue with the next rule regardless of the net.inet.ip.fw.one_pass value.
The same holds for 'netgraph ngtee' rules.
The included patch corrects the problem.
The problem is present in CURRENT, RELENG_8 and 8.1-RELEASE.
>How-To-Repeat:
On a plain CURRENT or 8.1-RELEASE system with (say) an em0 interface,
do:
================================================================
kldload netgraph
kldload ng_ipfw
kldload ng_ip_input
ngctl << EOF
mkpeer ipfw: ip_input 100 in
EOF
ipfw add 100 netgraph 100 all from any to any in recv em0
ipfw add 200 count log all from any to any in recv em0
================================================================
and you can see that all packets go through rules 100 and 200
regardless of the net.inet.ip.fw.one_pass value.
>Fix:
Apply the included patch.
Patch attached with submission follows:
--- sys/netinet/ipfw/ip_fw2.c.orig 2010-07-24 09:25:28.000000000 +0700
+++ sys/netinet/ipfw/ip_fw2.c 2010-07-24 09:27:35.000000000 +0700
@@ -2084,6 +2084,8 @@
set_match(args, f_pos, chain);
args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ?
tablearg : cmd->arg1;
+ if (V_fw_one_pass)
+ args->rule.info |= IPFW_ONEPASS;
retval = (cmd->opcode == O_NETGRAPH) ?
IP_FW_NETGRAPH : IP_FW_NGTEE;
l = 0; /* exit inner loop */
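Review bot: after these two lines args->rule.info carries the cookie (or the tablearg value) and the IPFW_ONEPASS bit in the same word, so whatever on the netgraph side resolves "netgraph cookie" to a hook must mask the flag bits off before comparing the cookie; please confirm that the hook lookup in ng_ipfw does so, otherwise a packet matched with one_pass=1 would fail the lookup instead of being diverted, and a cookie taken from tablearg must not overlap the flag bits either. A comment saying that info packs cookie and flags would help the next reader of this case.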
--- sys/netgraph/ng_ipfw.c.orig 2010-07-24 09:24:51.000000000 +0700
+++ sys/netgraph/ng_ipfw.c 2010-07-24 09:23:54.000000000 +0700
@@ -287,7 +287,8 @@
}
r = (struct ipfw_rule_ref *)(tag + 1);
*r = fwa->rule;
- r->info = dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
+ r->info &= IPFW_ONEPASS; /* keep this info */
+ r->info |= dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
m_tag_prepend(m, tag);
} else
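Review bot: the description says 'netgraph ngtee' rules show the same problem, yet the only tag construction this patch changes is the branch above the `} else`; state in the PR whether the ngtee path also has to carry IPFW_ONEPASS or why it is unaffected. Also, the comment `/* keep this info */` should say what is kept and what is dropped: `r->info &= IPFW_ONEPASS` discards the cookie and preserves only the one-pass bit before the direction bit is ORed in, so something like `/* drop the cookie, keep IPFW_ONEPASS */` would be clearer.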
>Release-Note:
>Audit-Trail:
>Unformatted:
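A user-space model of the info word's round trip, added here as an editor's example (it is not code from this PR or from FreeBSD): it shows why both parts of the patch are needed, with the unpatched and patched behaviour side by side. The flag values are assumptions that mirror the layout of sys/netinet/ip_fw.h (IPFW_INFO_MASK, IPFW_INFO_IN, IPFW_INFO_OUT and IPFW_ONEPASS are assumed constants, so check them against your tree), and struct rule_ref, ipfw_match_netgraph, ng_ipfw_tag, ng_ipfw_cookie, ipfw_reinject and round_trip are hypothetical names standing in for the kernel code paths.

```c
/*
 * Added example, not FreeBSD code: models how the rule-reference "info"
 * word travels from ipfw_chk() into the ng_ipfw mbuf tag and back to the
 * pfil hook, before and after the patch.  Flag values are ASSUMED to
 * mirror sys/netinet/ip_fw.h; verify them against your source tree.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IPFW_INFO_MASK  0x0000ffffu   /* assumed: low 16 bits hold the cookie */
#define IPFW_INFO_OUT   0x00000000u   /* assumed */
#define IPFW_INFO_IN    0x80000000u   /* assumed */
#define IPFW_ONEPASS    0x40000000u   /* assumed */

/* Hypothetical stand-in for struct ipfw_rule_ref: only the fields used here. */
struct rule_ref {
    uint32_t rulenum;
    uint32_t info;
};

enum verdict { VERDICT_PASS, VERDICT_CONTINUE };

/* What the O_NETGRAPH/O_NGTEE case of ipfw_chk() leaves in args->rule.info. */
static struct rule_ref
ipfw_match_netgraph(uint32_t rulenum, uint32_t cookie, int one_pass, bool patched)
{
    struct rule_ref r = { rulenum, cookie };
    if (patched && one_pass)          /* first hunk: record the flag here */
        r.info |= IPFW_ONEPASS;
    return r;
}

/* What ng_ipfw_input() writes into the MTAG_IPFW_RULE tag (non-tee path). */
static struct rule_ref
ng_ipfw_tag(struct rule_ref fwa_rule, int dir_in, bool patched)
{
    struct rule_ref r = fwa_rule;
    if (patched)
        r.info &= IPFW_ONEPASS;       /* second hunk: drop cookie, keep flag */
    else
        r.info = 0;                   /* old code: overwrite the whole word */
    r.info |= dir_in ? IPFW_INFO_IN : IPFW_INFO_OUT;
    return r;
}

/* The value a netgraph hook lookup must compare: the cookie without flags. */
static uint32_t
ng_ipfw_cookie(uint32_t info)
{
    return info & IPFW_INFO_MASK;
}

/* Decision when the packet comes back from netgraph: accept outright
 * (one_pass) or resume the search after the tagging rule. */
static enum verdict
ipfw_reinject(struct rule_ref tag)
{
    return (tag.info & IPFW_ONEPASS) ? VERDICT_PASS : VERDICT_CONTINUE;
}

/* End to end: rule 100 "netgraph 100" on an inbound packet that the
 * netgraph node hands back to ipfw. */
static enum verdict
round_trip(int one_pass, bool patched)
{
    struct rule_ref matched = ipfw_match_netgraph(100, 100, one_pass, patched);
    struct rule_ref tagged = ng_ipfw_tag(matched, 1, patched);
    return ipfw_reinject(tagged);
}

int
main(void)
{
    int one_pass;
    for (one_pass = 0; one_pass <= 1; one_pass++) {
        printf("one_pass=%d unpatched: %s  patched: %s\n", one_pass,
            round_trip(one_pass, false) == VERDICT_PASS ? "accept" : "next rule",
            round_trip(one_pass, true) == VERDICT_PASS ? "accept" : "next rule");
    }
    printf("cookie seen by the netgraph node with one_pass=1: %u\n",
        ng_ipfw_cookie(ipfw_match_netgraph(100, 100, 1, true).info));
    return 0;
}
```

With the unpatched functions the returned packet always continues at the next rule, whichever way one_pass is set; with both changes applied it is accepted when one_pass is 1 and continues when it is 0. The ng_ipfw_cookie() step is the masking that the netgraph side has to do once the flag shares the info word with the cookie.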