[Bug 212595] ipfw can't enable or disable sets 5 to 30

Mon Sep 12 05:01:39 UTC 2016

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212595

            Bug ID: 212595
           Summary: ipfw can't enable or disable sets 5 to 30
           Product: Base System
           Version: 11.0-RC1
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: avernar at gmail.com

Using ipfw you can't enable or disable sets if any set 5 or higher are
specified:

  # ipfw set disable 1
  # ipfw set disable 2
  # ipfw set disable 3
  # ipfw set disable 4
  # ipfw set disable 5
  ipfw: set enable/disable: setsockopt(IP_FW_SET_ENABLE): Invalid argument
  # ipfw set disable 1 2 3
  # ipfw set disable 1 2 4
  # ipfw set disable 1 2 5
  ipfw: set enable/disable: setsockopt(IP_FW_SET_ENABLE): Invalid argument

The problem is in ip_fw_sockopt.c in the manage_sets function.  For
IP_FW_SET_ENABLE the rh->range.set and rh->range.new_set variables are bitmasks
and not a single set number.  This is because multiple sets can be disabled and
enabled with a single call.

The new check against IPFS_MAX_SETS in that function is triggered since if set
5 or higher is specified the value of those variables is 32 or higher.

For the IP_FW_SET_SWAP and IP_FW_SET_MOVE those two variables are indeed set
numbers so the check is valid.  The check should be moved inside the switch
just for those two cases.

-- 
You are receiving this mail because:
You are the assignee for the bug.