Another bug in IPFW@ ...?
Luigi Rizzo
rizzo at icir.org
Tue Aug 2 21:32:16 GMT 2005
ok, so the problem is the following: when I implemented ipfw2
I thought that 'recv any' or 'xmit any' were effectively NOPs,
so the parser erroneously removes them, together with any 'not' prefix
(which is processed before).
To fix this one should
- patch the function ipfw2.c:fill_iface()
so that an argument of 'any' puts some special pattern
in the ipfw_insn_if (e.g. an * in the first char of name[]
should suffice, as I doubt it is a legal interface name).
cmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
/* Parse the interface or address */
if (!strcmp(arg, "any"))
- cmd->o.len = 0; /* effectively ignore this command */
+ cmd->name[0] = '*'; /* any interface */
else if (!isdigit(*arg)) {
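Review bot: the new `cmd->name[0] = '*';` only writes the marker byte, so it is a valid one-character string only if the rest of name[] is already zeroed; unless fill_iface() or its caller memsets the instruction, add `cmd->name[1] = '\0';` so show_ipfw() or any later string comparison never reads past the marker. The removed `cmd->o.len = 0;` is what threw away the preceding 'not' along with the instruction, so leaving o.len as set by `F_INSN_SIZE` is the actual fix for the negation; a comment saying so would stop someone from "optimising" it back. Note also that the '*' is now a magic value shared with the kernel: an ipfw2.c with this change talking to an ip_fw2.c without the matching iface_match() change will compare "*" as a literal interface name, so `recv any` matches nothing and `not recv any` matches everything; both sides should be updated together, and the marker defined once in the shared header rather than typed as a literal here.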
- patch the O_XMIT... case in ipfw2.c:show_ipfw() to print
the special value above as 'any';
else /* if (cmd->opcode == O_VIA) */
s = "via";
if (cmdif->name[0] == '\0')
printf(" %s %s", s,
inet_ntoa(cmdif->p.ip));
+ else if (cmdif->name[0] == '*')
+ printf(" %s any", s);
else if (cmdif->p.unit == -1)
printf(" %s %s*", s, cmdif->name);
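Review bot: the placement is right: the `'*'` test has to come before the `p.unit == -1` branch, otherwise an 'any' instruction (name "*", with whatever p.unit fill_iface() left in it) could be printed as `via **`. A reader of show_ipfw() alone has no way to know what a leading '*' in name[] means, so give the new branch a one-line comment naming it as the 'any' marker set by fill_iface(), and use the same named constant as the kernel instead of the bare character.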
- patch sys/netinet/ip_fw2.c:iface_match() so that a '*'
in the first char of name[] and a non-null ifp returns 1;
if (ifp == NULL) /* no iface with this packet, match fails */
return 0;
/* Check by name or by IP address */
if (cmd->name[0] != '\0') { /* match by name */
+ if (cmd->name[0] == '*')
+ return 1;
/* Check unit number (-1 is wildcard) */
if (cmd->p.unit != -1 && cmd->p.unit != ifp->if_unit)
return(0);
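Review bot: putting the `'*'` check after the `ifp == NULL` test rather than at the top of the function is what gives `not recv any` its meaning: a packet with no receive interface fails `recv any` and so matches the negated form, which is exactly the locally originated case in Oliver's rule; a comment to that effect would keep the check from being moved later. Two smaller points: the literal '*' is now a contract between ipfw2.c and ip_fw2.c and belongs in a macro in the shared header, and the function mixes `return 0;` and `return(0);`, so the new lines should follow whichever style the file uses. Finally, since the wildcard short-circuits before the unit and name comparison, any name[] that happens to start with '*' matches every interface; the assumption that no real interface name can begin with '*' should be written down next to the check.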
If you want to try, this should be all.
cheers
luigi
On Tue, Aug 02, 2005 at 07:46:06PM +0200, Oliver Fromme wrote:
> vladone <vladone at spaingsm.com> wrote:
> > Please, explain more clearly, what u want to do?
>
> What exactly was unclear in my description?
>
> > P.S. looks very strange "out not recv any xmit"
>
> It's perfectly valid syntax according to ipfw(8).
>
> "out not recv any xmit dc0" consists of three options
> (i.e. match patterns):
>
> 1. "out" --> match only outgoing packets.
>
> 2. "not recv any" --> match packets that haven't been
> received through any interface (i.e. which originate
> from the local host). It's simply a negation of
> "recv any", see the ipfw(8) manpage.
>
> 3. "xmit dc0" --> match packets which are going to be
> transmitted through the dc0 interface.
>
> However, the problem is that the second option is being
> ignored, and I would like to know why, and how to work-
> around the bug.
>
> Best regards
> Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
>
> (On the statement print "42 monkeys" + "1 snake":) By the way,
> both perl and Python get this wrong. Perl gives 43 and Python
> gives "42 monkeys1 snake", when the answer is clearly "41 monkeys
> and 1 fat snake". -- Jim Fulton
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
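As an added example (not ipfw code, and not from Luigi's or Oliver's messages), the following small C model shows how "not recv any xmit dc0" is compiled into interface instructions and evaluated, and why zeroing o.len for "any" also discards the 'not'. The flag-in-length encoding (F_NOT, F_LEN_MASK) is modelled on ip_fw.h; the `model_` types and functions, the simplified interface-name parsing, and the packet layout are assumptions made for the example. Running it with the buggy parser matches both a locally originated and a forwarded packet; with the fixed parser only the locally originated one matches.

```c
/*
 * Added example, not ipfw code: model of ipfw2's instruction compile
 * (fill_iface) and the kernel's iface_match(), showing why
 * "cmd->o.len = 0" for 'any' also drops the preceding 'not'.
 * F_NOT/F_LEN_MASK follow ip_fw.h; everything prefixed model_ is assumed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFNAMSIZ   16
#define F_NOT      0x80              /* 'not' flag lives in the len byte */
#define F_LEN_MASK 0x3f              /* instruction length in 32-bit words */
#define F_LEN(cmd) ((cmd)->len & F_LEN_MASK)

enum model_opcode { O_RECV, O_XMIT };

struct model_insn {                  /* stand-in for ipfw_insn_if */
    enum model_opcode opcode;
    unsigned char len;               /* F_NOT | length; 0 == dropped */
    char name[IFNAMSIZ];             /* "*" = any interface */
    int unit;                        /* -1 = wildcard unit */
};
struct model_ifnet { const char *name; int unit; };   /* stand-in for ifnet */
struct model_pkt {
    const struct model_ifnet *rcvif;  /* NULL when locally originated */
    const struct model_ifnet *xmitif;
};

/* Model of fill_iface(); fixed == 0 reproduces the buggy handling of "any". */
static void model_fill_iface(struct model_insn *cmd, const char *arg, int fixed)
{
    cmd->len |= 1;                   /* F_INSN_SIZE: keeps an F_NOT already set */
    cmd->unit = -1;
    if (!strcmp(arg, "any")) {
        if (fixed)
            cmd->name[0] = '*';      /* any interface; name[] is pre-zeroed */
        else
            cmd->len = 0;            /* bug: wipes the length AND the F_NOT bit */
        return;
    }
    /* "dc0" -> name "dc", unit 0; "dc*" -> name "dc", unit -1 (wildcard) */
    size_t n = strcspn(arg, "0123456789*");
    memcpy(cmd->name, arg, n < IFNAMSIZ - 1 ? n : IFNAMSIZ - 1);
    if (arg[n] >= '0' && arg[n] <= '9')
        cmd->unit = atoi(arg + n);
}

/* Model of the patched kernel iface_match(). */
static int model_iface_match(const struct model_ifnet *ifp, const struct model_insn *cmd)
{
    if (ifp == NULL)                 /* no iface with this packet, match fails */
        return 0;
    if (cmd->name[0] == '*')         /* wildcard set by fill_iface() for "any" */
        return 1;
    if (cmd->unit != -1 && cmd->unit != ifp->unit)
        return 0;
    return strcmp(cmd->name, ifp->name) == 0;
}

/* Every surviving instruction must match, honouring F_NOT; len 0 means "gone". */
static int model_rule_matches(const struct model_insn *body, int n, const struct model_pkt *pkt)
{
    for (int i = 0; i < n; i++) {
        const struct model_insn *cmd = &body[i];
        if (F_LEN(cmd) == 0)
            continue;                /* parser dropped it, 'not' included */
        int m = model_iface_match(cmd->opcode == O_RECV ? pkt->rcvif : pkt->xmitif, cmd);
        if (cmd->len & F_NOT)
            m = !m;
        if (!m)
            return 0;
    }
    return 1;
}

/* 1 if "not recv any xmit dc0" matches; 'out' is implied by xmitif != NULL. */
int eval_rule(int fixed, int locally_originated)
{
    static const struct model_ifnet dc0 = { "dc", 0 }, fxp0 = { "fxp", 0 };
    struct model_insn body[2];
    struct model_pkt pkt = { locally_originated ? NULL : &fxp0, &dc0 };

    memset(body, 0, sizeof(body));
    body[0].opcode = O_RECV;
    body[0].len = F_NOT;             /* 'not' prefix is processed before fill_iface() */
    model_fill_iface(&body[0], "any", fixed);
    body[1].opcode = O_XMIT;
    model_fill_iface(&body[1], "dc0", fixed);
    return model_rule_matches(body, 2, &pkt);
}

int main(void)
{
    printf("buggy parser: local=%d forwarded=%d\n", eval_rule(0, 1), eval_rule(0, 0));
    printf("fixed parser: local=%d forwarded=%d\n", eval_rule(1, 1), eval_rule(1, 0));
    return 0;
}
```

The forwarded packet (received on fxp0, leaving on dc0) matching under the buggy parser is the symptom Oliver reports: with the 'recv any' instruction gone, the rule degenerates to "out xmit dc0".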