IPFW1->2 regression: "in/out/via any" ignored
Dmitry Pryanishnikov
dmitry at atlantis.dp.ua
Thu Mar 23 12:03:40 UTC 2006
Hello!
I've found a serious regression during the IPFW1->2 transition. I'm using
"recv any" construction to match transit packets only. Manpage ipfw(8) clearly
says:
recv | xmit | via {ifX | if* | ipno | any}
Matches packets received, transmitted or going through, respec-
tively, the interface specified by exact name (ifX), by device
name (if*), by IP address, or through some interface.
...........................................^^^^^^^^^^^^^^^^^^^^^^
A packet may not have a receive or transmit interface: packets
originating from the local host have no receive interface, while
packets destined for the local host have no transmit interface.
So the following rule must not match locally-originated packets, thus matching
only transit ones:
00001 0 0 count ip from any to any out recv any
However, after transition to IPFW2 (RELENG_4, also have tried RELENG_6,
CURRENT - results are the same) the part "recv any" just gets ignored, and
the rule starts to match all outgoing packets, not just transit ones:
root at test3# ipfw add 1 count ip from any to any out recv any
00001 count ip from any to any out
root at test3# ipfw show
00001 7 1932 count ip from any to any out
I've searched the "ipfw any" context in our PR database and didn't find anything.
Is it a known issue? Does somebody work on it?
Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry at atlantis.dp.ua
nic-hdl: LYNX-RIPE
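The following is an added illustration, not code from the report or from FreeBSD: a small model of the "recv | xmit | via" semantics exactly as the quoted ipfw(8) text describes them (a packet with no receive interface never matches "recv any", so "out recv any" is transit-only), together with a check that compares the rule you typed against the rule ipfw echoes back and reports any clause that was silently dropped. Interface names such as fxp0 and the sample packets are constructed; the rule strings are the ones from the report above.

```python
# Added illustration of the interface-matching semantics that ipfw(8)
# documents for "recv | xmit | via", plus a check that catches the reported
# regression (a clause silently dropped when the rule is installed).
# This is a model written for this discussion, not FreeBSD's ipfw code.
from dataclasses import dataclass
from typing import Optional, Dict, Set


@dataclass
class Packet:
    recv_if: Optional[str]   # None: locally originated, no receive interface
    xmit_if: Optional[str]   # None: destined for the local host, no transmit interface
    direction: str           # "in" or "out"


def iface_matches(spec: str, name: Optional[str]) -> bool:
    """spec is 'any', an exact name (fxp0) or a device wildcard (fxp*).
    A missing interface (None) never matches, even against 'any'."""
    if name is None:
        return False
    if spec == "any":
        return True
    if spec.endswith("*"):
        return name.startswith(spec[:-1])
    return spec == name


def parse_rule(text: str) -> Dict[str, str]:
    """Extract the direction and interface clauses from an ipfw rule body.
    Leading numbers (rule number and counters, as in 'ipfw show') are ignored."""
    tokens = text.split()
    while tokens and tokens[0].isdigit():
        tokens.pop(0)
    rule: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("in", "out"):
            rule["direction"] = tok
        elif tok in ("recv", "xmit", "via") and i + 1 < len(tokens):
            rule[tok] = tokens[i + 1]
            i += 1
        i += 1
    return rule


def rule_matches(rule: Dict[str, str], pkt: Packet) -> bool:
    """Apply the documented semantics: recv checks the receive interface,
    xmit the transmit interface, via either of them."""
    if "direction" in rule and rule["direction"] != pkt.direction:
        return False
    if "recv" in rule and not iface_matches(rule["recv"], pkt.recv_if):
        return False
    if "xmit" in rule and not iface_matches(rule["xmit"], pkt.xmit_if):
        return False
    if "via" in rule and not (iface_matches(rule["via"], pkt.recv_if)
                              or iface_matches(rule["via"], pkt.xmit_if)):
        return False
    return True


def dropped_clauses(requested: str, echoed: str) -> Set[str]:
    """Clauses present in the rule you typed but absent from the rule ipfw
    echoed back. A non-empty result means the installed rule is broader
    than intended, which is the regression described in the report."""
    return set(parse_rule(requested)) - set(parse_rule(echoed))


if __name__ == "__main__":
    # Constructed sample packets; the interface names are made up.
    transit = Packet(recv_if="fxp0", xmit_if="fxp1", direction="out")
    local_out = Packet(recv_if=None, xmit_if="fxp1", direction="out")
    intended = parse_rule("count ip from any to any out recv any")
    installed = parse_rule("00001 count ip from any to any out")  # as echoed in the report
    for name, pkt in (("transit", transit), ("locally originated", local_out)):
        print(f"{name:18} intended={rule_matches(intended, pkt)} "
              f"installed={rule_matches(installed, pkt)}")
    print("dropped:", dropped_clauses("count ip from any to any out recv any",
                                      "00001 7 1932 count ip from any to any out"))
```

The `dropped_clauses` comparison is the practical check: after `ipfw add`, diff the echoed rule against what was submitted, since a firewall that quietly widens a rule is a policy failure that counters alone will not reveal.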