ipfw table add problem

Ian Lepore ian at FreeBSD.org
Fri Nov 22 22:09:45 UTC 2013 

On Fri, 2013-11-22 at 11:35 +1100, Mark Andrews wrote:
> In message <1385045442.31172.549.camel at revolution.hippie.lan>, Ian Lepore writes:
> > On Tue, 2013-11-19 at 23:26 +0200, =D6zkan KIRIK wrote:
> > > On Tue, Nov 19, 2013 at 11:21 PM, Andreas Nilsson <andrnils at gmail.com>wro=
> > te:
> > > =
> > 
> > > >
> > > >
> > > >
> > > > On Tue, Nov 19, 2013 at 9:36 PM, =D6zkan KIRIK <ozkan.kirik at gmail.com>w=
> > rote:
> > > >
> > > >> Hi,
> > > >>
> > > >>
> > > >>
> > > >> On Tue, Nov 19, 2013 at 10:22 PM, Andreas Nilsson <andrnils at gmail.com>=
> > wrote:
> > > >>
> > > >>>
> > > >>>
> > > >>>
> > > >>> On Tue, Nov 19, 2013 at 8:55 PM, =D6zkan KIRIK <ozkan.kirik at gmail.com=
> > >wrote:
> > > >>>
> > > >>>> Hi,
> > > >>>>
> > > >>>> I'm using kernel FreeBSD 10.0-BETA3 #2 r257635 kernel.
> > > >>>> I am trying to add port number to ipfw tables. But there is something
> > > >>>> strange :
> > > >>>> Problem is easily repeatable.
> > > >>>>
> > > >>>> #ipfw table 1 flush
> > > >>>> #ipfw table 1 add 4899
> > > >>>> #ipfw table 1 list
> > > >>>> ::/0 0
> > > >>>>
> > > >>> Works with ipfw table 1 add 0 4899
> > > >>>
> > > >> No, i want to use this table as port list ( to use with "lookup src-po=
> > rt
> > > >> 1" ) . If you add like this, you cannot match against ports. Am I wron=
> > g?
> > > >>
> > > > No, that should be possible.
> > > >
> > > >>
> > > >>
> > > >>>
> > > >>>> #ipfw table 1 flush
> > > >>>> #ipfw table 1 add 10.2.3.01       ( not 10.0.0.1,   the last 1 has 0=
> >  as
> > > >>>> prefix )
> > > >>>> #ipfw table 1 list
> > > >>>> ::/0 0
> > > >>>>
> > > >>> Did you mean ipfw table 1 add 10.2.3.0 1 ? That works for me.
> > > >>>
> > > >> Please dont leave spaces between 0 and 1.
> > > >>
> > > > Ok. any specific reason to type it as 10.2.3.01 instead 0f 10.2.3.1 ?
> > > >
> > > There is no specific reason, but both 10.2.3.01 and 10.2.3.1 are has true
> > > syntax.
> > > The problem is, ipfw doesnt throw any errors, but record added as
> > > 0.0.0.0/0( all the IPv4 network ). This behaviour is really dangerous.
> > > =
> > 
> > > FreeBSD 8.2 and 8.4 doesnt have this problem.
> > 
> > For this, I wonder if ipfw was recently changed from using inet_aton()
> > to inet_pton() to parse addresses?  Our implementation of inet_pton()
> > does not match the manpage -- it's supposed to accept decimal, octal, or
> > hex numbers for each of the dotted IP comonents, but it accepts decimal
> > only.  10.2.3.01 appears to cause it to return 0 as the address.  Our
> > inet_aton() handles oct/dec/hex.
> 
> The man page is wrong.
> 
> RFC 3493 states inet_pton *only* takes dotted decimal.  This was
> the same in RFC 2553.  The implementation Paul Vixie and I wrote
> back in 199[89] for BIND only accepts dotted decimal with no leading
> zeros.

Actually, it was me that was wrong... the man page does mention the
differences between inet_aton() and inet_pton(), I just didn't read all
the way to the end.

-- Ian

More information about the freebsd-ipfw mailing list