From owner-freebsd-bugs@FreeBSD.ORG  Fri Feb 25 19:50:17 2005
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id C61F716A4CF
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 25 Feb 2005 19:50:17 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5E54843D41
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 25 Feb 2005 19:50:17 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.1/8.13.1) with ESMTP id j1PJoH8C017482
	for <freebsd-bugs@freefall.freebsd.org>; Fri, 25 Feb 2005 19:50:17 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.1/8.13.1/Submit) id j1PJoHRg017481;
	Fri, 25 Feb 2005 19:50:17 GMT
	(envelope-from gnats)
Resent-Date: Fri, 25 Feb 2005 19:50:17 GMT
Resent-Message-Id: <200502251950.j1PJoHRg017481@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Manuel Kasper <mk@neon1.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9534E16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>;
	Fri, 25 Feb 2005 19:44:50 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 723F543D58
	for <freebsd-gnats-submit@FreeBSD.org>;
	Fri, 25 Feb 2005 19:44:50 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j1PJinQK051437
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 25 Feb 2005 19:44:49 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j1PJin51051436;
	Fri, 25 Feb 2005 19:44:49 GMT
	(envelope-from nobody)
Message-Id: <200502251944.j1PJin51051436@www.freebsd.org>
Date: Fri, 25 Feb 2005 19:44:49 GMT
From: Manuel Kasper <mk@neon1.net>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Subject: misc/78090: ipf filtering on bridged packets doesn't work if ipfw
	is loaded
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2005 19:50:17 -0000


>Number:         78090
>Category:       misc
>Synopsis:       ipf filtering on bridged packets doesn't work if ipfw is loaded
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 25 19:50:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Manuel Kasper
>Release:        5.3-RELEASE
>Organization:
>Environment:
FreeBSD daemon5.neon1.net 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov  5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
If ipfw is loaded, then the net.link.ether.bridge.ipf option, which is designed to pass bridged packets to ipfilter, doesn't work: no ipfilter rules are applied. This happens even when net.link.ether.bridge.ipfw=0.

Closer examination of sys/net/bridge.c reveals that the whole pfil processing part of the code is skipped if IPFW_LOADED == true, in order to prevent ipfw from being called twice on a given packet (once through pfil, and once directly from bdg_forward).
>How-To-Repeat:
Configure ipfilter to block packets, set up bridging between two interfaces. Make sure ipfw is not loaded. Observe that bridged packets are actually blocked by ipfilter. Load ipfw (leave net.link.ether.bridge.ipfw alone). Observe that packets are no longer blocked.
>Fix:
Packets should be tagged somehow in bdg_forward prior to sending them to pfil_run_hooks to make ipfw ignore them when it's called from pfil.
>Release-Note:
>Audit-Trail:
>Unformatted: