Date:      Mon, 5 Apr 2004 15:49:51 +0200
From:      Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To:        <freebsd-ipfw@freebsd.org>
Subject:   Is this a bug? ifname[wildcard] matches other interfaces?
Message-ID:  <E3AE90582399B14EB7D037B53B9B17E94DFF@exchange.wanglobal.net>

Hi

I was led to believe that using ifname* (read: interface name + wildcard) would work.
Apparently the fxp* matches all, even the ones originating or destined to tunX.
A bug or did I misunderstand the man page?

In ip_fw2.c ~@388 I read the following, which I -believe- skips name comparison when matching interface. Am I understanding the code correctly?
	...
	if (cmd->name[0] != '\0') { /* match by name */
		/* Check unit number (-1 is wildcard) */
		if (cmd->p.unit != -1 && cmd->p.unit != ifp->if_unit)
			return(0);
		/* Check name */
		if (!strncmp(ifp->if_name, cmd->name, IFNAMSIZ))
			return(1);
	} else {
	...

FreeBSD 4.9-RELEASE-p3 with IPFW2 as module, dummynet module loaded.

00200  796 233528 allow via lo0 // &! permit all via loopback interface
00201  159  13155 allow dst-port 53,22,80
00202    0      0 deny dst-port 135,137,138,139,445
00203 3897 293591 skipto 207 out // &! skip ahead for outgoing packets
00204 5565 405417 skipto 400 recv fxp* // &! received on main fxp*
00205    0      0 skipto 800 recv tun* // &! received on main tun*
00206    0      0 skipto 209 in // &! skip ahead for unhandled
00207 3897 293591 skipto 600 xmit fxp* // &! xmitted on main fxp*
00208    0      0 skipto 1000 xmit tun* // &! xmitted on main tun*
00209    0      0 allow // &! default for main main
00400 1733  89195 pipe 1000 { dst-port 1214,6699,5190,4661-4665,6345-6350 or src-port 1214,6699,5190,4661-4665,6345-6350 }
00401 3832 316222 allow // &! default for interfacegroup in_fxp
00600 1232 121000 deny not src-ip 80.x.x.0/24,80.x.x.0/29 out xmit fxp0
00601    0      0 pipe 1001 { dst-port 1214,6699,5190,4661-4665,6345-6350 or src-port 1214,6699,5190,4661-4665,6345-6350 }
00602    0      0 fwd 80.x.x.21 src-ip 80.x.x.22 out xmit fxp0
00603 2665 172591 allow // &! default for interfacegroup out_fxp
00800    0      0 pipe 2 recv tun0 // &! received on tun0
00801    0      0 pipe 3 recv tun1 // &! received on tun1
...
01000    0      0 pipe 103 xmit tun0 // &! transmitted on tun0
01001    0      0 pipe 104 xmit tun1 // &! transmitted on tun1
...


_// Sten Daniel Sørsdal
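
The interface comparison from the quoted ip_fw2.c excerpt, as an added example that is not part of this thread or of FreeBSD's own code: a small C model of the match on a 4.x-style split name/unit pair, plus an assumed parser for the "fxp*" / "fxp0" rule argument. fill_iface(), rule_matches() and the sample interface table are constructed for this example; the excerpt shows only the kernel comparison, not how the userland tool fills the name and unit fields, so the parser is an assumption. The model shows what the excerpted comparison does on its own: fxp* matches fxp0 and fxp1 but not tun0, and fxp0 matches only unit 0. Since this branch cannot match a tun interface by name, anyone reproducing the observed behaviour would next check what the loaded rule's name and unit fields actually contain rather than this comparison.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFNAMSIZ 16

/* Stand-in for the two struct ifnet fields the posted snippet reads.
 * FreeBSD 4.x kept the driver name ("fxp") and the unit number (0) apart,
 * so "fxp0" is if_name "fxp", if_unit 0. */
struct ifnet {
    const char *if_name;
    int if_unit;
};

/* Stand-in for the interface instruction: name plus unit, unit -1 = wildcard. */
struct ipfw_insn_if {
    char name[IFNAMSIZ];
    int unit;
};

/* ASSUMPTION (constructed for this example, not FreeBSD's parser): how a rule
 * argument such as "fxp*" or "tun1" is split into the name/unit pair. The name
 * is everything before the first digit or '*'; '*' sets the wildcard unit and a
 * digit string sets the unit number. Returns 0 on success, -1 for a bad spec. */
static int fill_iface(struct ipfw_insn_if *cmd, const char *arg)
{
    char *q;

    memset(cmd, 0, sizeof(*cmd));
    if (strlen(arg) == 0 || strlen(arg) >= IFNAMSIZ)
        return -1;
    strcpy(cmd->name, arg);
    for (q = cmd->name; *q != '\0' && !isdigit((unsigned char)*q) && *q != '*'; q++)
        ;
    if (*q == '*')
        cmd->unit = -1;
    else if (isdigit((unsigned char)*q))
        cmd->unit = atoi(q);
    else
        return -1;          /* neither a unit nor a wildcard: reject the spec */
    *q = '\0';              /* keep only the driver name for strncmp() */
    return cmd->name[0] == '\0' ? -1 : 0;
}

/* The comparison from the ip_fw2.c excerpt, transcribed: unit first (-1 matches
 * any unit), then the name. The excerpt's else branch matches by interface
 * address rather than name; it is left out here, so an empty name matches nothing. */
static int iface_match(const struct ifnet *ifp, const struct ipfw_insn_if *cmd)
{
    if (cmd->name[0] != '\0') {           /* match by name */
        if (cmd->unit != -1 && cmd->unit != ifp->if_unit)
            return 0;
        if (!strncmp(ifp->if_name, cmd->name, IFNAMSIZ))
            return 1;
    }
    return 0;
}

/* Does rule argument `spec` match an interface with this name and unit?
 * Returns 1 for a match, 0 for no match or an unparsable spec. */
int rule_matches(const char *spec, const char *if_name, int if_unit)
{
    struct ipfw_insn_if cmd;
    struct ifnet ifp;

    if (fill_iface(&cmd, spec) != 0)
        return 0;
    ifp.if_name = if_name;
    ifp.if_unit = if_unit;
    return iface_match(&ifp, &cmd);
}

int main(void)
{
    /* Constructed interface table resembling the poster's host: two fxp, two tun. */
    const struct ifnet ifs[] = {
        { "fxp", 0 }, { "fxp", 1 }, { "tun", 0 }, { "tun", 1 },
    };
    const char *specs[] = { "fxp*", "tun*", "fxp0", "tun1" };
    size_t i, j;

    for (i = 0; i < sizeof(specs) / sizeof(specs[0]); i++) {
        printf("%-5s matches:", specs[i]);
        for (j = 0; j < sizeof(ifs) / sizeof(ifs[0]); j++)
            if (rule_matches(specs[i], ifs[j].if_name, ifs[j].if_unit))
                printf(" %s%d", ifs[j].if_name, ifs[j].if_unit);
        putchar('\n');
    }
    return 0;
}
```

The one place where this model diverges from the real kernel is the omitted address branch: a rule whose name field is empty falls through to an address comparison in ip_fw2.c, which is a separate match and not a "match everything" path either.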



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E3AE90582399B14EB7D037B53B9B17E94DFF>