From owner-freebsd-bugs@FreeBSD.ORG  Sun May  4 04:50:03 2008
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 91A94106564A
	for <freebsd-bugs@hub.freebsd.org>;
	Sun,  4 May 2008 04:50:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id A5AAC8FC15
	for <freebsd-bugs@hub.freebsd.org>;
	Sun,  4 May 2008 04:50:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m444o2lj072251
	for <freebsd-bugs@freefall.freebsd.org>; Sun, 4 May 2008 04:50:02 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m444o2pR072250;
	Sun, 4 May 2008 04:50:02 GMT (envelope-from gnats)
Date: Sun, 4 May 2008 04:50:02 GMT
Message-Id: <200805040450.m444o2pR072250@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: 
Subject: Re: kern/123358: [ipfw] ipfw add 1000 allow IP from any to any
 doesn't work
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 04 May 2008 04:50:03 -0000

The following reply was made to PR kern/123358; it has been noted by GNATS.

From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Edwin Groothuis <edwin@mavetju.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org,
        Julian Elischer <julian@elischer.org>
Subject: Re: kern/123358: [ipfw] ipfw add 1000 allow IP from any to any doesn't
        work
Date: Sun, 04 May 2008 08:39:57 +0400

 Edwin Groothuis wrote:
 > Loading an ipfw rule with "IP" instead of "ip" will enter the rule
 > properly in the list, but it never gets matched.
 > 
 >> How-To-Repeat:
 > 
 >     [/home/edwin] root@k7>ipfw add 100 allow IP from any to any
 >     00100 allow ip from any to any
 >     [/home/edwin] root@k7>ipfw add 100 allow ip from any to any
 >     00100 allow ip from any to any
 > 
 >     [/home/edwin] root@k7>ipfw -a list
 >     00100   0      0 allow ip from any to any
 >     00100 922 168617 allow ip from any to any
 >     65535 182  20023 deny ip from any to any
 > 
 > The first entry should be increasing, not the second.
 
 Yes. When you are using "ip" or "all" as protocol, then
 ipfw(8) doesn't make internal opcode and ipfw(9) matches
 any packets. When you are using "IP" (parser is case sensitive),
 then ipfw(8) makes a O_PROTO opcode and ipfw(9) matches it
 with layer3 protocol number.
 I don't know what is the best way to fix this problem.
 I see three ways:
 1. Don't do anything.
 2. Make manual better (sorry, i'm not native english
 speaker, so i can't).
 3. Add quirk to ipfw(8) ti add_proto0 function, something
 similar:
 --- src/sbin/ipfw/ipfw2.c       27 Feb 2008 13:52:33 -0000      1.118
 +++ src/sbin/ipfw/ipfw2.c       4 May 2008 04:38:24 -0000
 @@ -4580,6 +4580,11 @@ add_proto0(ipfw_insn *cmd, char *av, u_c
          if (*ep != '\0' || proto <= 0) {
                  if ((pe = getprotobyname(av)) == NULL)
                          return NULL;
 +
 +               /* Is it an IP proto? */
 +               if (pr->p_proto == 0)
 +                       return (0);
 +
                  proto = pe->p_proto;
          }
 
 -- 
 WBR, Andrey V. Elsukov