Date: Fri, 3 Aug 2007 14:56:43 GMT
From: Sergey Matveychuk <sem@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/115172: ipfw list show some rules with a wrong format
Message-ID: <200708031456.l73EuhGm053945@www.freebsd.org>
Resent-Message-ID: <200708031500.l73F06sr021759@freefall.freebsd.org>
>Number: 115172
>Category: bin
>Synopsis: ipfw list show some rules with a wrong format
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 03 15:00:06 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Sergey Matveychuk
>Release:
>Organization:
>Environment:
FreeBSD orange.yandex.net 6.2-STABLE FreeBSD 6.2-STABLE #3: Mon Jul 30 16:35:23 UTC 2007 root@orange.yandex.net:/usr/obj/usr/src/sys/ORANGE i386
>Description:
I think quite a lot of people have met the situation where you want to save the current rules with the 'ipfw list' command and use it as ipfw input afterwards. (Yes, you should add an 'add' word before each line.) But here we meet a weird problem: 'ipfw list' sometimes outputs a wrong rule format and you can't use it without modification.

The problem is with 'to { ... or ... }' blocks. Let's see an example. You add the rule:

    ipfw add 100 allow tcp from { 10.10.10.1 or 10.10.10.2 } to { 10.10.10.3 or 10.10.10.4 or 10.10.10.5 }

and it's shown as:

    00100 allow tcp from { 10.10.10.1 or 10.10.10.2 } to { 10.10.10.3 or dst-ip 10.10.10.4 or dst-ip 10.10.10.5 }

The dst-ip words are wrong here. If you try to add the rule in this format you get an error:

    ipfw: missing ")"

I think it's a known and long-standing problem. (I've found it was introduced with the commit: Revision 1.11: Mon Aug 19 04:52:15 2002 UTC (4 years, 11 months ago) by luigi.)

After investigation I've found a strange assumption in the show_prerequisites() function. It looks wrong. So I think we can remove it easily. It'll fix the problem. I've tried a lot of syntax variants and I can't see anything wrong in the output after the modification.
>How-To-Repeat:
see above
>Fix:
--- sbin/ipfw/ipfw2.c.orig Thu Aug 2 13:44:45 2007 +++ sbin/ipfw/ipfw2.c Thu Aug 2 15:17:44 2007 
@@ -1394,9 +1394,6 @@ { if (comment_only) return; - if ( (*flags & HAVE_IP) == HAVE_IP) - *flags |= HAVE_OPTIONS; - if ( !(*flags & HAVE_OPTIONS)) { if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO)) if ( (*flags & HAVE_PROTO4)) >Release-Note: >Audit-Trail: >Unformatted:
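Review bot: The removed check "if ( (*flags & HAVE_IP) == HAVE_IP) *flags |= HAVE_OPTIONS;" is what stopped the following "if ( !(*flags & HAVE_OPTIONS))" block from running once both addresses had been printed, so with it gone that block is now entered for every item shown after the addresses, and the patch does not say why that is safe. Please add a sentence to the change description (or a comment above the HAVE_OPTIONS test) stating that each check inside the block is guarded by its own HAVE_* flag, as the visible "!(*flags & HAVE_PROTO) && (want & HAVE_PROTO)" test is, so no prerequisite text can be emitted a second time. The report says many syntax variants were tried but lists none; attaching the rule set used, including a rule with or-blocks followed by trailing options, would let the 'ipfw list' output be checked by feeding it back through 'ipfw add'.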
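For systems still running an unpatched ipfw, the save-and-reload step described in the report can be done with a filter. This is an added example, not part of the original report or of the FreeBSD source; the function name ipfw_list_to_add is hypothetical, and it assumes the stray keyword only ever appears as "or dst-ip" inside the address block that directly follows "to", as in the output quoted in the report.

```shell
#!/bin/sh
# Added example: convert saved `ipfw list` output (stdin) into lines that
# can be fed back to ipfw as input (stdout).

ipfw_list_to_add() {
    # 1. Inside the "{ ... }" block that directly follows " to ", drop each
    #    "dst-ip" that comes right after "or". The loop repeats until no
    #    match is left, because one block can hold several of them.
    #    A genuine option or-block such as "to any { dst-ip A or dst-ip B }"
    #    is not touched: its "{" is not directly preceded by " to ".
    # 2. Replace the zero-padded rule number with "add <number>".
    sed -E \
        -e ':strip' \
        -e 's/( to \{[^}]* or )dst-ip /\1/' \
        -e 't strip' \
        -e 's/^0*([0-9]+) /add \1 /'
}

# Sample input. The first line is the output quoted in the report; the
# second is constructed here to show that option or-blocks are preserved.
sample_list_output() {
    cat <<'EOF'
00100 allow tcp from { 10.10.10.1 or 10.10.10.2 } to { 10.10.10.3 or dst-ip 10.10.10.4 or dst-ip 10.10.10.5 }
00200 allow ip from any to any { dst-ip 10.10.10.4 or dst-ip 10.10.10.5 }
EOF
}

sample_list_output | ipfw_list_to_add
```

Review the resulting lines before loading them as ipfw input; rules the filter does not recognise pass through unchanged apart from the "add" prefix.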