From owner-freebsd-ipfw@FreeBSD.ORG Wed Sep 14 09:04:15 2011 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4095C1065673 for ; Wed, 14 Sep 2011 09:04:15 +0000 (UTC) (envelope-from vladimir.budnev@gmail.com) Received: from mail-bw0-f54.google.com (mail-bw0-f54.google.com [209.85.214.54]) by mx1.freebsd.org (Postfix) with ESMTP id BE01B8FC1B for ; Wed, 14 Sep 2011 09:04:14 +0000 (UTC) Received: by mail-bw0-f54.google.com with SMTP id zs8so1622937bkb.13 for ; Wed, 14 Sep 2011 02:04:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=6uD6q9JNCIu0sRW6Y+pm1Xqw/hqz+CswnfhqWQWopxo=; b=k3r1BqZ8d1FtR52nTmy3hia6st0tQgGoQkhoTD9fh6J6hPoR7bh/VX1EI9b9ydK1CK /rgem0PXxNdnhM4amp913P50exNS8vjgyYlwsfiwj2f3cE9+mSc902QNSZUEp10Lp13U 6/B90YVZSjoKXutbTX2HloHqm1bMkR2zYbmUA= Received: by 10.204.9.205 with SMTP id m13mr1017060bkm.212.1315989202252; Wed, 14 Sep 2011 01:33:22 -0700 (PDT) Received: from [192.168.66.106] ([80.253.27.98]) by mx.google.com with ESMTPS id z9sm3110999bkn.7.2011.09.14.01.33.20 (version=SSLv3 cipher=OTHER); Wed, 14 Sep 2011 01:33:21 -0700 (PDT) Message-ID: <4E7066CE.3070702@gmail.com> Date: Wed, 14 Sep 2011 12:33:18 +0400 From: Vladimir Budnev User-Agent: Mozilla/5.0 (X11; U; Linux i686; ru_RU; rv:1.9.2.20) Gecko/20110820 Icedove/3.1.12 MIME-Version: 1.0 To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit Cc: Subject: IPFW hidden/broken rule? (Free 7.2) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Sep 2011 09:04:15 -0000 Hello list I am not sure which list this question must go to, so I am sending to -net and -ipfw lists. We have faced some strange problem with ipfw behavior, which we can't understand ourselves. An it really hurts:( We are running 7.2-RELEASE. I'll try to describe the problem as we observe it and our steps to figure out what is happening. An questions will be at the end. In short there is a situation which looks like some old rule keep on playing but we cant see this in ipfw outputs. I'd say 'hidden' rule So we have ipfw using tables for pipes, and we have e.g. following ipfw output.The pipes configuration does mean nothing, it will be clear at the end of mail, where key moment will be described. [Out1] <...> 04701 pipe tablearg ip from table(2) to any in via em0 04801 pipe tablearg ip from any to table(3) out via em0 04901 allow ip from table(4) to any in via em0 05001 allow ip from any to table(4) out via em0 05101 fwd tcp from table(5) to any dst-port 80,443,8828 in via em0 <...> We'v noticed that no packets from specific ip(10.121.241.23) reache 5101 rule with fwd to example.server. This ip is in table 5: # ipfw table 5 list 10.10.122.23/32 0 10.10.122.167/32 0 We’ve parsed all tables and no matches. OK, we started placing debug rules to realize which rule accepts packets. And we found out following.If we place the following debug rule(we used the same fwd rule) such way(added 4602 rule): [Out2] <...> 04602 113 75 fwd tcp from table(5) to any dst-port 80,443,8828 in via em0 <-- OK her 04701 107971113 85095893815 pipe tablearg ip from table(2) to any in via em0 04801 102517924 83276945675 pipe tablearg ip from any to table(3) out via em0 04901 4413338 991348968 allow ip from table(4) to any in via em0 05001 7146323 8293221022 allow ip from any to table(4) out via em0 05101 0 0 fwd tcp from table(5) to any dst-port 80,443,8828 in via em0 <...> Then packets match the rule.But if we delete 4602 and place debug rule at 4702: [Out3] <...> 04701 108458823 85372134891 pipe tablearg ip from table(2) to any in via em0 04702 0 0 fwd tcp from table(5) to any dst-port 80,443,8828 in via em0 <-- NOT WORKING 04801 - - pipe tablearg ip from any to table(3) out via em0 04901 - - allow ip from table(4) to any in via em0 05001 - - allow ip from any to table(4) out via em0 05101 0 0 fwd tcp from table(5) to any dst-port 80,443,8828 in via em0 <...> So placing rule after 4701 gives zero counters, that means that our ip packets match 4701 rule :) But we DO NOT HAVE target ip in table 2. It resides only in table 5 as shown before.But it must be noticed that such rule WAS in table 2 before.But then was removed from table 2 and added to table 6. Records in table 2 looks like that: # ipfw table 2 list 10.10.122.20/32 9 10.10.122.21/32 4 10.10.122.25/32 9 10.10.122.28/32 6 10.10.122.30/32 6 We also thought that mb we added missconfigured rule e.g. 10.10.122.0/24 rule in table 2 but no. Here goes the KEY moment! OK crawling through the logs, different tests etc we decide to clear table 2. At first step, we’ve deleted all records manually, with: ipfw table 2 delete and NO effect at the time table was clear.So there were no records in table 2, but rule 4701 was still catching packets from the target ip. Second, we did flush with ipfw table 2 flush And voila, everything went fine from that moment! Miracle flush? So the problem seems like the rule resides deep in the kernel heart, but we can NOT see this rule with ipfw output. So i think there are at least to questions: 1. Have anyone ever met such situation? Or may be something close to this one with 'hidden' ipfw rules? 2. Is there a way how to get more info about rules and firewall matching decisions? Mb some sysctl tuning or something else? Cause its the first time we met such situation and don’t even imagine how to diagnose such 'hidden' rule:(