From: Luigi Rizzo
To: freebsd-ipfw@freebsd.org, vladone
Date: Tue, 2 Aug 2005 14:32:11 -0700
Subject: Re: Another bug in IPFW@ ...?

ok, so the problem is the following: when i implemented ipfw2 i thought that 'recv any' or 'xmit any' were effectively NOPs so the parser erroneously removes them, together with any 'not' prefix (which is processed before).

To fix this one should - patch the function ipfw2.c:fill_iface() so that an argument of 'any' puts some special pattern in the ipfw_insn_if (e.g. an * in the first char of name[] should suffice as i doubt it is a legal interface name). cmd->o.len |= F_INSN_SIZE(ipfw_insn_if); /* Parse the interface or address */ if (!strcmp(arg, "any")) - cmd->o.len = 0; /* effectively ignore this command */ + cmd->name[0] = '*'; /* any interface */ else if (!isdigit(*arg)) { - patch the O_XMIT... case in ipfw2.c:show_ipfw() to print the special value above as 'any'; else /* if (cmd->opcode == O_VIA) */ s = "via"; if (cmdif->name[0] == '\0') printf(" %s %s", s, inet_ntoa(cmdif->p.ip)); + else if (cmdif->name[0] == '*') + printf(" %s any", s); else if (cmdif->p.unit == -1) printf(" %s %s*", s, cmdif->name); - patch sys/netinet/ip_fw2.c:iface_match() so that a '*' in the first char of name[] and a non-null ifp returns 1; if (ifp == NULL) /* no iface with this packet, match fails */ return 0; /* Check by name or by IP address */ if (cmd->name[0] != '\0') { /* match by name */ + if (cmd->name[0] == '*') + return 1; /* Check unit number (-1 is wildcard) */ if (cmd->p.unit != -1 && cmd->p.unit != ifp->if_unit) return(0); if you want to try, this should be all cheers luigi On Tue, Aug 02, 2005 at 07:46:06PM +0200, Oliver Fromme wrote: > vladone wrote: > > Please, explain more clearly, what u want to do? > > What exactly was unclear in my description? > > > P.S. looks very strange "out not recv any xmit" > > It's perfectly valid syntax according to ipfw(8). > > "out not recv any xmit dc0" consists of three options > (i.e. match patterns): > > 1. "out" --> match only outgoing packets. > > 2. "not recv any" --> match packets that haven't been > received through any interface (i.e. which originate > from the local host). It's simply a negation of > "recv any", see the ipfw(8) manpage. > > 3. "xmit dc0" --> match packets which are going to be > transmitted through the dc0 interface. 
>
> However, the problem is that the second option is being
> ignored, and I would like to know why, and how to work-around
> the bug.
>
> Best regards
>    Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
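
Review bot: in the ipfw2.c:fill_iface() hunk, the '*' marker written by `cmd->name[0] = '*';` is in-band, and the following branch `else if (!isdigit(*arg)) {` handles user-supplied interface names, so an argument that itself begins with '*' could end up indistinguishable from 'any' in the other two hunks. Suggest rejecting names that start with '*' in that branch, and also setting name[1] to '\0' next to the marker so the bytes after it do not depend on how the instruction buffer was initialised.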
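
Review bot: in the ipfw2.c:show_ipfw() hunk, the literal in `else if (cmdif->name[0] == '*')` is one of three copies of the marker (fill_iface() and iface_match() carry the other two), split between userland and kernel. Suggest a single named constant in the header shared by both sides so the three tests cannot drift apart. Keeping the new branch ahead of the `cmdif->p.unit == -1` test is right, since that later branch prints cmdif->name itself.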
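
Review bot: in the sys/netinet/ip_fw2.c:iface_match() hunk, the added `return 1;` is only correct because it sits after the `if (ifp == NULL)` early return; that ordering is what lets 'not recv any' keep matching packets that have no receive interface. A one-line comment saying the order is intentional would protect it from later reordering. The kernel and userland parts also need to ship together: a kernel without these two lines falls through to the existing unit and name checks for a rule that the patched ipfw binary stored with the marker.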
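
The effect discussed in this thread, as an added example that is not part of the original messages or of ipfw's source: a simplified model of how the rule "out not recv any xmit dc0" evaluates when the parser drops 'not recv any' versus when it is kept. The struct layouts, the matches() helper and the fxp0 interface are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for ipfw's structures (assumed for this example). */
struct iface { const char *name; };
struct pkt { int outgoing; const struct iface *rcvif, *oif; };
struct if_opt { int present, negate; const char *name; };  /* "*" = any */
struct rule { int out; struct if_opt recv, xmit; };

/* Same order as the patched check: a NULL ifp fails before the wildcard. */
static int iface_match(const struct iface *ifp, const struct if_opt *o)
{
    if (ifp == NULL)
        return 0;                 /* packet has no such interface */
    if (o->name[0] == '*')
        return 1;                 /* 'any' matches every real interface */
    return strcmp(ifp->name, o->name) == 0;
}

static int opt_match(const struct iface *ifp, const struct if_opt *o)
{
    int m;
    if (!o->present)
        return 1;                 /* option dropped by parser: no constraint */
    m = iface_match(ifp, o);
    return o->negate ? !m : m;
}

static int rule_match(const struct rule *r, const struct pkt *p)
{
    if (r->out && !p->outgoing)
        return 0;
    return opt_match(p->rcvif, &r->recv) && opt_match(p->oif, &r->xmit);
}

/* Rule: "out not recv any xmit dc0". keep_any=0 models the parser dropping
 * 'not recv any'. Constructed packets leave via dc0 and are either
 * forwarded (arrived on fxp0) or locally originated (no receive interface). */
int matches(int keep_any, int forwarded)
{
    static const struct iface fxp0 = { "fxp0" }, dc0 = { "dc0" };
    struct rule r = { 1, { keep_any, 1, "*" }, { 1, 0, "dc0" } };
    struct pkt p = { 1, forwarded ? &fxp0 : NULL, &dc0 };
    return rule_match(&r, &p);
}

int main(void)
{
    printf("option dropped: forwarded=%d local=%d\n", matches(0, 1), matches(0, 0));
    printf("option kept:    forwarded=%d local=%d\n", matches(1, 1), matches(1, 0));
    return 0;
}
```

With the option dropped the rule also matches forwarded traffic, which is the over-match reported in the thread.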