Date: Mon, 25 Aug 1997 13:39:54 -0400 (EDT)
From: Thomas David Rivers
Message-Id: <199708251739.NAA00650@lakes.dignus.com>
To: ponds!freefall.cdrom.com!freebsd-hackers
Subject: 2.2-970825 and ipfw..
Sender: owner-freebsd-hackers@FreeBSD.ORG

F.Y.I. - I just researched this a little bit; to avert anyone else doing
unnecessary work:

In ip_fw.c:check_ipfw_struct(), we have:

        /* Must apply to incoming or outgoing (or both) */
        if (!(frwl->fw_flg & (IP_FW_F_IN | IP_FW_F_OUT))) {
                dprintf(("%s neither in nor out\n", err_prefix));
                return (NULL);
        }

But - in previous versions of 2.2 sources, if neither of these was set;
we assumed both as in:

        /* If neither In nor Out, then both */
        if (!(frwl->fw_flg & (IP_FW_F_IN | IP_FW_F_OUT)))
                frwl->fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;

This is the change that appears to have broken my ipfw setup...

Looking at the ipfw in the ssbin.XX files for 2.2-970825, I see the
following:

        /* No direction specified -> do both directions */
        if (!(rule.fw_flg & (IP_FW_F_OUT|IP_FW_F_IN)))
                rule.fw_flg |= (IP_FW_F_OUT|IP_FW_F_IN);

So - although I haven't verified this; it appears the ip_fw.c check is
valid, and ipfw has been updated appropriately.

        - Dave Rivers -
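
Added example, not part of the original message and not FreeBSD source: a small C model of the three snippets quoted above, showing which caller/kernel combinations install a rule that names no direction. The flag values, the cut-down struct and the function names are assumptions made for this example; a caller that does not apply the fixup is modelled as passing its flags through unchanged.

```c
#include <stdio.h>

/* Placeholder bit values for this example; not copied from ip_fw.h. */
#define IP_FW_F_IN   0x1u
#define IP_FW_F_OUT  0x2u
#define DIR_MASK     (IP_FW_F_IN | IP_FW_F_OUT)

struct rule { unsigned fw_flg; };       /* hypothetical cut-down rule */

/* Earlier kernel check as quoted: no direction means both; never rejects. */
static int kernel_check_lenient(struct rule *r)
{
    if (!(r->fw_flg & DIR_MASK))
        r->fw_flg |= DIR_MASK;
    return 1;
}

/* Later kernel check as quoted: a rule with no direction is refused. */
static int kernel_check_strict(const struct rule *r)
{
    return (r->fw_flg & DIR_MASK) != 0;
}

/* Userland fixup as quoted: fill in both directions before submitting. */
static void userland_fixup(struct rule *r)
{
    if (!(r->fw_flg & DIR_MASK))
        r->fw_flg |= DIR_MASK;
}

/* Returns the flags of the installed rule, or 0 if the kernel refused it. */
unsigned submit(unsigned flags, int caller_fixes_up, int strict_kernel)
{
    struct rule r = { flags };
    if (caller_fixes_up)
        userland_fixup(&r);
    if (strict_kernel ? !kernel_check_strict(&r) : !kernel_check_lenient(&r))
        return 0;                       /* rule never reaches the rule list */
    return r.fw_flg;
}

int main(void)
{
    for (int fix = 0; fix < 2; fix++)
        for (int strict = 0; strict < 2; strict++)
            printf("fixup=%d strict=%d -> installed flags 0x%x\n",
                   fix, strict, submit(0, fix, strict));
    return 0;
}
```

Only the combination of no fixup in the caller and the strict kernel check leaves the rule uninstalled, so a script that ignores the result of adding a rule can end up with a shorter ruleset than it was written for.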