From owner-freebsd-bugs@freebsd.org Tue Feb 21 02:19:33 2017
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 217262] ipfw lookup tables match on index instead of value
Date: Tue, 21 Feb 2017 02:19:33 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: allanjude@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217262

            Bug ID: 217262
           Summary: ipfw lookup tables match on index instead of value
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: allanjude@FreeBSD.org

When you create tables in ipfw, with a valtype of legacy, they match on the
index of the value in the table, not the actual value as expected.

This bug was previously detected for the 'ipfw table XXX lookup KEY' case,
and fixed in r307628
https://svnweb.freebsd.org/base?view=revision&revision=307628

However, it seems the same bug exists when packets are matched against the
rules.

Create a table with enough unique values so that the tables do not work by
accident (if the first value you create happens to be 1, its index will be 1,
and it will seem like it is working):

    sh -c 'for t in $(jot 50 10); do ipfw table 53 add 1.2.3.${t}/32 ${t};done'
    ...
    added: 1.2.3.42/32 42
    ...

    #ipfw table 53 lookup 1.2.3.42/32
    1.2.3.42/32 42
    [from debugging without r307628, we know index = 33]

    #ipfw table 53 add 8.8.8.8/32 1
    added: 8.8.8.8/32 1
    #ipfw table 53 add 8.8.4.4/32 0
    added: 8.8.4.4/32 0

    #ipfw table 53 lookup 8.8.8.8
    8.8.8.8/32 1
    [Index = 51]
    #ipfw table 53 lookup 8.8.4.4
    8.8.4.4/32 0
    [Index = 52]

# We create a set of rules, traffic to 8.8.8.8 should match rule 5000, since
its value is 1, but instead will match rule 5001, because the index of the
value in the table is 51.

    #ipfw add 5000 allow tcp from any to 'table(53,1)' dst-port 53
    #ipfw add 5001 allow tcp from any to 'table(53,51)' dst-port 53
    #ipfw add 6000 deny tcp from any to 8.8.8.8,8.8.4.4 dst-port 53

    #ipfw table 53 list
    --- table(53), set(0) ---
    1.2.3.10/32 10
    1.2.3.11/32 11
    ...
    1.2.3.58/32 58
    1.2.3.59/32 59
    8.8.4.4/32 0
    8.8.8.8/32 1

    #ipfw show
    00100 522 31320 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    00400 0 0 deny ip from any to ::1
    00500 0 0 deny ip from ::1 to any
    00600 0 0 allow ipv6-icmp from :: to ff02::/16
    00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
    00800 14 1084 allow ipv6-icmp from fe80::/10 to ff02::/16
    00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
    01000 48 3304 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
    05000 0 0 allow tcp from any to table(53,1) dst-port 53
    05001 0 0 allow tcp from any to table(53,51) dst-port 53
    06000 0 0 deny tcp from any to 8.8.8.8,8.8.4.4 dst-port 53
    65000 154480098 238424204503 allow ip from any to any
    65535 0 0 deny ip from any to any

    #telnet 8.8.8.8 53
    Trying 8.8.8.8...
    Connected to google-public-dns-a.google.com.
    Escape character is '^]'.
    Connection closed by foreign host.

    #ipfw show 5000 5001 6000
    05000 0 0 allow tcp from any to table(53,1) dst-port 53
    05001 4 216 allow tcp from any to table(53,51) dst-port 53
    06000 0 0 deny tcp from any to 8.8.8.8,8.8.4.4 dst-port 53

# MATCHED THE WRONG RULE!

    #telnet 8.8.4.4 53
    Trying 8.8.4.4...
    telnet: connect to address 8.8.4.4: Permission denied
    telnet: Unable to connect to remote host

    #ipfw show 5000 5001 6000
    05000 0 0 allow tcp from any to table(53,1) dst-port 53
    05001 4 216 allow tcp from any to table(53,51) dst-port 53
    06000 9 540 deny tcp from any to 8.8.8.8,8.8.4.4 dst-port 53
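A small Python model of the value-vs-index mismatch described in the report, added here as an illustration; it is not part of the bug report or of ipfw itself. The table contents and rule numbers mirror the report, and the way value indexes are assigned (1-based, in order of first insertion of each unique value) is an assumption inferred from the report's own numbers (42 at index 33, then 1 at 51 and 0 at 52).

```python
import ipaddress
class LegacyTable:
    # Model of an ipfw table with valtype legacy: prefix -> numeric value.
    def __init__(self):
        self.entries = {}      # ip_network -> value
        self.value_index = {}  # value -> index in the table's value array
    def add(self, prefix, value):
        self.entries[ipaddress.ip_network(prefix)] = value
        # Assumption inferred from the report (42 -> index 33, then 1 -> 51,
        # 0 -> 52): each new unique value takes the next 1-based index.
        self.value_index.setdefault(value, len(self.value_index) + 1)
    def lookup(self, addr):
        # Longest-prefix match; returns the entry's value or None.
        ip = ipaddress.ip_address(addr)
        hits = [(n.prefixlen, v) for n, v in self.entries.items() if ip in n]
        return max(hits)[1] if hits else None

def rule_matches(table, dst, want, buggy):
    # 'table(N,want)' should compare the entry's value; the buggy kernel
    # path compares the value's index instead.
    value = table.lookup(dst)
    if value is None:
        return False
    return (table.value_index[value] if buggy else value) == want

def build_report_table():
    # Constructed to mirror the report: 1.2.3.10..59 with values 10..59,
    # then 8.8.8.8 -> 1 and 8.8.4.4 -> 0.
    t = LegacyTable()
    for v in range(10, 60):
        t.add(f"1.2.3.{v}/32", v)
    t.add("8.8.8.8/32", 1)
    t.add("8.8.4.4/32", 0)
    return t

RULES = [(5000, 1), (5001, 51)]  # allow tcp ... to table(53,V) dst-port 53

def first_matching_rule(table, dst, buggy):
    # Rule number that fires for a packet to dst; 6000 is the final deny.
    for num, want in RULES:
        if rule_matches(table, dst, want, buggy):
            return num
    return 6000

def masked_by_coincidence():
    # The report's warning: if the first value added is 1, its index is 1 too.
    t = LegacyTable()
    t.add("10.0.0.1/32", 1)
    return rule_matches(t, "10.0.0.1", 1, False) == rule_matches(t, "10.0.0.1", 1, True)
```

With the report's table, a packet to 8.8.8.8 lands on rule 5000 under value matching but on rule 5001 under index matching, reproducing the counters shown above; the single-entry table shows why a table whose first value is 1 hides the defect.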