Date: Sun, 29 Apr 2007 19:55:29 +0400 (MSD)
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/112244: [patch][ipfw] Incorrect output of rule with the MAC option
Message-ID: <20070429155529.861E017011@btr-nb.properlan.net>
Resent-Message-ID: <200704291610.l3TGA1Nn034502@freefall.freebsd.org>
>Number: 112244
>Category: bin
>Synopsis: [patch][ipfw] Incorrect output of rule with the MAC option
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 29 16:10:01 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Andrey V. Elsukov
>Release: FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD btr-nb.properlan.net 7.0-CURRENT FreeBSD 7.0-CURRENT #11: Sat Apr 21 18:17:26 MSD 2007 root@btr-nb.properlan.net:/usr/obj/usr/src/sys/BTR i386
>Description:
ipfw(8) shows an incorrect rule in some cases when the MAC option is used.
An example:
> sudo ipfw add 100 count icmp from any to any MAC any any
00100 count icmp MAC any any any

"count icmp MAC any any any" is not the same as
"count icmp from any to any MAC any any"
>How-To-Repeat:
> sudo ipfw add 100 count icmp from any to any MAC any any
00100 count icmp MAC any any any
>Fix:
--- ipfw2.c.diff begins here ---
--- src/sbin/ipfw/ipfw2.c Sun Jan 7 06:02:02 2007 +++ src/sbin/ipfw/ipfw2.c Mon Apr 16 22:07:01 2007 @@ -1400,10 +1400,8 @@ #define HAVE_PROTO 0x0001 #define HAVE_SRCIP 0x0002 #define HAVE_DSTIP 0x0004 -#define HAVE_MAC 0x0008 -#define HAVE_MACTYPE 0x0010 -#define HAVE_PROTO4 0x0040 -#define HAVE_PROTO6 0x0080 +#define HAVE_PROTO4 0x0008 +#define HAVE_PROTO6 0x0010 #define HAVE_OPTIONS 0x8000 #define HAVE_IP (HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP) @@ -1415,16 +1413,6 @@ if ( (*flags & HAVE_IP) == HAVE_IP) *flags |= HAVE_OPTIONS; - if ( (*flags & (HAVE_MAC|HAVE_MACTYPE|HAVE_OPTIONS)) == HAVE_MAC && - cmd != O_MAC_TYPE) { - /* - * mac-type was optimized out by the compiler, - * restore it - */ - printf(" any"); - *flags |= HAVE_MACTYPE | HAVE_OPTIONS; - return; - } if ( !(*flags & HAVE_OPTIONS)) { if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO)) if ( (*flags & HAVE_PROTO4)) 
@@ -1680,28 +1668,6 @@ case O_PROBE_STATE: break; /* no need to print anything here */ - case O_MACADDR2: { - ipfw_insn_mac *m = (ipfw_insn_mac *)cmd; - - if ((cmd->len & F_OR) && !or_block) - printf(" {"); - if (cmd->len & F_NOT) - printf(" not"); - printf(" MAC"); - flags |= HAVE_MAC; - print_mac(m->addr, m->mask); - print_mac(m->addr + 6, m->mask + 6); - } - break; - - case O_MAC_TYPE: - if ((cmd->len & F_OR) && !or_block) - printf(" {"); - print_newports((ipfw_insn_u16 *)cmd, IPPROTO_ETHERTYPE, - (flags & HAVE_OPTIONS) ? cmd->opcode : 0); - flags |= HAVE_MAC | HAVE_MACTYPE | HAVE_OPTIONS; - break; - case O_IP_SRC: case O_IP_SRC_LOOKUP: case O_IP_SRC_MASK: @@ -1809,6 +1775,21 @@ if (cmd->len & F_NOT && cmd->opcode != O_IN) printf(" not"); switch(cmd->opcode) { + case O_MACADDR2: { + ipfw_insn_mac *m = (ipfw_insn_mac *)cmd; + + printf(" MAC"); + print_mac(m->addr, m->mask); + print_mac(m->addr + 6, m->mask + 6); + } + break; + + case O_MAC_TYPE: + print_newports((ipfw_insn_u16 *)cmd, + IPPROTO_ETHERTYPE, cmd->opcode); + break; + + case O_FRAG: printf(" frag"); break; --- ipfw2.c.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
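Review bot: in the first hunk (@@ -1400,10 +1400,8 @@), renumbering HAVE_PROTO4 and HAVE_PROTO6 to 0x0008 and 0x0010 is not needed in order to drop HAVE_MAC and HAVE_MACTYPE, and it makes the change larger than the fix. Deleting only the two MAC defines and leaving `#define HAVE_PROTO4 0x0040` and `#define HAVE_PROTO6 0x0080` untouched keeps the diff minimal and the remaining flag values stable.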
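Review bot: in the hunk at @@ -1680,28 +1668,6 @@, both removed cases opened an or-block themselves with `if ((cmd->len & F_OR) && !or_block) printf(" {");`, and the replacement cases added at @@ -1809,6 +1775,21 @@ contain no such check. The context visible there shows only the " not" prefix being printed ahead of the switch, so please confirm that the options path still opens the brace for O_MACADDR2 and O_MAC_TYPE instructions carrying F_OR, and state that in the PR.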
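Review bot: in the last hunk (@@ -1809,6 +1775,21 @@), the new O_MAC_TYPE case passes cmd->opcode to print_newports() unconditionally, where the removed code passed `(flags & HAVE_OPTIONS) ? cmd->opcode : 0`, so the listing of a mac-type match can differ from before for rules that previously took the 0 branch. The PR only shows a rule without a mac-type; an example listing with one, before and after the patch, would document the change. The run of blank `+` lines before `case O_FRAG:` can also be reduced to a single blank line.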