Date:      Wed, 11 Feb 2015 11:45:16 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 197536] ipfilter rule removal via command line deletes all rules added after as well
Message-ID:  <bug-197536-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197536

            Bug ID: 197536
           Summary: ipfilter rule removal via command line deletes all
                    rules added after as well
           Product: Base System
           Version: 10.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: clearscreen@gmail.com

After updating from FreeBSD 9.3-RELEASE #0 r268512 to FreeBSD 10.1-RELEASE #0
r274401, which updated IPFilter from v4.1.28 (400) to v5.1.2 (608) the
following command no longer works properly:

echo "block in log level local7.info quick on em1 from 218.77.79.55/32 to any" | /sbin/ipf -rf - ;
echo "block out log level local7.info quick on em1 from any to 218.77.79.55/32" | /sbin/ipf -rf - ;

By works properly I mean:

In ipfilter v4.1.28 the command above removes the one matching rule specified
in the echo command (which is the expected behavior I believe).

In ipfilter v5.1.2 the command above removes the one matching rule specified in
the echo command AND every rule leading up to it.

Here is an example of what happens in ipfilter v5.1.2 in FreeBSD 10.1-RELEASE:

root@perim:~ # ipfstat -lion
@1 pass out all
@2 block out log level local7.info quick on em1 inet from any to 103.41.124.56/32
@3 block out log level local7.info quick on em1 inet from any to 222.186.59.100/32
@4 block out log level local7.info quick on em1 inet from any to 209.251.180.19/32
@5 block out log level local7.info quick on em1 inet from any to 80.82.70.230/32
@6 block out log level local7.info quick on em1 inet from any to 128.208.4.164/32
@7 block out log level local7.info quick on em1 inet from any to 193.0.129.108/32
@8 block out log level local7.info quick on em1 inet from any to 116.104.186.248/32
@9 block out log level local7.info quick on em1 inet from any to 62.210.95.18/32
@1 pass in all
@2 block in log level local7.info quick on em1 inet from 103.41.124.56/32 to any
@3 block in log level local7.info quick on em1 inet from 222.186.59.100/32 to any
@4 block in log level local7.info quick on em1 inet from 209.251.180.19/32 to any
@5 block in log level local7.info quick on em1 inet from 80.82.70.230/32 to any
@6 block in log level local7.info quick on em1 inet from 128.208.4.164/32 to any
@7 block in log level local7.info quick on em1 inet from 193.0.129.108/32 to any
@8 block in log level local7.info quick on em1 inet from 116.104.186.248/32 to any
@9 block in log level local7.info quick on em1 inet from 62.210.95.18/32 to any
root@perim:~ # echo "block in log level local7.info quick on em1 from 128.208.4.164/32 to any" | /sbin/ipf -rf - ; echo "block out log level local7.info quick on em1 from any to 128.208.4.164/32" | /sbin/ipf -rf - ;
root@perim:~ # ipfstat -lion
@1 pass out all
@2 block out log level local7.info quick on em1 inet from any to 193.0.129.108/32
@3 block out log level local7.info quick on em1 inet from any to 116.104.186.248/32
@4 block out log level local7.info quick on em1 inet from any to 62.210.95.18/32
@1 pass in all
@2 block in log level local7.info quick on em1 inet from 193.0.129.108/32 to any
@3 block in log level local7.info quick on em1 inet from 116.104.186.248/32 to any
@4 block in log level local7.info quick on em1 inet from 62.210.95.18/32 to any


In the first command you can see the loaded firewall rules. In the next command
the goal is to remove the block in and out for IP address 128.208.4.164. As you
can see after running the command for removal, a listing of the loaded firewall
rules shows it has deleted every single rule leading up to it.

Is this a bug in my syntax, did the syntax change between ipfilter v4.1.28 and
v5.1.2? Or is it a bug in ipfilter somewhere?
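A check an operator could put in a rule-management script, as an added example (not from the bug report or from ipfilter itself): it diffs two `ipfstat -lion` listings, ignoring the renumbered `@N` indices, and flags a removal that took more than the one intended rule. The listings below are constructed, modelled on the report's output, and the target rule is given as it appears in the listing (with `inet`), not as typed into `ipf -rf -`.

```shell
# Diff two "ipfstat -lion" listings and report which rules disappeared.
# Rule indices (@N) are renumbered after every removal, so they are
# stripped before comparing; only the rule text is significant.

# Constructed listings (hypothetical, modelled on the report) of the
# "block in" rules before and after removing the 128.208.4.164 rule.
BEFORE='@1 pass in all
@2 block in log level local7.info quick on em1 inet from 103.41.124.56/32 to any
@3 block in log level local7.info quick on em1 inet from 128.208.4.164/32 to any
@4 block in log level local7.info quick on em1 inet from 193.0.129.108/32 to any'

# What v4.1.28 left behind: only the targeted rule is gone.
AFTER_V4='@1 pass in all
@2 block in log level local7.info quick on em1 inet from 103.41.124.56/32 to any
@3 block in log level local7.info quick on em1 inet from 193.0.129.108/32 to any'

# What v5.1.2 left behind: the targeted rule and every rule before it are gone.
AFTER_V5='@1 pass in all
@2 block in log level local7.info quick on em1 inet from 193.0.129.108/32 to any'

TARGET='block in log level local7.info quick on em1 inet from 128.208.4.164/32 to any'

# strip_index LISTING: print each line's rule text without its "@N " prefix
strip_index() {
    printf '%s\n' "$1" | sed 's/^@[0-9][0-9]* //'
}

# removed_rules BEFORE AFTER: rules in BEFORE but not in AFTER, original order
removed_rules() {
    {
        strip_index "$2" | sed 's/^/A /'
        strip_index "$1" | sed 's/^/B /'
    } | awk '$1 == "A" { seen[substr($0, 3)] = 1; next }
             { r = substr($0, 3); if (!(r in seen)) print r }'
}

# removed_count BEFORE AFTER: how many rules disappeared (0 on no change)
removed_count() {
    removed_rules "$1" "$2" | awk 'END { print NR }'
}

# removal_verdict BEFORE AFTER TARGET: "ok" when exactly TARGET was removed,
# "nothing-removed" when the listing is unchanged, "over-deleted" otherwise
removal_verdict() {
    removed=$(removed_rules "$1" "$2")
    if [ "$removed" = "$3" ]; then echo ok
    elif [ -z "$removed" ]; then echo nothing-removed
    else echo over-deleted
    fi
}
```

On a live system, capture `ipfstat -lion` into a variable before and after the `ipf -rf -` call and pass those two captures in place of the constructed listings.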
