From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 197536] ipfilter rule removal via command line deletes all rules added after as well
Date: Wed, 11 Feb 2015 11:45:16 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197536

Bug ID: 197536
Summary: ipfilter rule removal via command line deletes all rules added after as well
Product: Base System
Version: 10.1-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: clearscreen@gmail.com

After updating from FreeBSD 9.3-RELEASE #0 r268512 to FreeBSD 10.1-RELEASE #0 r274401, which updated IPFilter from v4.1.28 (400) to v5.1.2 (608), the following command no longer works properly:

    echo "block in log level local7.info quick on em1 from 218.77.79.55/32 to any" | /sbin/ipf -rf - ;
    echo "block out log level local7.info quick on em1 from any to 218.77.79.55/32" | /sbin/ipf -rf - ;

By "works properly" I mean:

In ipfilter v4.1.28 the command above removes the one matching rule specified in the echo command (which is the expected behavior, I believe).

In ipfilter v5.1.2 the command above removes the one matching rule specified in the echo command AND every rule leading up to it.
Here is an example of what happens in ipfilter v5.1.2 in FreeBSD 10.1-RELEASE:

    root@perim:~ # ipfstat -lion
    @1 pass out all
    @2 block out log level local7.info quick on em1 inet from any to 103.41.124.56/32
    @3 block out log level local7.info quick on em1 inet from any to 222.186.59.100/32
    @4 block out log level local7.info quick on em1 inet from any to 209.251.180.19/32
    @5 block out log level local7.info quick on em1 inet from any to 80.82.70.230/32
    @6 block out log level local7.info quick on em1 inet from any to 128.208.4.164/32
    @7 block out log level local7.info quick on em1 inet from any to 193.0.129.108/32
    @8 block out log level local7.info quick on em1 inet from any to 116.104.186.248/32
    @9 block out log level local7.info quick on em1 inet from any to 62.210.95.18/32
    @1 pass in all
    @2 block in log level local7.info quick on em1 inet from 103.41.124.56/32 to any
    @3 block in log level local7.info quick on em1 inet from 222.186.59.100/32 to any
    @4 block in log level local7.info quick on em1 inet from 209.251.180.19/32 to any
    @5 block in log level local7.info quick on em1 inet from 80.82.70.230/32 to any
    @6 block in log level local7.info quick on em1 inet from 128.208.4.164/32 to any
    @7 block in log level local7.info quick on em1 inet from 193.0.129.108/32 to any
    @8 block in log level local7.info quick on em1 inet from 116.104.186.248/32 to any
    @9 block in log level local7.info quick on em1 inet from 62.210.95.18/32 to any
    root@perim:~ # echo "block in log level local7.info quick on em1 from 128.208.4.164/32 to any" | /sbin/ipf -rf - ; echo "block out log level local7.info quick on em1 from any to 128.208.4.164/32" | /sbin/ipf -rf - ;
    root@perim:~ # ipfstat -lion
    @1 pass out all
    @2 block out log level local7.info quick on em1 inet from any to 193.0.129.108/32
    @3 block out log level local7.info quick on em1 inet from any to 116.104.186.248/32
    @4 block out log level local7.info quick on em1 inet from any to 62.210.95.18/32
    @1 pass in all
    @2 block in log level local7.info quick on em1 inet from 193.0.129.108/32 to any
    @3 block in log level local7.info quick on em1 inet from 116.104.186.248/32 to any
    @4 block in log level local7.info quick on em1 inet from 62.210.95.18/32 to any

In the first command you can see the loaded firewall rules. In the next command the goal is to remove the block in and out for IP address 128.208.4.164. As you can see, after running the command for removal, a listing of the loaded firewall rules shows it has deleted every single rule leading up to it.

Is this a bug in my syntax? Did the syntax change between ipfilter v4.1.28 and v5.1.2? Or is it a bug in ipfilter somewhere?
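An added check, not part of the bug report or of ipfilter itself: a POSIX sh helper (hypothetical name unexpected_removals) that compares two ipfstat -lion listings, taken before and after an ipf -rf removal, and prints every rule that vanished besides the one intended. The listings below are constructed samples copied from the report's "in" rules; on a live system they would come from ipfstat -lion.

```shell
#!/bin/sh
# Constructed sample listings: the "in" rules from the report's two
# ipfstat -lion runs, before and after the ipf -rf removal.
BEFORE='@1 pass in all
@2 block in log level local7.info quick on em1 inet from 103.41.124.56/32 to any
@3 block in log level local7.info quick on em1 inet from 222.186.59.100/32 to any
@4 block in log level local7.info quick on em1 inet from 209.251.180.19/32 to any
@5 block in log level local7.info quick on em1 inet from 80.82.70.230/32 to any
@6 block in log level local7.info quick on em1 inet from 128.208.4.164/32 to any
@7 block in log level local7.info quick on em1 inet from 193.0.129.108/32 to any
@8 block in log level local7.info quick on em1 inet from 116.104.186.248/32 to any
@9 block in log level local7.info quick on em1 inet from 62.210.95.18/32 to any'
AFTER='@1 pass in all
@2 block in log level local7.info quick on em1 inet from 193.0.129.108/32 to any
@3 block in log level local7.info quick on em1 inet from 116.104.186.248/32 to any
@4 block in log level local7.info quick on em1 inet from 62.210.95.18/32 to any'
# The rule we meant to delete, written the way ipfstat prints it
# (ipfstat adds the "inet" keyword that the rule as typed omits).
INTENDED='block in log level local7.info quick on em1 inet from 128.208.4.164/32 to any'

# unexpected_removals BEFORE AFTER INTENDED (hypothetical helper, added here):
# print every rule present in BEFORE but absent from AFTER, other than
# INTENDED.  The @N prefixes are stripped first, because ipfstat
# renumbers the remaining rules after any deletion.
unexpected_removals() {
    { printf '%s\n' "$2"; echo '--END-OF-AFTER--'; printf '%s\n' "$1"; } |
    awk -v want="$3" '
        /^--END-OF-AFTER--$/ { in_before = 1; next }
        { sub(/^@[0-9]+ /, "") }
        !in_before { still_loaded[$0] = 1; next }
        !($0 in still_loaded) && $0 != want { print }'
}

# Stand-alone run: on the report's listings this reports the four rules
# (103.41.124.56, 222.186.59.100, 209.251.180.19, 80.82.70.230) that
# were deleted without being asked for.
lost=$(unexpected_removals "$BEFORE" "$AFTER" "$INTENDED")
if [ -n "$lost" ]; then
    echo "WARNING: rules removed beyond the intended one:"
    echo "$lost"
fi
```

The same diff run after the out-rule removal reports the four matching "block out" rules; an empty result is the only safe outcome before trusting that the firewall still holds the rules you expect.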