Date: Mon, 21 Apr 2003 06:43:02 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: Eugene Grosbein <eugen@grosbein.pp.ru>
Cc: security@freebsd.org
Subject: Re: ipfw1
Message-ID: <20030421064302.A98117@xorpc.icir.org>
In-Reply-To: <3EA383E4.B9069203@grosbein.pp.ru>; from eugen@grosbein.pp.ru on Mon, Apr 21, 2003 at 01:38:44PM +0800
References: <3EA383E4.B9069203@grosbein.pp.ru>
indeed, it looks like there is/has never been support in RELENG_4's
ip_fw.c for "not me" -- the section of code below should change like
this (untested -- check the polarity of the test):

    if (f->fw_flg & IP_FW_F_SME) {
        INADDR_TO_IFP(src_ip, tif);
-       if (tif == NULL)
+       if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVSRC) != 0))
            continue;
    }
    if (f->fw_flg & IP_FW_F_DME) {
        INADDR_TO_IFP(dst_ip, tif);
-       if (tif == NULL)
+       if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVDST) != 0))
            continue;
    }

ipfw2 does support this.

On Mon, Apr 21, 2003 at 01:38:44PM +0800, Eugene Grosbein wrote:
> Hi!
>
> May somebody look at http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/51132 ?
> It looks like ipfw1 has a serious bug in the ruleset processing.

on a side note, i would have been more specific and said "ipfw1 has a
serious bug in processing "not me" rules". Granted, your way of stating
the problem attracted my attention for this time, but next time i might
well think "ok it might be something minor..." :)

    cheers
    luigi

> Eugene Grosbein
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
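Review bot: the polarity of both `+` lines is right for the stated intent. With IP_FW_F_INVSRC clear the XOR reduces to the old `tif == NULL` test; with it set, a local source (tif non-NULL) gives `0 ^ 1` and the rule is skipped, while a non-local source gives `1 ^ 1` and the rule matches, which is exactly "not me" (the IP_FW_F_DME/IP_FW_F_INVDST pair behaves the same way). Two things are worth settling before commit: whether the IP_FW_F_INVSRC/IP_FW_F_INVDST bits are also consulted by the address-comparison code that handles non-SME/DME rules, so that an inverted flag cannot be honoured twice on one rule, and a one-line comment above each XOR, since `(tif == NULL) ^ (flag != 0)` is not self-explaining. The same four-line pattern appears twice; a small static inline helper taking `tif` and the inversion bit would keep the two copies in step.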
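As an added illustration (not code from this message or from FreeBSD's ip_fw.c), a constructed C model of the quoted source-address test, showing the original RELENG_4 behaviour beside the proposed XOR form; the flag values, the addr_to_ifp stand-in for INADDR_TO_IFP and the local address table are assumptions:

```c
/* Constructed model of the ipfw1 "me"/"not me" source test. Flag values,
 * the addr_to_ifp helper and the address table are assumptions, not the
 * kernel's definitions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_FW_F_SME     0x1u   /* rule says "from me": source must be local */
#define IP_FW_F_INVSRC  0x2u   /* invert the source test: "from not me"     */

/* Constructed local interface addresses: 10.0.0.1 and 192.168.1.1. */
static const uint32_t local_addrs[] = { 0x0A000001u, 0xC0A80101u };

/* Stand-in for INADDR_TO_IFP: non-NULL when addr belongs to a local interface. */
static const uint32_t *addr_to_ifp(uint32_t addr) {
    for (size_t i = 0; i < sizeof local_addrs / sizeof local_addrs[0]; i++)
        if (local_addrs[i] == addr)
            return &local_addrs[i];
    return NULL;
}

/* Original RELENG_4 logic as quoted above: IP_FW_F_INVSRC is never consulted,
 * so a "not me" rule is evaluated exactly like a "me" rule.
 * Returns true when the rule's source test matches (no "continue"). */
bool src_matches_old(unsigned fw_flg, uint32_t src_ip) {
    if (fw_flg & IP_FW_F_SME) {
        const uint32_t *tif = addr_to_ifp(src_ip);
        if (tif == NULL)
            return false;            /* "continue": try the next rule */
    }
    return true;
}

/* Proposed fix: XOR "source is not local" with the inversion bit, so the
 * rule is skipped when the local/non-local result disagrees with the flag. */
bool src_matches_fixed(unsigned fw_flg, uint32_t src_ip) {
    if (fw_flg & IP_FW_F_SME) {
        const uint32_t *tif = addr_to_ifp(src_ip);
        if ((tif == NULL) ^ ((fw_flg & IP_FW_F_INVSRC) != 0))
            return false;
    }
    return true;
}

int main(void) {
    unsigned not_me = IP_FW_F_SME | IP_FW_F_INVSRC;
    uint32_t local = 0x0A000001u, remote = 0xC0A80164u;  /* 192.168.1.100 */
    printf("old   'from not me': local=%d remote=%d\n",
           src_matches_old(not_me, local), src_matches_old(not_me, remote));
    printf("fixed 'from not me': local=%d remote=%d\n",
           src_matches_fixed(not_me, local), src_matches_fixed(not_me, remote));
    return 0;
}
```

The old form reports local=1 remote=0 for a "from not me" rule, the inverse of what the rule asks for; the fixed form reports local=0 remote=1.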