From: Luigi Rizzo <rizzo@xorpc.icir.org>
To: Eugene Grosbein
cc: net@freebsd.org, security@freebsd.org
Date: Mon, 21 Apr 2003 06:43:02 -0700
Subject: Re: ipfw1
Message-ID: <20030421064302.A98117@xorpc.icir.org>
In-Reply-To: <3EA383E4.B9069203@grosbein.pp.ru>; from eugen@grosbein.pp.ru on Mon, Apr 21, 2003 at 01:38:44PM +0800
References: <3EA383E4.B9069203@grosbein.pp.ru>

indeed, it looks like there is/has never been support in RELENG_4's
ip_fw.c for "not me" -- the section of code below should change like
this (untested -- check the polarity of the test):

	if (f->fw_flg & IP_FW_F_SME) {
	    INADDR_TO_IFP(src_ip, tif);
-	    if (tif == NULL)
+	    if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVSRC) != 0))
		continue;
	}
	if (f->fw_flg & IP_FW_F_DME) {
	    INADDR_TO_IFP(dst_ip, tif);
-	    if (tif == NULL)
+	    if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVDST) != 0))
		continue;
	}

ipfw2 does support this.

On Mon, Apr 21, 2003 at 01:38:44PM +0800, Eugene Grosbein wrote:
> Hi!
>
> May somebody look at http://www.FreeBSD.org/cgi/query-pr.cgi?pr=kern/51132 ?
> It looks like ipfw1 has a serious bug in the ruleset processing.

on a side note, i would have been more specific and said "ipfw1 has a
serious bug in processing "not me" rules." Granted, your way of stating
the problem attracted my attention for this time, but next time i might
well think "ok it might be something minor..." :)

cheers
luigi

> Eugene Grosbein
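Review bot: the polarity the author asks to have checked works out correctly in both hunks, so the remaining question is whether the rest of the path actually sets the flag. Walking the four cases of `if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVSRC) != 0))`: with the inverse flag clear the test reduces to the old `tif == NULL`, so a plain "me" rule is skipped (`continue`) when the address is not local; with the flag set, `tif != NULL` gives `0 ^ 1 == 1` and the rule is skipped when the address is local, while `tif == NULL` gives `1 ^ 1 == 0` and the rule matches, which is exactly "not me". Normalising the flag with `!= 0` before the XOR is necessary, since `f->fw_flg & IP_FW_F_INVSRC` is a bit mask and not a 0/1 value, and `tif == NULL` already is; keep that. Two review asks: confirm that IP_FW_F_INVSRC and IP_FW_F_INVDST are actually populated for "not me" by the code that builds the rule (the kernel-side change alone does nothing if the flag never arrives in `fw_flg`), and, since the DME hunk is the SME hunk with `dst_ip`/`IP_FW_F_INVDST` substituted, consider folding the XOR test into a small helper or macro so a future polarity fix is not applied to one branch and forgotten on the other.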