Date:      Sat, 3 Feb 2001 17:30:02 -0800 (PST)
From:      Bernd Luevelsmeyer <bdluevel@heitec.net>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: misc/24833: after cvsup + rebuild, ipfw "check-state" does not work
Message-ID:  <200102040130.f141U2H32132@freefall.freebsd.org>

The following reply was made to PR misc/24833; it has been noted by GNATS.

From: Bernd Luevelsmeyer <bdluevel@heitec.net>
To: freebsd-gnats-submit@FreeBSD.org
Cc: steve@megahack.com, Warner Losh <imp@harmony.village.org>
Subject: Re: misc/24833: after cvsup + rebuild, ipfw "check-state" does not work
Date: Sun, 04 Feb 2001 02:29:15 +0100

 I'm not familiar with the FreeBSD sources so I might be wrong, but
 this is how I understand it:
 
 It's the change in /usr/src/sys/netinet/ip_fw.c from version
 1.131.2.12 to 1.131.2.13, around line 1221.
  if (((f->fw_tcpf != f->fw_tcpnf) ||
     (f->fw_ipflg & IP_FW_IF_TCPEST))  &&
     !tcpflg_match(tcp, f))
 was replaced by
  if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f))
 
 The 'established' flag is in fw_ipflg. It's handled in tcpflg_match(),
 but since the test for fw_ipflg is gone, tcpflg_match() doesn't get
 a chance anymore to do the established-thing if fw_tcpf==fw_tcpnf,
 which (I assume) indicates TCP-flags are not used in the particular
 rule.
 The problem is IMHO that 'established' is a TCP property but not a
 TCP flag.
 
 Re-inserting the previous condition seems to work for me. This is a
 patch against 1.131.2.13:
 --- .vimbk/ip_fw.c.vimbk        Fri Feb  2 15:05:48 2001
 +++ ip_fw.c     Sun Feb  4 02:07:53 2001
 @@ -1222,7 +1222,9 @@
 
                         if (f->fw_tcpopt != f->fw_tcpnopt && !tcpopts_match(tcp, f))
                                 continue;
 -                       if (f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(tcp, f))
 +            if (((f->fw_tcpf != f->fw_tcpnf) ||
 +                        (f->fw_ipflg & IP_FW_IF_TCPEST))  &&
 +                    !tcpflg_match(tcp, f))
                                 continue;
                         goto check_ports;
                     }
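Review bot: the three added lines of the restored condition are indented differently from the context lines around them (the `if` starts well to the left of the `continue;` it guards), so the whitespace should be matched to the tcpopts_match() test just above before this goes in. A short comment above the condition would also help, saying that IP_FW_IF_TCPEST is kept in fw_ipflg and therefore has to force the tcpflg_match() call even when fw_tcpf == fw_tcpnf, since nothing in the hunk tells the next reader why that term must not be dropped again.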
 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
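The reasoning in the message above, as an added user-space C model that is not part of the original e-mail or the FreeBSD source. It compares the 1.131.2.13 condition with the patched one for a rule that sets only 'established'. The `struct rule`, the simplified `tcpflg_match()` body, the `skip_*` helper names and the IP_FW_IF_TCPEST bit value are assumptions made for illustration.

```c
#include <stdio.h>

/* Stand-ins for the kernel definitions. */
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define IP_FW_IF_TCPEST 0x01   /* placeholder bit, not the kernel's value */

struct rule { unsigned char fw_tcpf, fw_tcpnf; unsigned fw_ipflg; };

/* Simplified model (assumption) of tcpflg_match(): 'established' rejects
 * a bare SYN, then the required-set / required-clear flags are checked. */
static int tcpflg_match(unsigned char th_flags, const struct rule *f)
{
    if ((f->fw_ipflg & IP_FW_IF_TCPEST) &&
        (th_flags & (TH_RST | TH_ACK | TH_SYN)) == TH_SYN)
        return 0;
    if ((th_flags & f->fw_tcpf) != f->fw_tcpf)
        return 0;
    if (th_flags & f->fw_tcpnf)
        return 0;
    return 1;
}

/* Both helpers return 1 when the rule is skipped ("continue"). */
static int skip_1_131_2_13(unsigned char th_flags, const struct rule *f)
{
    return f->fw_tcpf != f->fw_tcpnf && !tcpflg_match(th_flags, f);
}

static int skip_patched(unsigned char th_flags, const struct rule *f)
{
    return ((f->fw_tcpf != f->fw_tcpnf) ||
            (f->fw_ipflg & IP_FW_IF_TCPEST)) &&
           !tcpflg_match(th_flags, f);
}

/* Constructed rule: 'established' only, no TCP flags requested. */
static const struct rule est_rule = { 0, 0, IP_FW_IF_TCPEST };

int main(void)
{
    const unsigned char pkts[] = { TH_SYN, TH_SYN | TH_ACK, TH_ACK };
    const char *names[] = { "SYN", "SYN|ACK", "ACK" };
    for (int i = 0; i < 3; i++)
        printf("%-8s 1.131.2.13 skip=%d  patched skip=%d\n", names[i],
               skip_1_131_2_13(pkts[i], &est_rule),
               skip_patched(pkts[i], &est_rule));
    return 0;
}
```

In this model a bare SYN is not skipped by the 1.131.2.13 condition, so the 'established' rule goes on to port matching, while the patched condition skips the rule for that packet.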



