From owner-freebsd-hackers  Fri Jan 13 01:58:58 1995
Return-Path: hackers-owner
Received: (from root@localhost) by freefall.cdrom.com (8.6.9/8.6.6) id BAA01898 for hackers-outgoing; Fri, 13 Jan 1995 01:58:58 -0800
Received: from bunyip.cc.uq.oz.au (bunyip.cc.uq.oz.au [130.102.2.1]) by freefall.cdrom.com (8.6.9/8.6.6) with SMTP id BAA01892 for <hackers@freebsd.org>; Fri, 13 Jan 1995 01:58:56 -0800
Received: from cc.uq.oz.au by bunyip.cc.uq.oz.au 
          id <27226-0@bunyip.cc.uq.oz.au>; Fri, 13 Jan 1995 19:57:55 +1000
Received: from orion.devetir.qld.gov.au 
          by pandora.devetir.qld.gov.au (8.6.7/DEVETIR-E0.3a) with ESMTP 
          id RAA13432; Fri, 13 Jan 1995 17:47:57 +1000
Received: by orion.devetir.qld.gov.au (8.6.7/DEVETIR-0.2a) id RAA18845;
          Fri, 13 Jan 1995 17:43:47 +1000
Date: Fri, 13 Jan 1995 17:43:47 +1000
From: Stephen McKay <syssgm@devetir.qld.gov.au>
Message-Id: <199501130743.RAA18845@orion.devetir.qld.gov.au>
To: hackers@FreeBSD.org
cc: Jakob Schripsema <sch@telecom.ptt.nl>
Subject: Re: Anyone working on the ipfirewall code ?
Sender: hackers-owner@FreeBSD.org
Precedence: bulk

Jakob Schripsema <sch@telecom.ptt.nl> writes:

>Is there anyone working on the ipfirewall code for FreeBSD ?? I intend to
>use it with release 2.0 but I ran into some problems (panics, strange ways
>of handling bitmasks and the like). I hate reinventing wheel, so I someone
>is already working on the code I prefer to join.

Yeah, I'm trying to use the firewall code here at work.  It's got a few bugs
and is absolutely gross inside.  I don't know how efficient or not it might
be because it is too ugly to read.  I'm all for a total discard and rewrite.
I'd love to do this, but unless the boss will fund it, I'm not going to be
able to find time.

There are changes in -current to ip_fw.c, but I can't tell if they do any
good as I can't read them either.

Anyway, I'm about to build a new kernel including the following patch:
(This is relative to 2.0R, and should fix the 'ipfw policy deny' crash, and
the inability to have both 'tcp' and 'udp' filters active simultaneously.)

--- netinet/ip_fw.c.dist	Tue Nov  8 22:47:27 1994
+++ netinet/ip_fw.c	Fri Jan 13 17:27:12 1995
@@ -277,6 +277,7 @@
      * be ever accepted or rejected...
      */
 
+#if 0	/* HEY, THIS CRAP AIN'T DOIN' ANYBODY ANY GOOD! */
 #ifdef IPFIREWALL_VERBOSE
 		/*
 		 * VERY ugly piece of code which actually
@@ -306,6 +307,7 @@
 	return(0);
     }
 #endif
+#endif /* CRAP */
     return(ip_fw_policy);
 
 }
@@ -371,8 +373,10 @@
 
 		if (newkind!=IP_FW_F_ALL 
 		&&  oldkind!=IP_FW_F_ALL
-		&&  oldkind!=newkind)
+		&&  oldkind!=newkind) {
+			chtmp_prev=chtmp;
 			continue;
+		}
 		/*
 		 * Very very *UGLY* code...
 		 * Sorry,but i had to do this....