From owner-freebsd-bugs Fri Dec 27 15:00:23 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3F4B237B401 for ; Fri, 27 Dec 2002 15:00:21 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 31CD843EC5 for ; Fri, 27 Dec 2002 15:00:20 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id gBRN0KNS072787 for ; Fri, 27 Dec 2002 15:00:20 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id gBRN0KVp072786; Fri, 27 Dec 2002 15:00:20 -0800 (PST)
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F04337B401 for ; Fri, 27 Dec 2002 14:53:25 -0800 (PST)
Received: from z.infxa.com (z.infxa.com [80.238.135.123]) by mx1.FreeBSD.org (Postfix) with SMTP id 3E5CD43EC2 for ; Fri, 27 Dec 2002 14:53:24 -0800 (PST) (envelope-from root@z.infxa.com)
Received: (qmail 894 invoked by uid 0); 27 Dec 2002 22:53:18 -0000
Message-Id: <20021227225318.893.qmail@z.infxa.com>
Date: 27 Dec 2002 22:53:18 -0000
From: Manuel Kasper
Reply-To: Manuel Kasper
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: mk@neon1.net
X-Send-Pr-Version: 3.113
Subject: kern/46564: IPFilter and IPFW processing order is not sensible
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         46564
>Category:       kern
>Synopsis:       IPFilter and IPFW processing order is not sensible
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 27 15:00:19 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Manuel Kasper
>Release:        FreeBSD 4.x
>Organization:
>Environment:
Any reasonably recent release of FreeBSD with both ipfilter and ipfw compiled into the kernel (or loaded as modules at the same time).
>Description:
When both ipfilter and ipfw are loaded, incoming/outgoing packets are checked in the following order:

incoming: -> ipfw -> ipnat -> ipfilter ->
outgoing: -> ipfw -> ipfilter -> ipnat ->

This does not make sense - if ipfw is checked first for incoming packets, then it should be checked last for outgoing packets, or vice versa. This applies especially when using ipnat: incoming packets will be seen in ipfw with an un-NAT-ed public destination IP address, while outgoing packets will have an internal IP address as their source. Together with ipnat, this also breaks ipfw's keep-state feature, as it won't see the same source/destination tuple for incoming and outgoing packets belonging to the same connection.
>How-To-Repeat:
Use both ipfilter and ipfw at the same time and observe the order in which they get checked for incoming and outgoing packets (try using ipnat, too).
>Fix:
My suggestion is to reverse the processing order in sys/netinet/ip_output.c so ipfw gets checked before ipfilter. That would at least provide consistent behaviour. An even better solution would be to make the processing order configurable, preferably with a sysctl.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
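The keep-state breakage described in the PR can be reproduced without a FreeBSD box by modelling the three hooks and running one NATed connection through them in both orders. The program below is an added illustration, not FreeBSD code and not part of the PR: ipnat is reduced to a single "map" rule with one translation entry, ipfw to "check-state" plus "allow tcp from any to any 80 keep-state", and ipfilter to pass-all (it is only there to keep the hook order visible). The addresses are constructed from the RFC 5737 documentation ranges. With the reported order, ipfw records the outbound tuple with the private source, then sees the reply addressed to the public address and finds no matching dynamic rule; with ipfw moved to the end of the output path it sees public addresses in both directions and the reply matches.

```c
/*
 * Added illustration (not FreeBSD code): a toy model of the hook order the
 * PR describes, showing why ipfw's keep-state cannot match both directions of
 * one NATed connection when ipfw sees the un-NATed public address on input
 * but the private address on output.  ipfilter is modelled as "pass all".
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed addresses, not from the PR (RFC 5737 documentation ranges). */
#define INSIDE_HOST  0x0A000005u /* 10.0.0.5      internal client          */
#define PUBLIC_ADDR  0xC6336401u /* 198.51.100.1  ipnat "map" address      */
#define REMOTE_HOST  0xCB00710Au /* 203.0.113.10  web server on the Internet */

enum dir  { DIR_IN, DIR_OUT };
enum hook { H_IPFW, H_IPNAT, H_IPF };

struct pkt { uint32_t src, dst; uint16_t sport, dport; };

/* ipnat model: one "map" rule plus the translation entry it creates. */
struct nat_state { bool active; uint32_t inside; uint16_t iport; };

static void ipnat_hook(struct nat_state *n, enum dir d, struct pkt *p)
{
    if (d == DIR_OUT && p->src == INSIDE_HOST) {
        n->active = true; n->inside = p->src; n->iport = p->sport;
        p->src = PUBLIC_ADDR;            /* source NAT on the way out */
    } else if (d == DIR_IN && n->active &&
               p->dst == PUBLIC_ADDR && p->dport == n->iport) {
        p->dst = n->inside;              /* reverse translation on the way in */
    }
}

/* ipfw model: "check-state" then "allow tcp from any to any 80 keep-state"
 * for outbound packets; everything else is denied.  The dynamic rule is keyed
 * on the 4-tuple exactly as ipfw saw it, which is the point of the PR. */
struct fw_state { bool active; struct pkt key; };

static bool same_flow(const struct pkt *a, const struct pkt *b)
{
    bool fwd = a->src == b->src && a->dst == b->dst &&
               a->sport == b->sport && a->dport == b->dport;
    bool rev = a->src == b->dst && a->dst == b->src &&
               a->sport == b->dport && a->dport == b->sport;
    return fwd || rev;
}

static bool ipfw_hook(struct fw_state *f, enum dir d, const struct pkt *p)
{
    if (f->active && same_flow(p, &f->key))
        return true;                     /* check-state hit */
    if (d == DIR_OUT && p->dport == 80) {
        f->active = true; f->key = *p;   /* keep-state: remember the tuple */
        return true;
    }
    return false;                        /* default deny */
}

struct ctx { struct nat_state nat; struct fw_state fw; };

/* Run the three hooks in the given order; false means ipfw dropped the packet. */
static bool run_hooks(struct ctx *c, enum dir d, const enum hook order[3], struct pkt *p)
{
    for (int i = 0; i < 3; i++) {
        switch (order[i]) {
        case H_IPFW:  if (!ipfw_hook(&c->fw, d, p)) return false; break;
        case H_IPNAT: ipnat_hook(&c->nat, d, p); break;
        case H_IPF:   break;             /* ipfilter: pass all in this model */
        }
    }
    return true;
}

/* One connection: the inside host opens a TCP session to port 80 on the remote
 * host, then the remote host's reply arrives addressed to the public address.
 * Returns true if ipfw's dynamic rule accepts that reply. */
static bool reply_accepted(const enum hook out_order[3], const enum hook in_order[3])
{
    struct ctx c;
    memset(&c, 0, sizeof c);
    struct pkt out = { INSIDE_HOST, REMOTE_HOST, 40000, 80 };
    if (!run_hooks(&c, DIR_OUT, out_order, &out))
        return false;
    struct pkt in = { REMOTE_HOST, PUBLIC_ADDR, 80, 40000 };
    return run_hooks(&c, DIR_IN, in_order, &in);
}

/* Hook orders as reported in the PR. */
static const enum hook in_reported[3]  = { H_IPFW, H_IPNAT, H_IPF };
static const enum hook out_reported[3] = { H_IPFW, H_IPF, H_IPNAT };
/* A consistent alternative: ipfw first on input and last on output, so it
 * sees the public address in both directions. */
static const enum hook out_consistent[3] = { H_IPF, H_IPNAT, H_IPFW };

bool reported_order_accepts_reply(void)   { return reply_accepted(out_reported,   in_reported); }
bool consistent_order_accepts_reply(void) { return reply_accepted(out_consistent, in_reported); }

int main(void)
{
    printf("reported order  : reply %s\n", reported_order_accepts_reply() ? "accepted" : "dropped");
    printf("consistent order: reply %s\n", consistent_order_accepts_reply() ? "accepted" : "dropped");
    return 0;
}
```

The model picks one of the two consistent arrangements (ipfw outside the NAT boundary on both paths); the mirror image, ipfw after ipnat on input and before it on output, would also let keep-state match, but then every ipfw rule must be written in terms of private addresses instead of public ones. Whichever order a kernel or a sysctl ends up with, the rule set has to be written for the addresses ipfw actually sees, which is the practical reason the order matters beyond keep-state.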