Date: Tue, 22 Apr 2003 11:12:56 +0300 (EEST) From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua> To: freebsd-net@freebsd.org Subject: Re: ipfw1 Message-ID: <20030422110553.R30692-100000@atlantis.atlantis.dp.ua> In-Reply-To: <20030421064302.A98117@xorpc.icir.org.lucky.freebsd.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hello!
On Mon, 21 Apr 2003, Luigi Rizzo wrote:
> indeed, it looks like there is/has never been support in RELENG_4's ip_fw.c
> for "not me" -- the section of code below should change like this
> (untested -- check the polarity of the test):
>
> if (f->fw_flg & IP_FW_F_SME) {
> INADDR_TO_IFP(src_ip, tif);
> - if (tif == NULL)
> + if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVSRC) != 0))
> continue;
> }
> if (f->fw_flg & IP_FW_F_DME) {
> INADDR_TO_IFP(dst_ip, tif);
> - if (tif == NULL)
> + if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVDST) != 0))
> continue;
> }
>
Or, maybe, it would be better to just MFC your fix for this problem in 1.186
like in the following (patch against 1.131.2.39, minimal testing has been
done):
--- ip_fw.c.orig Mon Jan 20 04:23:07 2003
+++ ip_fw.c Tue Apr 22 10:16:20 2003
@@ -1250,24 +1250,22 @@
if ((f->fw_flg & IP_FW_F_FRAG) && offset == 0 )
continue;
+ /* If src-addr doesn't match, not this rule. */
if (f->fw_flg & IP_FW_F_SME) {
INADDR_TO_IFP(src_ip, tif);
- if (tif == NULL)
- continue;
- }
- if (f->fw_flg & IP_FW_F_DME) {
- INADDR_TO_IFP(dst_ip, tif);
- if (tif == NULL)
- continue;
- }
- /* If src-addr doesn't match, not this rule. */
- if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr
- & f->fw_smsk.s_addr) != f->fw_src.s_addr))
+ } else
+ (int)tif = f->fw_src.s_addr ==
+ (src_ip.s_addr & f->fw_smsk.s_addr);
+ if ( ((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ (tif == NULL) )
continue;
/* If dest-addr doesn't match, not this rule. */
- if (((f->fw_flg & IP_FW_F_INVDST) != 0) ^ ((dst_ip.s_addr
- & f->fw_dmsk.s_addr) != f->fw_dst.s_addr))
+ if (f->fw_flg & IP_FW_F_DME) {
+ INADDR_TO_IFP(dst_ip, tif);
+ } else
+ (int)tif = f->fw_dst.s_addr ==
+ (dst_ip.s_addr & f->fw_dmsk.s_addr);
+ if (((f->fw_flg & IP_FW_F_INVDST) != 0) ^ (tif == NULL) )
continue;
/* Interface check */
Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030422110553.R30692-100000>