Date: Tue, 22 Apr 2003 11:12:56 +0300 (EEST)
From: Dmitry Pryanishnikov
To: freebsd-net@freebsd.org
Subject: Re: ipfw1

Hello!

On Mon, 21 Apr 2003, Luigi Rizzo wrote:
> indeed, it looks like there is/has never been support in RELENG_4's ip_fw.c
> for "not me" -- the section of code below should change like this
> (untested -- check the polarity of the test):
>
> if (f->fw_flg & IP_FW_F_SME) { > INADDR_TO_IFP(src_ip, tif); > - if (tif == NULL) > + if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVSRC) != 0)) > continue; > } > if (f->fw_flg & IP_FW_F_DME) { > INADDR_TO_IFP(dst_ip, tif); > - if (tif == NULL) > + if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVDST) != 0)) > continue; > } >

Or, maybe, it would be better to just MFC your fix for this problem in 1.186 like in the following (patch against 1.131.2.39, minimal testing has been done):

--- ip_fw.c.orig Mon Jan 20 04:23:07 2003 +++ ip_fw.c Tue Apr 22 10:16:20 2003 
@@ -1250,24 +1250,22 @@ if ((f->fw_flg & IP_FW_F_FRAG) && offset == 0 ) continue; + /* If src-addr doesn't match, not this rule. */ if (f->fw_flg & IP_FW_F_SME) { INADDR_TO_IFP(src_ip, tif); - if (tif == NULL) - continue; - } - if (f->fw_flg & IP_FW_F_DME) { - INADDR_TO_IFP(dst_ip, tif); - if (tif == NULL) - continue; - } - /* If src-addr doesn't match, not this rule. */ - if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr - & f->fw_smsk.s_addr) != f->fw_src.s_addr)) + } else + (int)tif = f->fw_src.s_addr == + (src_ip.s_addr & f->fw_smsk.s_addr); + if ( ((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ (tif == NULL) ) continue; /* If dest-addr doesn't match, not this rule. */ - if (((f->fw_flg & IP_FW_F_INVDST) != 0) ^ ((dst_ip.s_addr - & f->fw_dmsk.s_addr) != f->fw_dst.s_addr)) + if (f->fw_flg & IP_FW_F_DME) { + INADDR_TO_IFP(dst_ip, tif); + } else + (int)tif = f->fw_dst.s_addr == + (dst_ip.s_addr & f->fw_dmsk.s_addr); + if (((f->fw_flg & IP_FW_F_INVDST) != 0) ^ (tif == NULL) ) continue; /* Interface check */ Sincerely, Dmitry -- Atlantis ISP, System Administrator e-mail: dmitry@atlantis.dp.ua nic-hdl: LYNX-RIPE
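Review bot: In the quoted change to the IP_FW_F_SME and IP_FW_F_DME blocks, the inversion flag is consumed in the "me" test, but the address/mask comparison that follows in the same code (visible as the removed lines in the patch against 1.131.2.39) XORs with IP_FW_F_INVSRC / IP_FW_F_INVDST a second time. A "not me" rule therefore has its inversion applied in two consecutive tests and must pass both to match. Either skip the address/mask comparison when the SME/DME flag is set, or fold the two tests into a single inverted check so the flag is evaluated once per address.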
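Review bot: The two else branches in the patch against 1.131.2.39 assign through a cast, "(int)tif = f->fw_src.s_addr == (src_ip.s_addr & f->fw_smsk.s_addr);" and the matching fw_dst line, which stores a comparison result in the interface pointer tif. Assigning to a cast expression is a compiler extension rather than standard C, and it overloads tif as both a pointer and a boolean, so the later "tif == NULL" reads as an interface lookup when it is really a match flag. A separate int (for example a local named match, set to "tif != NULL" in the SME/DME branch and to the masked comparison in the else branch) keeps the single XOR test and removes the cast. Two further points on the same hunk: when IP_FW_F_SME or IP_FW_F_DME is set, the fw_src/fw_smsk and fw_dst/fw_dmsk comparison no longer runs at all, whereas the removed code ran both tests, so a comment saying that this is intended would help; and the unbraced else after a braced if would be clearer with braces.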