Date: Tue, 2 Aug 2005 14:32:11 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: freebsd-ipfw@freebsd.org, vladone <vladone@spaingsm.com>
Subject: Re: Another bug in IPFW@ ...?
Message-ID: <20050802143211.A74003@xorpc.icir.org>
In-Reply-To: <200508021746.j72Hk6Wq006760@lurza.secnetix.de>; from olli@lurza.secnetix.de on Tue, Aug 02, 2005 at 07:46:06PM +0200
References: <1881102745.20050802194826@spaingsm.com> <200508021746.j72Hk6Wq006760@lurza.secnetix.de>
ok, so the problem is the following: when i implemented ipfw2 i thought
that 'recv any' or 'xmit any' were effectively NOPs so the parser
erroneously removes them, together with any 'not' prefix (which is
processed before).

To fix this one should

- patch the function ipfw2.c:fill_iface() so that an argument of 'any'
  puts some special pattern in the ipfw_insn_if (e.g. an * in the first
  char of name[] should suffice as i doubt it is a legal interface name).

	cmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
	/* Parse the interface or address */
	if (!strcmp(arg, "any"))
-		cmd->o.len = 0;		/* effectively ignore this command */
+		cmd->name[0] = '*';	/* any interface */
	else if (!isdigit(*arg)) {

- patch the O_XMIT... case in ipfw2.c:show_ipfw() to print the special
  value above as 'any';

	else /* if (cmd->opcode == O_VIA) */
		s = "via";
	if (cmdif->name[0] == '\0')
		printf(" %s %s", s, inet_ntoa(cmdif->p.ip));
+	else if (cmdif->name[0] == '*')
+		printf(" %s any", s);
	else if (cmdif->p.unit == -1)
		printf(" %s %s*", s, cmdif->name);

- patch sys/netinet/ip_fw2.c:iface_match() so that a '*' in the first
  char of name[] and a non-null ifp returns 1;

	if (ifp == NULL)	/* no iface with this packet, match fails */
		return 0;
	/* Check by name or by IP address */
	if (cmd->name[0] != '\0') {	/* match by name */
+		if (cmd->name[0] == '*')
+			return 1;
		/* Check unit number (-1 is wildcard) */
		if (cmd->p.unit != -1 && cmd->p.unit != ifp->if_unit)
			return(0);

if you want to try, this should be all

	cheers
	luigi

On Tue, Aug 02, 2005 at 07:46:06PM +0200, Oliver Fromme wrote:
> vladone <vladone@spaingsm.com> wrote:
> > Please, explain more clearly, what u want to do?
>
> What exactly was unclear in my description?
>
> > P.S. looks very strange "out not recv any xmit"
>
> It's perfectly valid syntax according to ipfw(8).
>
> "out not recv any xmit dc0" consists of three options
> (i.e. match patterns):
>
> 1. "out" --> match only outgoing packets.
>
> 2. "not recv any" --> match packets that haven't been
> received through any interface (i.e. which originate
> from the local host). It's simply a negation of
> "recv any", see the ipfw(8) manpage.
>
> 3. "xmit dc0" --> match packets which are going to be
> transmitted through the dc0 interface.
>
> However, the problem is that the second option is being
> ignored, and I would like to know why, and how to work
> around the bug.
>
> Best regards
> Oliver
>
> --
> Oliver Fromme, secnetix GmbH & Co KG, Marktplatz 29, 85567 Grafing
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
>
> (On the statement print "42 monkeys" + "1 snake":) By the way,
> both perl and Python get this wrong. Perl gives 43 and Python
> gives "42 monkeys1 snake", when the answer is clearly "41 monkeys
> and 1 fat snake". -- Jim Fulton
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
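Review bot: in the ipfw2.c:fill_iface() hunk, `cmd->name[0] = '*';` sets only the first byte and nothing in the visible lines zeroes the rest of name[] or writes name[1]; unless the instruction is known to arrive cleared, add `cmd->name[1] = '\0';` beside it (or a comment stating the pre-clearing) so any code that still treats name[] as a C string sees a one-character name rather than whatever followed. Since '*' now carries meaning, the `else if (!isdigit(*arg))` name branch should also reject a user-supplied interface name beginning with '*', otherwise a mistyped name would be silently accepted as the 'any' wildcard instead of producing a parse error.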
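Review bot: in the ipfw2.c:show_ipfw() hunk the new `else if (cmdif->name[0] == '*')` branch sits after the `name[0] == '\0'` address case and before the `p.unit == -1` case, which is the right order so the unit-wildcard printer `" %s %s*"` cannot swallow the sentinel; but this is the second place the bare '*' literal is hard-coded, and the third hunk adds a kernel-side one. Suggest a named constant or at least a comment on the name[] field of ipfw_insn_if saying that '*' in name[0] means 'any', since userland printing and kernel matching must stay in agreement. It is also worth confirming that `ipfw list` output for a rule with 'not recv any' re-parses into the same rule, given the original bug was exactly this option being dropped.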
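Review bot: in the sys/netinet/ip_fw2.c:iface_match() hunk, `if (cmd->name[0] == '*') return 1;` is correctly placed after `if (ifp == NULL) return 0;`, which is what makes 'not recv any' match locally originated packets (no receive interface) as Oliver's quoted reading of ipfw(8) expects; add a comment that this ordering is deliberate so the wildcard check is not later hoisted above the NULL test. The new match semantics (name[0] == '*' matches any interface, alongside the existing unit == -1 wildcard on the following line) should be documented in ipfw(8) as well.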
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050802143211.A74003>