From owner-freebsd-bugs@FreeBSD.ORG Fri Jun 11 20:50:02 2010
Resent-Date: Fri, 11 Jun 2010 20:50:01 GMT
Resent-Message-Id: <201006112050.o5BKo1L4021768@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Dmitry Pryanishnikov
Message-Id: <201006112040.o5BKeKqI066727@www.freebsd.org>
Date: Fri, 11 Jun 2010 20:40:20 GMT
From: Dmitry Pryanishnikov
To: freebsd-gnats-submit@FreeBSD.org
Cc:
Subject: kern/147798: ipfw skipto skips over the complex rule

>Number:         147798
>Category:       kern
>Synopsis:       ipfw skipto skips over the complex rule
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 11 20:50:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Pryanishnikov
>Release:        RELENG_8
>Organization:   Home
>Environment:
FreeBSD lynx.homenet 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #0: Fri Jun 11 21:59:46 EEST 2010     dmitry@lynx.homenet:/databig/obj/databig/ftp/RELENG_8/src/sys/lynx  i386
>Description:
In the following pared-down ipfw ruleset (yes, it's complete):

25150 208 22046 skipto 25199 ip from any to any
30410 0 0 nat 1 ip from not 192.168.1.0/24 to not table(1) out via em0
30610 0 0 nat 1 ip from not table(1) to 192.168.1.2 in
65000 372 38232 allow ip from any to any
65535 1178 53032 deny ip from any to any

packets from 192.168.251.1 fail to match against the rule number 30410 (despite being directed to an IP absent in table(1) via em0).

IP addresses 192.168.1.2 and 192.168.251.1 are local; nat 1 is configured as "nat 1 config ip 192.168.1.2"; table 1 contains non-globally routable networks:

0.0.0.0/8 0
10.0.0.0/8 0
169.254.0.0/16 0
172.16.0.0/12 0
192.0.2.0/24 0
192.168.0.0/16 0
224.0.0.0/4 0
240.0.0.0/4 0

However, adding a dummy 'count' rule between 'skipto' and 'nat' works around the problem:

25150 303 31614 skipto 25199 ip from any to any
26000 16 1268 count ip from any to any
30410 7 588 nat 1 ip from not 192.168.1.0/24 to not table(1) out via em0
30610 7 588 nat 1 ip from not table(1) to 192.168.1.2 in
65000 467 47800 allow ip from any to any
65535 1178 53032 deny ip from any to any

Note that simplified forms of the rule 30410 (e.g. nat 1 ip from 192.168.251.1 to not table(1) out via em0) aren't skipped over - only the form shown in the first ruleset is.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
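The report's evidence is entirely in the per-rule counters: the skipto forwarded packets, the two nat rules at its landing point stayed at zero, and a later rule counted traffic. A NAT rule that is silently skipped means packets leave the host untranslated, so a counter-based sanity check is worth automating. The following script is an added example (written for this page, not part of the report or of ipfw): it parses the "rulenum pkts bytes body" lines printed by 'ipfw -a list', follows each skipto to the first rule numbered at or after its target, flags zero-counter rules sitting right at that landing point when a later rule did see traffic, and builds the 'count' workaround line the report describes. The two listings embedded below are the report's own rulesets, included so the check runs offline; the rule number picked for the count rule (the skipto target itself) is this example's choice, since any number between the target and the first existing landing rule works.

```python
"""
Counter-based check for ipfw 'skipto' landing points (added example; parses
the text that 'ipfw -a list' prints and needs no running firewall).
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    num: int     # rule number
    pkts: int    # packet counter
    bytes: int   # byte counter
    body: str    # action plus match part, e.g. "skipto 25199 ip from any to any"


# Constructed sample input: the first ruleset quoted in the report.
LISTING_BUGGY = """\
25150 208 22046 skipto 25199 ip from any to any
30410 0 0 nat 1 ip from not 192.168.1.0/24 to not table(1) out via em0
30610 0 0 nat 1 ip from not table(1) to 192.168.1.2 in
65000 372 38232 allow ip from any to any
65535 1178 53032 deny ip from any to any
"""

# Constructed sample input: the report's second ruleset with the dummy count rule.
LISTING_WORKAROUND = """\
25150 303 31614 skipto 25199 ip from any to any
26000 16 1268 count ip from any to any
30410 7 588 nat 1 ip from not 192.168.1.0/24 to not table(1) out via em0
30610 7 588 nat 1 ip from not table(1) to 192.168.1.2 in
65000 467 47800 allow ip from any to any
65535 1178 53032 deny ip from any to any
"""

_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")


def parse_listing(text: str) -> list[Rule]:
    """Parse 'ipfw -a list' output into Rule objects sorted by rule number."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unparsable ipfw line: {line!r}")
        rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return sorted(rules, key=lambda r: r.num)


def skipto_target(rule: Rule):
    """Return N for a 'skipto N' rule, or None for any other action."""
    m = re.match(r"skipto\s+(\d+)\b", rule.body)
    return int(m[1]) if m else None


def landing_rules(rules, target):
    """Rules a skipto can reach: the first rule numbered >= target and everything after it."""
    return [r for r in rules if r.num >= target]


def suspicious_skipped_rules(rules):
    """
    For each skipto that forwarded packets, walk from its landing point.
    Zero-counter rules at the landing point that are followed by a rule
    which did count packets are reported; this is a heuristic, since a rule
    can legitimately sit at zero when no matching traffic occurred.
    Returns [(skipto_rule_num, [zero-hit rule numbers]), ...].
    """
    findings = []
    for r in rules:
        target = skipto_target(r)
        if target is None or r.pkts == 0:
            continue
        zero = []
        for x in landing_rules(rules, target):
            if x.pkts == 0:
                zero.append(x.num)
            else:
                if zero:
                    findings.append((r.num, zero))
                break
    return findings


def workaround_command(rules, skipto_num):
    """
    Build the 'ipfw add' line for the report's workaround: a 'count' rule at
    the lowest free number at or after the skipto target, so the skipto lands
    on it and evaluation continues sequentially into the nat rules.
    """
    skip = next(r for r in rules if r.num == skipto_num)
    target = skipto_target(skip)
    if target is None:
        raise ValueError(f"rule {skipto_num} is not a skipto")
    taken = {r.num for r in rules}
    first_existing = landing_rules(rules, target)[0].num
    n = target
    while n in taken and n < first_existing:
        n += 1
    if n >= first_existing:
        raise ValueError("no free rule number between the skipto target and the landing rule")
    return f"ipfw add {n} count ip from any to any"


if __name__ == "__main__":
    for name, text in (("buggy", LISTING_BUGGY), ("workaround", LISTING_WORKAROUND)):
        print(name, suspicious_skipped_rules(parse_listing(text)))
    print(workaround_command(parse_listing(LISTING_BUGGY), 25150))
```

On a live system the listing would come from `ipfw -a list` captured twice with traffic in between; a finding for the first ruleset names rules 30410 and 30610, while the second ruleset produces none, which is exactly the difference the report observed.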