From owner-freebsd-bugs Sat Oct 4 01:10:04 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id BAA05528 for bugs-outgoing; Sat, 4 Oct 1997 01:10:04 -0700 (PDT)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id BAA05510; Sat, 4 Oct 1997 01:10:02 -0700 (PDT)
Resent-Date: Sat, 4 Oct 1997 01:10:02 -0700 (PDT)
Resent-Message-Id: <199710040810.BAA05510@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, muir@ping.idiom.com
Received: from ping.idiom.com (idiom-frVT1-gw.sf.tlg.net [140.174.37.22] (may be forged)) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id BAA05026 for ; Sat, 4 Oct 1997 01:00:30 -0700 (PDT)
Received: (from muir@localhost) by ping.idiom.com (8.8.5/8.8.5) id BAA12414; Sat, 4 Oct 1997 01:00:25 -0700 (PDT)
Message-Id: <199710040800.BAA12414@ping.idiom.com>
Date: Sat, 4 Oct 1997 01:00:25 -0700 (PDT)
From: David Sharnoff
Reply-To: muir@ping.idiom.com
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: kern/4687: ipfw accept ignored.
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         4687
>Category:       kern
>Synopsis:       ipfw accept ignored
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 4 01:10:01 PDT 1997
>Last-Modified:
>Originator:     David Sharnoff
>Organization:   Idiom Consulting
>Release:        FreeBSD 2.2.2-RELEASE i386
>Environment:
A router with lots of rules. I'll send 'em to anyone who is interested.
The router is running FreeBSD 2.2.2-RELEASE.
>Description:
I have a rule that passes a packet. I can tell that it passes the packet because the counter goes up by one whenever a packet goes by. I have another rule that rejects packets. Both rules are firing on the same packet.
% ipfw -a list | grep 111
13000    24   2016 allow udp from 209.66.121.0/27 to 140.174.82.0/26 111 in via ethb17
13000     0      0 allow udp from 140.174.82.32/27 to 140.174.82.32/27 111 in via ep0
13000     0      0 allow tcp from 140.174.82.0/27 to 140.174.82.0/26 111 in via fxp0
13000     0      0 allow udp from 140.174.82.0/27 to 140.174.82.0/27 111 in via fxp0
13000    24   2016 deny log udp from any to 140.174.82.0/26 111
13500     0      0 allow tcp from 140.174.82.32/27 to 140.174.82.0/26 111 in via ep0
13500     0      0 deny log tcp from any to 140.174.82.0/26 111

I've renumbered the rules in many ways. It behaves the same if both rules (the ones with the "24 2016" count) have the same number or different numbers.
>How-To-Repeat:
Duplicate the above rules. Send packets.
>Fix:
>Audit-Trail:
>Unformatted:
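The behaviour the submitter expects is ipfw's first-match semantics: a packet is counted against the first rule (in number order, and in insertion order among rules sharing a number) that matches it, and evaluation stops there, so an allow and a deny should never both count the same packet. The following is an added illustration, not part of the PR and not the FreeBSD 2.2.2 ip_fw kernel code: a small Python model of that evaluation run over the rule set transcribed from the listing above. The Rule and Packet classes, the simplified rule grammar the parser accepts, and the two sample packets (one source inside 209.66.121.0/27, one outside it) are all constructed for the example.

```python
"""Model of ipfw first-match evaluation over the rules from PR kern/4687.

Added illustration only; this is not the FreeBSD 2.2.2 ip_fw code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule text transcribed from the PR's `ipfw -a list | grep 111` output with the
# counters dropped.  List order is evaluation order (rules that share a number
# are kept in the order they were added).
RULES_TEXT = """\
13000 allow udp from 209.66.121.0/27 to 140.174.82.0/26 111 in via ethb17
13000 allow udp from 140.174.82.32/27 to 140.174.82.32/27 111 in via ep0
13000 allow tcp from 140.174.82.0/27 to 140.174.82.0/26 111 in via fxp0
13000 allow udp from 140.174.82.0/27 to 140.174.82.0/27 111 in via fxp0
13000 deny log udp from any to 140.174.82.0/26 111
13500 allow tcp from 140.174.82.32/27 to 140.174.82.0/26 111 in via ep0
13500 deny log tcp from any to 140.174.82.0/26 111
"""


@dataclass
class Rule:                      # constructed for this example
    number: int
    action: str                  # "allow" or "deny"
    log: bool
    proto: str                   # "udp" or "tcp"
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]         # None means any destination port
    direction: Optional[str]     # "in", "out" or None (either)
    via: Optional[str]           # interface name or None (any)


@dataclass
class Packet:                    # constructed for this example
    proto: str
    src: str
    dst: str
    dport: int
    direction: str
    iface: str


def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    if tok == "any":
        return None
    # strict=False: the listing has "140.174.82.32/27", i.e. host bits set.
    return ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipfw syntax that appears in the listing above."""
    toks = line.split()
    number, action = int(toks[0]), toks[1]
    i = 2
    log = toks[i] == "log"
    if log:
        i += 1
    proto = toks[i]
    i += 1
    if toks[i] != "from" or toks[i + 2] != "to":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    src, dst = _net(toks[i + 1]), _net(toks[i + 3])
    i += 4
    dport = direction = via = None
    while i < len(toks):
        tok = toks[i]
        if tok.isdigit():
            dport, i = int(tok), i + 1
        elif tok in ("in", "out"):
            direction, i = tok, i + 1
        elif tok == "via":
            via, i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return Rule(number, action, log, proto, src, dst, dport, direction, via)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field given in the rule must match; omitted fields match anything."""
    return (
        rule.proto == pkt.proto
        and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
        and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.direction is None or rule.direction == pkt.direction)
        and (rule.via is None or rule.via == pkt.iface)
    )


def evaluate(rules: List[Rule], pkt: Packet, counters: List[int]) -> Tuple[str, Optional[int]]:
    """First match wins: bump that rule's counter and stop.  Returns (action, index),
    or ("deny", None) when no rule matched (default deny assumed)."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            counters[idx] += 1
            return rule.action, idx
    return "deny", None


def run_demo() -> dict:
    rules = [parse_rule(line) for line in RULES_TEXT.splitlines()]
    counters = [0] * len(rules)
    # Constructed packets: one from inside the PR's allowed source block, one from outside.
    permitted = Packet("udp", "209.66.121.5", "140.174.82.10", 111, "in", "ethb17")
    stranger = Packet("udp", "10.0.0.1", "140.174.82.10", 111, "in", "ethb17")
    result_permitted = evaluate(rules, permitted, counters)
    result_stranger = evaluate(rules, stranger, counters)
    return {"permitted": result_permitted, "stranger": result_stranger, "counters": counters}


if __name__ == "__main__":
    print(run_demo())
```

Under this model the permitted packet is counted only on the first allow at 13000 and the stranger only on the deny at 13000, giving counters of [1, 0, 0, 0, 1, 0, 0]; the PR's listing, where both rules show the same 24 packets / 2016 bytes, is what a first-match evaluator should not produce.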