From owner-freebsd-stable Tue Oct 6 02:25:39 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA09994 for freebsd-stable-outgoing; Tue, 6 Oct 1998 02:25:39 -0700 (PDT) (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from labinfo.iet.unipi.it (labinfo.iet.unipi.it [131.114.9.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id CAA09870 for ; Tue, 6 Oct 1998 02:24:20 -0700 (PDT) (envelope-from luigi@labinfo.iet.unipi.it)
Received: from localhost (luigi@localhost) by labinfo.iet.unipi.it (8.6.5/8.6.5) id IAA05814; Tue, 6 Oct 1998 08:21:47 +0100
From: Luigi Rizzo
Message-Id: <199810060721.IAA05814@labinfo.iet.unipi.it>
Subject: Re: ipfw SkipTo behavior changed
To: jonny@jonny.eng.br (Joao Carlos Mendes Luis)
Date: Tue, 6 Oct 1998 08:21:46 +0100 (MET)
Cc: Jeff@Wagsky.com, freebsd-stable@FreeBSD.ORG
In-Reply-To: <199810051945.QAA26791@roma.coe.ufrj.br> from "Joao Carlos Mendes Luis" at Oct 5, 98 04:44:59 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> #define quoting(Jeff Kletsky)
> // In trying to resolve puzzling behavior on a "new" FreeBSD box
> // (2.2.7-STABLE, cvsup as of 980929), it appears that the behavior of the
> // SkipTo rules in ipfw/kernel have changed. Previously a rule such as
> //
> // 2200 skipto 3000 all from 127.0.0.1 to 127.0.0.1 recv lo0 in
> //
> // would "skipto" the next-higher numbered rule in the list if 3000 did not
> // exist. This build seems to require that a rule 3000 explicitly exist. If
> // it does not exist, it proceeds as if rule 2200 is not matched.
> //
> // Is this an "intentional" change in the firewall code? If not, has a later
> // release changed back to the older behavior?
>
> IIRC Luigi has changed this behaviour together with the DUMMYNET
> integration. It was intentional, for code optimization.

Actually the change was not intentional, i just used == instead of ==
in find_next_rule() or so within ip_fw.c

The fix is really one char. The reason i did not fix (yet) the code
myself is that i think it is not that safe to rely on this feature in
a security module such as ipfw. But if people want me to revert the
code to the default behaviour i have no problems with that.

	cheers
	luigi
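
Added example, not part of the original message and not the FreeBSD ip_fw.c code: a simplified C model of the two skipto lookups discussed in this thread (next-higher numbered rule versus exact match), run on a constructed ruleset that has no rule 3000. The structures, the function names, and rules 2300 and 3100 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of an ipfw rule list; not the code from ip_fw.c. */
enum action { ALLOW, DENY, SKIPTO };
struct rule { int num; enum action act; int target; int matches; };

/* Constructed ruleset for one loopback packet: there is no rule 3000. */
static const struct rule sample[] = {
    { 2200,  SKIPTO, 3000, 1 },  /* skipto 3000 ... recv lo0 in */
    { 2300,  DENY,   0,    1 },  /* hypothetical deny between 2200 and 3000 */
    { 3100,  ALLOW,  0,    1 },  /* next-higher rule after the missing 3000 */
    { 65535, DENY,   0,    1 },  /* default rule */
};
#define NRULES (sizeof(sample) / sizeof(sample[0]))

/* Index of the skipto target after rule `from`, or -1 if none qualifies.
 * exact != 0: rule `target` must exist; exact == 0: first rule >= target. */
static int find_target(const struct rule *r, size_t n, size_t from,
                       int target, int exact)
{
    for (size_t i = from + 1; i < n; i++)
        if (exact ? r[i].num == target : r[i].num >= target)
            return (int)i;
    return -1;
}

/* Number of the rule that decides the packet, or -1 if none does. */
static int deciding_rule(const struct rule *r, size_t n, int exact)
{
    size_t i = 0;
    while (i < n) {
        if (r[i].matches && r[i].act != SKIPTO)
            return r[i].num;
        int t = r[i].matches ? find_target(r, n, i, r[i].target, exact) : -1;
        /* No target found: continue as if the skipto rule had not matched. */
        i = (t < 0) ? i + 1 : (size_t)t;
    }
    return -1;
}

int main(void)
{
    printf("next-higher lookup: rule %d decides\n", deciding_rule(sample, NRULES, 0));
    printf("exact lookup:       rule %d decides\n", deciding_rule(sample, NRULES, 1));
    return 0;
}
```

With the same ruleset the packet is decided by a different rule under each lookup, so a ruleset written for one behaviour should be audited for skipto targets that do not exist before it is loaded on a kernel with the other.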