From owner-freebsd-ipfw@FreeBSD.ORG Mon Apr 5 06:50:01 2004
From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To: freebsd-ipfw@freebsd.org
Date: Mon, 5 Apr 2004 15:49:51 +0200
Subject: Is this a bug? ifname[wildcard] matches other interfaces?

Hi

I was led to believe that using ifname* (read: interface name + wildcard) would work.
Apparently the fxp* matches all, even the ones originating or destined to tunX.
A bug or did I misunderstand the man page?

In ip_fw2.c ~@388 I read the following, which I -believe- skips name comparison when
matching interface, am I understanding the code correctly?

...
	if (cmd->name[0] != '\0') { /* match by name */
		/* Check unit number (-1 is wildcard) */
		if (cmd->p.unit != -1 && cmd->p.unit != ifp->if_unit)
			return(0);
		/* Check name */
		if (!strncmp(ifp->if_name, cmd->name, IFNAMSIZ))
			return(1);
	} else {
...

FreeBSD 4.9-RELEASE-p3 with IPFW2 as module, dummynet module loaded.

00200   796  233528 allow via lo0 // &! permit all via loopback interface
00201   159   13155 allow dst-port 53,22,80
00202     0       0 deny dst-port 135,137,138,139,445
00203  3897  293591 skipto 207 out // &! skip ahead for outgoing packets
00204  5565  405417 skipto 400 recv fxp* // &! received on main fxp*
00205     0       0 skipto 800 recv tun* // &! received on main tun*
00206     0       0 skipto 209 in // &! skip ahead for unhandled
00207  3897  293591 skipto 600 xmit fxp* // &! xmitted on main fxp*
00208     0       0 skipto 1000 xmit tun* // &! xmitted on main tun*
00209     0       0 allow // &! default for main main
00400  1733   89195 pipe 1000 { dst-port 1214,6699,5190,4661-4665,6345-6350 or src-port 1214,6699,5190,4661-4665,6345-6350 }
00401  3832  316222 allow // &! default for interfacegroup in_fxp
00600  1232  121000 deny not src-ip 80.x.x.0/24,80.x.x.0/29 out xmit fxp0
00601     0       0 pipe 1001 { dst-port 1214,6699,5190,4661-4665,6345-6350 or src-port 1214,6699,5190,4661-4665,6345-6350 }
00602     0       0 fwd 80.x.x.21 src-ip 80.x.x.22 out xmit fxp0
00603  2665  172591 allow // &! default for interfacegroup out_fxp
00800     0       0 pipe 2 recv tun0 // &! received on tun0
00801     0       0 pipe 3 recv tun1 // &! received on tun1
...
01000     0       0 pipe 103 xmit tun0 // &! transmitted on tun0
01001     0       0 pipe 104 xmit tun1 // &! transmitted on tun1
...

_// Sten Daniel Sørsdal
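As an added example (not part of the original message and not the FreeBSD source), the quoted unit-and-name check is reimplemented below in stand-alone user-space C, together with a small parser for the `ifname*` and `ifnameN` spellings used in the ruleset, so the two comparisons can be exercised against constructed interfaces such as fxp0, fxp3 and tun0. The `iface` and `iface_cmd` structs are stand-ins for the kernel's `struct ifnet` fields and the ipfw instruction fields, `IFNAMSIZ` is set to 16 as an assumption, and the match-by-address branch (`else`) of the original is omitted.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16   /* assumed value; same constant name as the kernel header */

/* Stand-in for the two struct ifnet fields the quoted check reads. */
struct iface {
    char if_name[IFNAMSIZ];  /* driver name without unit, e.g. "fxp" */
    int  if_unit;            /* unit number, e.g. 0 for fxp0 */
};

/* Stand-in for the interface part of an ipfw instruction:
 * the name without unit, and the unit (-1 meaning "any unit", as for fxp*). */
struct iface_cmd {
    char name[IFNAMSIZ];
    int  unit;
};

/* Same order of checks as the quoted ip_fw2.c fragment: a unit mismatch
 * (unless the unit is the -1 wildcard) rejects, then the driver name must
 * compare equal. Returns 1 on match, 0 otherwise. */
int iface_match(const struct iface_cmd *cmd, const struct iface *ifp)
{
    if (cmd->name[0] != '\0') {          /* match by name */
        if (cmd->unit != -1 && cmd->unit != ifp->if_unit)
            return 0;                    /* wrong unit number */
        if (strncmp(ifp->if_name, cmd->name, IFNAMSIZ) == 0)
            return 1;                    /* same driver name */
        return 0;                        /* different driver name */
    }
    return 0;                            /* match-by-address branch omitted here */
}

/* Parse the textual spelling used in rules ("fxp*", "tun1") into a command:
 * letters form the name, a trailing '*' selects the wildcard unit, otherwise
 * the trailing digits are the unit. Returns 0 on success, -1 on a bad spec. */
int parse_iface_spec(const char *spec, struct iface_cmd *cmd)
{
    size_t len = strlen(spec), n = 0;
    memset(cmd, 0, sizeof(*cmd));
    while (n < len && (spec[n] < '0' || spec[n] > '9') && spec[n] != '*')
        n++;
    if (n == 0 || n >= IFNAMSIZ)
        return -1;                       /* no name, or name too long */
    memcpy(cmd->name, spec, n);
    if (spec[n] == '*' && spec[n + 1] == '\0') {
        cmd->unit = -1;                  /* wildcard unit */
        return 0;
    }
    if (spec[n] == '\0')
        return -1;                       /* neither a unit nor a wildcard */
    cmd->unit = 0;
    for (; spec[n] != '\0'; n++) {
        if (spec[n] < '0' || spec[n] > '9')
            return -1;                   /* junk after the unit digits */
        cmd->unit = cmd->unit * 10 + (spec[n] - '0');
    }
    return 0;
}

/* Convenience: does rule spec `spec` match the interface `name`/`unit`?
 * Returns 1/0 as iface_match does, or -1 if the spec cannot be parsed. */
int spec_matches(const char *spec, const char *name, int unit)
{
    struct iface_cmd cmd;
    struct iface ifp;
    if (parse_iface_spec(spec, &cmd) != 0)
        return -1;
    memset(&ifp, 0, sizeof ifp);
    strncpy(ifp.if_name, name, IFNAMSIZ - 1);
    ifp.if_unit = unit;
    return iface_match(&cmd, &ifp);
}

int main(void)
{
    /* constructed interfaces, named after those in the ruleset above */
    printf("fxp* vs fxp0: %d\n", spec_matches("fxp*", "fxp", 0));
    printf("fxp* vs tun0: %d\n", spec_matches("fxp*", "tun", 0));
    printf("tun1 vs tun0: %d\n", spec_matches("tun1", "tun", 0));
    return 0;
}
```

Under this logic a `*` spec only relaxes the unit check; the driver-name comparison still runs, so the wildcard and unit cases can be checked independently by feeding the function different constructed `if_name`/`if_unit` pairs.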