Date:      27 Dec 2002 22:53:18 -0000
From:      Manuel Kasper <mk@neon1.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        mk@neon1.net
Subject:   kern/46564: IPFilter and IPFW processing order is not sensible
Message-ID:  <20021227225318.893.qmail@z.infxa.com>


>Number:         46564
>Category:       kern
>Synopsis:       IPFilter and IPFW processing order is not sensible
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec 27 15:00:19 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Manuel Kasper <mk@neon1.net>
>Release:        FreeBSD 4.x
>Organization:
>Environment:
Any reasonably recent release of FreeBSD with both ipfilter and ipfw
compiled into the kernel (or loaded as modules at the same time).
>Description:
When both ipfilter and ipfw are loaded, incoming/outgoing packets are
checked in the following order:

incoming:
-> ipfw -> ipnat -> ipfilter ->

outgoing:
-> ipfw -> ipfilter -> ipnat ->

This does not make sense - if ipfw is checked first for incoming packets,
then it should be checked last for outgoing packets, or vice versa. This
applies especially when using ipnat:
incoming packets will be seen in ipfw with an un-NAT-ed public destination
IP address, while outgoing packets will have an internal IP address as their
source. Together with ipnat, this also breaks ipfw's keep-state feature, as
it won't see the same source/destination tuple for incoming and outgoing
packets belonging to the same connection.

>How-To-Repeat:
Use both ipfilter and ipfw at the same time and observe the order in which
they get checked for incoming and outgoing packets (try using ipnat, too).
>Fix:
My suggestion is to reverse the processing order in sys/netinet/ip_output.c
so ipfw gets checked before ipfilter. That would at least provide consistent
behaviour.
An even better solution would be to make the processing order configurable,
preferably with a sysctl.
>Release-Note:
>Audit-Trail:
>Unformatted:
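The following is an added illustration, not part of the PR or of FreeBSD's code: a toy model of the hook ordering the report describes. ipfw is reduced to a single stateful rule (assumed here as "allow ip from any to any out keep-state" with a default deny inbound), ipnat to a 1:1 source NAT that preserves the port, and ipfilter to a pass-through, since its own rules are not the point. All addresses are constructed. The simulation runs one connection from an internal host through the order the PR reports, and then through both consistent orders the PR alludes to (ipfw outermost, as in its suggested ip_output.c change, and ipfw innermost), to show exactly why keep-state breaks in the first case and works in the other two.

```python
"""Toy simulation of ipfw / ipnat / ipfilter hook order and its effect on
ipfw keep-state when NAT sits between the two directions.  Added example;
hook behaviour and addresses are simplified, constructed assumptions."""
from dataclasses import dataclass, replace

INTERNAL_PREFIX = "192.168.1."   # constructed internal network
PUBLIC_IP = "203.0.113.5"        # constructed NAT public address
INTERNAL_HOST = "192.168.1.10"   # constructed client behind NAT
REMOTE_HOST = "198.51.100.7"     # constructed server on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Ipnat:
    """Toy source NAT: internal src -> PUBLIC_IP on egress, PUBLIC_IP dst ->
    internal host on ingress.  Ports are kept unchanged (assumption)."""

    def __init__(self):
        self.mappings = {}  # public source port -> internal host

    def hook(self, pkt, direction):
        if direction == "out" and pkt.src.startswith(INTERNAL_PREFIX):
            self.mappings[pkt.sport] = pkt.src
            return replace(pkt, src=PUBLIC_IP)
        if direction == "in" and pkt.dst == PUBLIC_IP and pkt.dport in self.mappings:
            return replace(pkt, dst=self.mappings[pkt.dport])
        return pkt


class Ipfw:
    """Toy ipfw: 'allow ip from any to any out keep-state' plus default deny
    inbound.  Dynamic state is keyed on whatever 4-tuple ipfw happens to see."""

    def __init__(self):
        self.dynamic = set()

    def hook(self, pkt, direction):
        if direction == "out":
            self.dynamic.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return pkt
        # Inbound: accept only replies to a recorded outbound flow.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.dynamic:
            return pkt
        return None  # dropped by the default deny


def ipfilter_hook(pkt, direction):
    """ipfilter modelled as pass-through; its ruleset is not what breaks here."""
    return pkt


def pass_through(pkt, hooks, direction):
    """Run a packet through an ordered list of hooks; None means dropped."""
    for hook in hooks:
        pkt = hook(pkt, direction)
        if pkt is None:
            return None
    return pkt


def simulate(out_order, in_order):
    """Send one packet from INTERNAL_HOST, then feed back the remote's reply.
    Returns True if ipfw's keep-state lets the reply through."""
    ipfw, ipnat = Ipfw(), Ipnat()
    by_name = {"ipfw": ipfw.hook, "ipnat": ipnat.hook, "ipfilter": ipfilter_hook}
    out_hooks = [by_name[n] for n in out_order]
    in_hooks = [by_name[n] for n in in_order]

    syn = Packet(INTERNAL_HOST, REMOTE_HOST, 40000, 80)
    on_wire = pass_through(syn, out_hooks, "out")
    assert on_wire is not None and on_wire.src == PUBLIC_IP  # NAT always applied

    reply = Packet(on_wire.dst, on_wire.src, on_wire.dport, on_wire.sport)
    return pass_through(reply, in_hooks, "in") is not None


# Order as reported in the PR: ipfw first in both directions.
CURRENT_ORDER = (("ipfw", "ipfilter", "ipnat"), ("ipfw", "ipnat", "ipfilter"))
# ipfw outermost (the PR's ip_output.c suggestion): ipfw sees public addresses both ways.
IPFW_OUTERMOST = (("ipfilter", "ipnat", "ipfw"), ("ipfw", "ipnat", "ipfilter"))
# ipfw innermost (the "vice versa" case): ipfw sees internal addresses both ways.
IPFW_INNERMOST = (("ipfw", "ipfilter", "ipnat"), ("ipfilter", "ipnat", "ipfw"))

if __name__ == "__main__":
    for name, order in [("current", CURRENT_ORDER),
                        ("ipfw outermost", IPFW_OUTERMOST),
                        ("ipfw innermost", IPFW_INNERMOST)]:
        print(f"{name:15s}: reply {'accepted' if simulate(*order) else 'DROPPED'}")
```

In the reported order ipfw records the outbound flow with the internal source address, but the reply reaches ipfw before ipnat has rewritten the public destination back, so the reversed tuple never matches and the default deny drops it. Either consistent order gives ipfw the same view of the flow in both directions, which is all keep-state needs.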
