Date: Thu, 23 Mar 2006 14:03:20 +0200 (EET)
From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To: FreeBSD-ipfw@freebsd.org
Subject: IPFW1->2 regression: "in/out/via any" ignored
Message-ID: <20060323133729.D63213@atlantis.atlantis.dp.ua>
Hello!

I've found a serious regression during the IPFW1->2 transition. I'm using the "recv any" construction to match transit packets only. Manpage ipfw(8) clearly says:

     recv | xmit | via {ifX | if* | ipno | any}
             Matches packets received, transmitted or going through, respectively,
             the interface specified by exact name (ifX), by device
             name (if*), by IP address, or through some interface.
                                           ^^^^^^^^^^^^^^^^^^^^^^

             A packet may not have a receive or transmit interface: packets
             originating from the local host have no receive interface, while
             packets destined for the local host have no transmit interface.

So the following rule must not match locally-originated packets, thus matching only transit ones:

00001 0 0 count ip from any to any out recv any

However, after the transition to IPFW2 (RELENG_4, also have tried RELENG_6, CURRENT - results are the same) the part "recv any" just gets ignored, and the rule starts to match all outgoing packets, not just transit ones:

root@test3# ipfw add 1 count ip from any to any out recv any
00001 count ip from any to any out
root@test3# ipfw show
00001 7 1932 count ip from any to any out

I've searched the "ipfw any" context in our PR database and didn't find anything. Is it a known issue? Does somebody work on it?

Sincerely, Dmitry

-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060323133729.D63213>
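The following is an added Python model of the interface predicates described in the ipfw(8) text quoted in the message; it is illustrative code written for this page, not ipfw's own matcher, and the packets, interface names (fxp0, fxp1) and addresses are constructed. It shows why "out recv any" is a transit-only test under the documented semantics (a packet with no receive interface cannot match any receive-interface spec, "any" included) and what the counters look like when the "any" predicate is instead dropped from the rule, as the message reports. The treatment of "via" as matching either interface, and of the transmit interface as unknown on the input pass, are the model's own assumptions.

```python
# Model of the ipfw(8) 'recv', 'xmit' and 'via' interface predicates.
# Illustrative code written for this page, not ipfw source; all packets below
# are constructed samples.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """A packet as seen at one ipfw evaluation point."""
    src: str
    dst: str
    outgoing: bool                # True on the output pass, False on the input pass
    rx_if: Optional[str] = None   # None for packets originating on the local host
    tx_if: Optional[str] = None   # None for packets destined to the local host
                                  # (assumption: also None on the input pass, before routing)


def iface_matches(spec: str, iface: Optional[str]) -> bool:
    """spec is 'any', an exact name ('fxp0') or a device-name wildcard ('fxp*').

    A packet that lacks the interface in question never matches, whatever the
    spec.  That is what makes 'recv any' a test for "this packet has a receive
    interface", i.e. it was not generated locally.
    """
    if iface is None:
        return False
    if spec == "any":
        return True
    return fnmatchcase(iface, spec)


def rule_matches(pkt: Packet, direction: Optional[str] = None,
                 recv: Optional[str] = None, xmit: Optional[str] = None,
                 via: Optional[str] = None, honor_any: bool = True) -> bool:
    """Evaluate 'in'/'out' plus 'recv'/'xmit'/'via' specs against a packet.

    honor_any=False reproduces the behaviour reported in the message: an 'any'
    interface spec is dropped from the rule instead of being tested.
    """
    if direction == "out" and not pkt.outgoing:
        return False
    if direction == "in" and pkt.outgoing:
        return False
    checks = (
        (recv, (pkt.rx_if,)),
        (xmit, (pkt.tx_if,)),
        (via, (pkt.rx_if, pkt.tx_if)),   # "going through": either side (model assumption)
    )
    for spec, ifaces in checks:
        if spec is None:
            continue
        if spec == "any" and not honor_any:
            continue                     # regression: the predicate is silently ignored
        if not any(iface_matches(spec, i) for i in ifaces):
            return False
    return True


# Constructed sample traffic: one packet of each kind the manpage text distinguishes.
SAMPLE = [
    Packet("10.0.0.1", "192.0.2.7", outgoing=True, rx_if=None, tx_if="fxp0"),    # local origin
    Packet("10.0.0.1", "10.0.1.9", outgoing=True, rx_if=None, tx_if="fxp1"),     # local origin
    Packet("192.0.2.7", "10.0.1.9", outgoing=True, rx_if="fxp0", tx_if="fxp1"),  # transit, output pass
    Packet("10.0.1.9", "192.0.2.7", outgoing=True, rx_if="fxp1", tx_if="fxp0"),  # transit, output pass
    Packet("192.0.2.7", "10.0.1.9", outgoing=False, rx_if="fxp0", tx_if=None),   # transit, input pass
    Packet("192.0.2.7", "10.0.0.1", outgoing=False, rx_if="fxp0", tx_if=None),   # destined to local host
]


def count_rule(packets, **rule) -> int:
    """Like the 'count' action: number of packets the rule would match."""
    return sum(rule_matches(p, **rule) for p in packets)


def out_recv_any_counts(packets=SAMPLE):
    """Counters for 'count ip from any to any out recv any', with and without the regression."""
    intended = count_rule(packets, direction="out", recv="any", honor_any=True)
    regressed = count_rule(packets, direction="out", recv="any", honor_any=False)
    return intended, regressed


if __name__ == "__main__":
    intended, regressed = out_recv_any_counts()
    print(f"out recv any: transit-only count = {intended}, with 'any' ignored = {regressed}")
```

With the sample traffic, the intended rule counts only the two forwarded packets on the output pass, while the regressed rule counts every outgoing packet, including the two the host generated itself, which is the difference between a transit-traffic counter and a counter of all egress.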