From: Dmitry Pryanishnikov <dmitry@atlantis.dp.ua>
To: FreeBSD-ipfw@freebsd.org
Date: Thu, 23 Mar 2006 14:03:20 +0200 (EET)
Message-ID: <20060323133729.D63213@atlantis.atlantis.dp.ua>
Subject: IPFW1->2 regression: "in/out/via any" ignored

Hello!

I've found a serious regression during the IPFW1->2 transition. I'm using the
"recv any" construction to match transit packets only. The ipfw(8) manpage
clearly says:

     recv | xmit | via {ifX | if* | ipno | any}
             Matches packets received, transmitted or going through, respec-
             tively, the interface specified by exact name (ifX), by device
             name (if*), by IP address, or through some interface.
                                                 ^^^^^^^^^^^^^^^^^^^^^^
             A packet may not have a receive or transmit interface: packets
             originating from the local host have no receive interface, while
             packets destined for the local host have no transmit interface.
So the following rule must not match locally-originated packets, thus matching
only transit ones:

    00001 0 0 count ip from any to any out recv any

However, after the transition to IPFW2 (RELENG_4; I have also tried RELENG_6 and
CURRENT, the results are the same) the "recv any" part just gets ignored, and
the rule starts to match all outgoing packets, not just transit ones:

    root@test3# ipfw add 1 count ip from any to any out recv any
    00001 count ip from any to any out
    root@test3# ipfw show
    00001 7 1932 count ip from any to any out

I've searched for "ipfw any" in our PR database and didn't find anything. Is it
a known issue? Does somebody work on it?

Sincerely, Dmitry
-- 
Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE
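As an added illustration that is not part of the mail above nor of FreeBSD's ipfw code: a small Python model of the recv/xmit/via matching that the quoted ipfw(8) text describes, including the rule "a packet with no interface in that role cannot match, even against any". A `drop_any` flag reproduces the reported behaviour, where a spec of `any` is discarded so that `out recv any` collapses to plain `out`. The model goes slightly beyond the post by also covering `xmit` and `via`. The interface names, the sample packets, the simplified `parse_rule` (which skips address specs) and the assumption that the outgoing interface is unknown at the inbound pass are all constructed for this example.

```python
"""Model of ipfw(8) interface-option matching (recv / xmit / via).

Added example, not code from the mailing-list post or from FreeBSD.
All packets, interface names and rule text below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Minimal view of a packet as the firewall sees it on one pass."""
    direction: str            # "in" or "out"
    rcvif: Optional[str]      # None for locally originated packets
    xmitif: Optional[str]     # None when no transmit interface is known


def iface_matches(spec: str, ifname: Optional[str]) -> bool:
    """Match an interface spec (ifX, if*, or any) against one interface.

    Per the manpage text, a packet that has no interface in this role
    cannot match, even when the spec is "any".
    """
    if ifname is None:
        return False
    if spec == "any":
        return True
    if spec.endswith("*"):
        return ifname.startswith(spec[:-1])
    return spec == ifname


def parse_rule(text: str) -> dict:
    """Extract direction and interface options from an ipfw rule body.

    Hypothetical simplification: address specs after from/to are skipped,
    action and protocol tokens are ignored.
    """
    toks = text.split()
    rule = {"direction": None, "recv": None, "xmit": None, "via": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["direction"] = t
        elif t in ("recv", "xmit", "via"):
            rule[t] = toks[i + 1]
            i += 1
        elif t in ("from", "to"):
            i += 1  # skip the address spec
        i += 1
    return rule


def rule_matches(rule: dict, pkt: Packet, drop_any: bool = False) -> bool:
    """Documented semantics when drop_any is False.

    drop_any=True models the reported regression: an interface option whose
    spec is "any" is silently discarded, so "out recv any" becomes "out".
    """
    if rule["direction"] is not None and rule["direction"] != pkt.direction:
        return False
    for opt in ("recv", "xmit", "via"):
        spec = rule[opt]
        if spec is None:
            continue
        if drop_any and spec == "any":
            continue
        if opt == "recv":
            ok = iface_matches(spec, pkt.rcvif)
        elif opt == "xmit":
            ok = iface_matches(spec, pkt.xmitif)
        else:  # via: either the receive or the transmit interface
            ok = iface_matches(spec, pkt.rcvif) or iface_matches(spec, pkt.xmitif)
        if not ok:
            return False
    return True


# Constructed traffic sample; interface names are hypothetical.
SAMPLE_PACKETS = [
    Packet("out", None, "em0"),   # locally originated, leaving via em0
    Packet("out", "em1", "em0"),  # transit packet on its outbound pass
    Packet("in", "em0", None),    # inbound pass; outgoing interface assumed unknown
]


def count_matches(rule_text: str, packets=SAMPLE_PACKETS, drop_any: bool = False) -> int:
    """Number of sample packets a 'count' rule with this body would hit."""
    rule = parse_rule(rule_text)
    return sum(rule_matches(rule, p, drop_any) for p in packets)


if __name__ == "__main__":
    rule = "count ip from any to any out recv any"
    print("documented semantics:", count_matches(rule))                 # 1
    print("regression (any dropped):", count_matches(rule, drop_any=True))  # 2
```

With the documented semantics only the transit packet is counted; with `drop_any=True` the locally originated packet is counted as well, which is the difference between the two `ipfw show` counters one would expect before and after the transition.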