Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 13 Jan 2006 23:43:12 GMT
From:      Tijmen Ramakers <tijmen@tijmen.net>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/91777: ipfilter: wrong behaviour with skip rule inside a group with a 'quick' head
Message-ID:  <200601132343.k0DNhCZS071437@www.freebsd.org>
Resent-Message-ID: <200601132350.k0DNo6dC044099@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         91777
>Category:       kern
>Synopsis:       ipfilter: wrong behaviour with skip rule inside a group with a 'quick' head
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 13 23:50:06 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Tijmen Ramakers
>Release:        6.0-RELEASE
>Organization:
>Environment:
FreeBSD kitana.tijmen.net 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Fri Nov 11 00:37:21 UTC 2005     root@kitana.tijmen.net:/usr/src/sys/i386/compile/KITANA  i386
              
>Description:
Inside a group of a rule set whose head rule uses the 'quick' option, a matching skip rule seems to end the processing of the group.

ipf was compiled into the kernel (not as a module) using the IPFILTER and IPFILTER_LOG options.

ipf -V output: 

ipf: IP Filter: v4.1.8 (416)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0x20000000 = block
Default: block all, Logging: available
Active list: 1
              
Consider the following simple ruleset:

@0:1    block out quick on de0 head 100
@100:1  skip 1 out group 100
@100:2  block out quick group 100
@100:3  pass out quick group 100

Expected behaviour for an outbound packet on de0 would be:
1. rule @0:1 matches, branch into group 100
2. rule @100:1 matches, skip over @100:2 to @100:3
3. rule @100:3 matches, with the quick option

So, the packet should be passed. However, it is not. In the ipfmon logging you see that the packet gets blocked on rule @100:1, using ipfstat -honR you see that only rules @0:1 and @100:1 have matched.

However, if you leave out the 'quick' in @0:1, the rule does gets processed as expected. According to the ipf manpage and the "IP Filter FAQ", the 'quick' in the head rule is only relevant in case none of the group's rules match. 

I noticed this when after upgrading from 5.2.1 to 6.0, my firewall config didn't work anymore. Haven't seen any mention of this change in behaviour anywhere.




>How-To-Repeat:
See problem description. 


>Fix:
              
>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200601132343.k0DNhCZS071437>