bin/102422: ipfw & kernel problems where firewall rules aren't interpreted correctly
Stephen E. Halpin
seh-10lzx4 at mail.quadrizen.com
Wed Aug 30 05:40:22 UTC 2006
The following reply was made to PR bin/102422; it has been noted by GNATS.
From: Stephen E. Halpin <seh-10lzx4 at mail.quadrizen.com>
To: Stephen E. Halpin <seh-10lzx4 at mail.quadrizen.com>
Cc: Andrey V. Elsukov <bu7cher at yandex.ru>,
bug-followup at FreeBSD.org,
Oleg Bulyzhin <oleg at FreeBSD.org>,
Gleb Smirnoff <glebius at FreeBSD.org>,
Luigi Rizzo <rizzo at icir.org>
Subject: Re: bin/102422: ipfw & kernel problems where firewall rules aren't interpreted correctly
Date: Wed, 30 Aug 2006 01:44:01 -0400
Erf. I've since patched in the actual diffs for PR 91245 into a
clean install of 6.1-RELEASE, and it now thinks "me6" is a hostname
which it fails to process and dies. An example is:
    ipfw add 1 deny ip6 from any to me6
    ipfw: hostname ``me6'' unknown
There was a precedence issue which was addressed in MAIN, where the
'if' should not be taken if 'ret' is not NULL. 1.76.2.10 off
RELENG_6 has:
    if ((ret == NULL) && proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
        !inet_pton(AF_INET6, host, &a))
1.96 off MAIN has:
    if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
        !inet_pton(AF_INET6, host, &a)))
Note that these should occur in add_src() and add_dst(). When this
is added to the patches in 1.76.2.10, things appear to work. The page:
    http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/ipfw/ipfw2.c
doesn't appear to have another RELENG_6 checkin since 1.76.2.10, so
if possible this should be fixed there with the other changes you've
developed.
-Steve
On Aug 29, 2006, at 5:33 AM, Stephen E. Halpin wrote:
>
> On Aug 28, 2006, at 6:26 AM, Andrey V. Elsukov wrote:
>
>> Stephen E. Halpin wrote:
>>> processing, and it worked fine. I still have a question about PR
>>> 91245, as when I went to the following page:
>>> http://www.freebsd.org/cgi/cvsweb.cgi/src/sbin/ipfw/
>>> and it looks like the last version of ipfw2.c is 1.96 on the MAIN
>>> branch, and the changes in PR 91245 are not there. It would be
>>> awesome if all three fixes could make it into the 6.2 release!
>>
>> This PR was closed by rev. 1.88 in CURRENT, and rev. 1.76.2.10 in
>> RELENG_6, and will be in 6.2-RELEASE. But I don't know about this
>> PR. Gleb, Oleg - any comments? :)
>
> Sorry, this was a misunderstanding on my part. The diffs in the PR
> (which is what I was looking for) are different from what's in the
> actual fix, which was checked in to the revisions you mention. At
> least I know where to look next time :-/
>
> -Steve
>
>> --
>> WBR, Andrey V. Elsukov
>
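
The precedence difference between the two conditions quoted in the message above, as an added example that is not part of the original thread or of ipfw2.c. The function names, the stand-in for a non-NULL `ret`, and the sample arguments are assumptions constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/*
 * Condition as quoted from 1.76.2.10 (RELENG_6). '&&' binds tighter than
 * '||', so the unparenthesized original parses as grouped below: the
 * ret == NULL guard covers only the proto test.
 */
static int takes_ipv4_branch_releng6(const void *ret, int proto,
    const char *av, const char *host)
{
	struct in6_addr a;

	return (((ret == NULL) && proto == IPPROTO_IP) ||
	    strcmp(av, "me") == 0 || !inet_pton(AF_INET6, host, &a));
}

/* Condition as quoted from 1.96 (MAIN): the guard covers all three tests. */
static int takes_ipv4_branch_main(const void *ret, int proto,
    const char *av, const char *host)
{
	struct in6_addr a;

	return (ret == NULL && (proto == IPPROTO_IP ||
	    strcmp(av, "me") == 0 || !inet_pton(AF_INET6, host, &a)));
}

int main(void)
{
	int handled = 1;	/* constructed: stands for a non-NULL ret */
	/* Constructed inputs: the "me6" keyword and a literal IPv6 address. */
	const char *av[] = { "me6", "::1" };
	size_t i;

	for (i = 0; i < sizeof(av) / sizeof(av[0]); i++)
		printf("%-4s RELENG_6=%d MAIN=%d\n", av[i],
		    takes_ipv4_branch_releng6(&handled, IPPROTO_IPV6, av[i], av[i]),
		    takes_ipv4_branch_main(&handled, IPPROTO_IPV6, av[i], av[i]));
	return 0;
}
```

With `ret` already set and `av` equal to "me6", the RELENG_6 form still evaluates true because `inet_pton()` rejects "me6" as an IPv6 literal, while the MAIN form does not. Compiling the unparenthesized form with gcc or clang `-Wall` produces a `-Wparentheses` warning for `&&` inside `||`.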