Bug 188543

Summary: [ipfw] ipfw option `in` is not working on FreeBSD10
Product: Base System Reporter: bycn82
Component: kern
Assignee: Andrey V. Elsukov <ae>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description bycn82 2014-04-13 07:10:00 UTC
According to the man page, the rule options `in|out` are still supported
in FreeBSD 10. But somehow the rule with `in` did not match anything in my
case.

How-To-Repeat:
root@FB10:~ # ipfw -f flush
Flushed all rules.
//Create rules <---------------------------------
root@FB10:~ # ipfw add count all from any to any MAC any any in via em0
00100 count ip from any to any MAC any any in via em0
root@FB10:~ # ipfw add count all from any to any MAC any any via em0
00200 count ip from any to any MAC any any via em0
//Check counters<-----------------------------------
root@FB10:~ # ipfw show
00100    0      0 count ip from any to any MAC any any in via em0 
00200   26   2232 count ip from any to any MAC any any via em0
65535 3453 293448 allow ip from any to any
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2014-04-16 02:40:14 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-ipfw

Over to maintainer(s).
Comment 2 lhmwzy 2014-04-16 03:33:34 UTC
I have tested under 10.0 and the count is always 0.
#sysctl -a|grep ipfw
net.link.ether.ipfw:1

Under 8.4 and 9.2, the count is correct.
Comment 3 lhmwzy 2014-04-16 14:12:42 UTC
Under 10.0

00100 0 0 count ip from any to any MAC any any in via em0
00200 0 0 count ip from any to any MAC any 00:0c:29:f4:d8:75 in via em0
00400 0 0 count ip from any to any MAC any 00:0c:29:f4:d8:75 in

These rules' counts are 0.

00300 2999 1089504 count ip from any to any MAC any 00:0c:29:f4:d8:75
00500 2959 287441 count ip from any to any out
00600 812 113255 count ip from any to any in
00700 45 8952 count ip from any to any MAC any 00:0c:29:f4:d8:75 out

These rules look like they are working normally.
00:0c:29:f4:d8:75 is the MAC of my em0.
Comment 4 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-04-16 15:19:42 UTC
Responsible Changed
From-To: freebsd-ipfw->ae

Take it.
Comment 5 dfilter service freebsd_committer freebsd_triage 2014-04-16 15:37:15 UTC
Author: ae
Date: Wed Apr 16 14:37:11 2014
New Revision: 264540
URL: http://svnweb.freebsd.org/changeset/base/264540

Log:
  Set oif only for outgoing packets.
  
  PR:		188543
  MFC after:	1 week
  Sponsored by:	Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw_pfil.c

Modified: head/sys/netpfil/ipfw/ip_fw_pfil.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_pfil.c	Wed Apr 16 12:29:45 2014	(r264539)
+++ head/sys/netpfil/ipfw/ip_fw_pfil.c	Wed Apr 16 14:37:11 2014	(r264540)
@@ -334,7 +334,7 @@ ipfw_check_frame(void *arg, struct mbuf 
 	m_adj(m, ETHER_HDR_LEN);	/* strip ethernet header */
 
 	args.m = m;		/* the packet we are looking at		*/
-	args.oif = dst;		/* destination, if any			*/
+	args.oif = dir == PFIL_OUT ? dst: NULL;	/* destination, if any	*/
 	args.next_hop = NULL;	/* we do not support forward yet	*/
 	args.next_hop6 = NULL;	/* we do not support forward yet	*/
 	args.eh = &save_eh;	/* MAC header for bridged/MAC packets	*/
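Review bot: style(9) wants a space on both sides of the ternary colon, so the added line should read `args.oif = dir == PFIL_OUT ? dst : NULL;`. Beyond the nit, the trailing comment `destination, if any` no longer says what is stored: for PFIL_IN the hook's `dst` argument is now deliberately discarded, so a comment such as `/* output interface, only when dir == PFIL_OUT */` would tell the next reader why incoming frames must leave oif NULL (storing `dst` unconditionally, the r264539 behaviour, is exactly what made the `in` option never match in this PR). Also worth confirming that the `via`/`recv` interface checks further down still see the receive interface for the PFIL_IN case through the mbuf now that `oif` is NULL; the hunk alone does not show it, though Comment 7's test suggests it works.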
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Comment 6 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-04-16 15:41:09 UTC
State Changed
From-To: open->patched

Patched in head/.
Comment 7 lhmwzy 2014-04-17 01:14:01 UTC
Tks for patch.
Tested and worked.
Comment 8 bycn82 2014-04-18 18:51:29 UTC
I read the source code because of this bug, and I have some comments,
though maybe this is not the proper place.
1. If we make it modular and extendable, then we can foresee that more
developers will contribute their effort and make it more powerful than
its current state.
2. Every hook should have its own firewall rule table; it can improve
the performance, though not that significantly.
3. The rules do not need to be so semantic in my opinion, because their
users are professionals. I admit it is not important.
I am going to refactor it and hope more people will join me and make it
an alternative version of ipfw.
Comment 9 Mark Knight 2014-04-19 19:50:30 UTC
This bug is a nasty security regression. Definitely something to consider
for the FreeBSD 10 errata and potentially even a security advisory IMHO.

-- 
Mark Knight
Comment 10 dfilter service freebsd_committer freebsd_triage 2014-04-23 10:56:21 UTC
Author: ae
Date: Wed Apr 23 09:56:17 2014
New Revision: 264813
URL: http://svnweb.freebsd.org/changeset/base/264813

Log:
  MFC r264540:
    Set oif only for outgoing packets.
  
    PR:		188543

Modified:
  stable/10/sys/netpfil/ipfw/ip_fw_pfil.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/netpfil/ipfw/ip_fw_pfil.c
==============================================================================
--- stable/10/sys/netpfil/ipfw/ip_fw_pfil.c	Wed Apr 23 09:32:33 2014	(r264812)
+++ stable/10/sys/netpfil/ipfw/ip_fw_pfil.c	Wed Apr 23 09:56:17 2014	(r264813)
@@ -334,7 +334,7 @@ ipfw_check_frame(void *arg, struct mbuf 
 	m_adj(m, ETHER_HDR_LEN);	/* strip ethernet header */
 
 	args.m = m;		/* the packet we are looking at		*/
-	args.oif = dst;		/* destination, if any			*/
+	args.oif = dir == PFIL_OUT ? dst: NULL;	/* destination, if any	*/
 	args.next_hop = NULL;	/* we do not support forward yet	*/
 	args.next_hop6 = NULL;	/* we do not support forward yet	*/
 	args.eh = &save_eh;	/* MAC header for bridged/MAC packets	*/
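Review bot: this MFC carries r264540 to stable/10 verbatim, including the missing space before the ternary colon (`dst: NULL`); harmless, but if the style nit is later fixed in head, merge that too so the two branches stay identical. The MFC log also does not say what the bug did in practice: with `oif` set for PFIL_IN frames, every rule with the `in` option on the layer-2 path failed to match, which Comment 9 above flags as errata/advisory material. A sentence to that effect in the log would help whoever drafts the notice.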
Comment 11 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-04-23 10:57:42 UTC
State Changed
From-To: patched->closed

Merged to stable/10. Thanks!