Bug 245381

Summary: ipfw protocol or-block parsing bug when ip protocol is first in list
Product: Base System
Reporter: Jim B. <jpb>
Component: kern
Assignee: freebsd-ipfw (Nobody) <ipfw>
Status: New ---
Severity: Affects Some People
CC: ae, jpb, nc
Priority: ---
Version: 12.1-RELEASE
Hardware: amd64
OS: Any

Description Jim B. 2020-04-05 18:49:58 UTC
ipfw cannot parse an or-block when protocol 'ip' is first in the list.

To reproduce:

# ipfw flush
Are you sure? [yn] y

Flushed all rules.

# Add rule with or-block without 'ip' protocol - success
# ipfw add 1000 deny \{ igmp or ggp or eigrp \} from any to me 
01000 deny { igmp or ggp or eigrp } from any to me

# Try to add or-block with 'ip' protocol first in list - error
# ipfw add 1100 deny \{ ip or igmp or ggp or eigrp \} from any to me
ipfw: invalid OR block

# Reorder or-block so 'ip' protocol is not first in list - success
# ipfw add 1200 deny \{ igmp or ip or ggp or eigrp \} from any to me
01200 deny { igmp or ggp or eigrp } from any to me
# 

Note also that the ip protocol does not show up in the last accepted rule.
Comment 1 Neel Chauhan freebsd_committer freebsd_triage 2020-04-10 01:08:05 UTC
I am interested in working on this ticket.
Comment 2 Neel Chauhan freebsd_committer freebsd_triage 2020-04-10 03:35:44 UTC
It appears that even on commands like:

# ipfw add 1 deny \{ igmp or ip or ggp or eigrp \} from any to me
00001 deny { igmp or ggp or eigrp } from any to me

It doesn't add ip. I tried this on my laptop and pings went through.

However, this works:

# ipfw add 1 deny \{ ipv4 or igmp or ggp or eigrp \} from any to me
00001 deny { ip4 or igmp or ggp or eigrp } from any to me

The problem is that the command for just "ip" in the kernel/tool is blank.

Theoretically, this problem is solvable but why would you want to block both IPv4 AND IPv6?
Comment 3 Jim B. 2020-04-20 01:59:10 UTC
(In reply to Neel Chauhan from comment #2)

The 'deny' action keyword is immaterial to the bug report.

You correctly noted that both "ip4" and "ipv4" work as the first element in the list. 

While this is a workaround, "ip4" and "ipv4" do not exist as valid protocol names in /etc/protocols.

I suggest that the code be fixed to accommodate "ip" as an acceptable value even if it is the first element in the list.
Comment 4 Andrey V. Elsukov freebsd_committer freebsd_triage 2020-07-27 14:47:08 UTC
Using "ip" in the OR block with other protocols is useless, because it matches all protocols and the result of such an OR block will always be true.
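A check an operator can run after loading a rule set, added here as an example and not part of the report or of ipfw: it compares the protocols requested in an OR block with those ipfw echoes back (as in the transcripts above) and flags any that were silently dropped. The sample strings are taken from the report; the "ipv4"/"ip4" spelling from comment 2 is treated as the same protocol.

```shell
#!/bin/sh
# Added example (not part of the bug report or of ipfw): compare the protocol
# OR block requested in an "ipfw add" command with the rule text ipfw prints
# back, and flag any protocol that was silently dropped.

# Print the protocol names inside the first { ... } block of a rule, one per
# line and sorted. Backslashes (from shell quoting) and "or" are removed, and
# the "ipv4" spelling is folded to "ip4", which is how ipfw prints it.
or_block_protos() {
    printf '%s\n' "$1" \
      | sed -n 's/.*{\([^}]*\)}.*/\1/p' \
      | tr -d '\\' \
      | tr ' ' '\n' \
      | grep -v -e '^or$' -e '^$' \
      | sed 's/^ipv4$/ip4/' \
      | sort
}

# check_rule WANTED INSTALLED
# Prints the protocols present in WANTED but absent from INSTALLED.
# Exit status 0 when nothing is missing, 1 otherwise.
check_rule() {
    missing=""
    for p in $(or_block_protos "$1"); do
        if ! or_block_protos "$2" | grep -qx "$p"; then
            missing="$missing $p"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample taken from the transcript in the report: the rule as
# typed and the rule ipfw echoed back after accepting it.
wanted='ipfw add 1200 deny \{ igmp or ip or ggp or eigrp \} from any to me'
installed='01200 deny { igmp or ggp or eigrp } from any to me'

dropped=$(check_rule "$wanted" "$installed") || \
    echo "rule 1200: protocol(s) dropped from OR block: $dropped"
```

In a real rule set the second argument would come from `ipfw list` for the rule number in question; a dropped "ip" means the installed rule is narrower than the one written.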