Summary: | ipfw protocol or-block parsing bug when ip protocol is first in list | ||
---|---|---|---|
Product: | Base System | Reporter: | Jim B. <jpb> |
Component: | kern | Assignee: | freebsd-ipfw (Nobody) <ipfw> |
Status: | New --- | ||
Severity: | Affects Some People | CC: | ae, jpb, nc |
Priority: | --- | ||
Version: | 12.1-RELEASE | ||
Hardware: | amd64 | ||
OS: | Any |
Description
Jim B.
2020-04-05 18:49:58 UTC
I am interested in working on this ticket. It appears that even on commands like:

    # ipfw add 1 deny \{ igmp or ip or ggp or eigrp \} from any to me
    00001 deny { igmp or ggp or eigrp } from any to me

It doesn't add ip. I tried this on my laptop and pings went through. However, this works:

    # ipfw add 1 deny \{ ipv4 or igmp or ggp or eigrp \} from any to me
    00001 deny { ip4 or igmp or ggp or eigrp } from any to me

The problem is that the command for just "ip" in the kernel/tool is blank. Theoretically, this problem is solvable but why would you want to block both IPv4 AND IPv6?

(In reply to Neel Chauhan from comment #2) The 'deny' action keyword is immaterial to the bug report. You correctly noted that both "ip4" and "ipv4" work as the first element in the list. While this is a workaround, "ip4" and "ipv4" do not exist as valid protocol names in /etc/protocols. I suggest that the code be fixed to accommodate "ip" as an acceptable value even if it is the first element in the list.

Using "ip" in the OR block with other protocols is useless, because it matches all protocols and the result of such an OR block will always be true.
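The thread shows ipfw accepting a rule and echoing back one with a protocol silently missing from the or-block. The following check is an added example, not part of the report or of ipfw: it compares the rule as requested with the rule as echoed and reports dropped protocols. The function names are hypothetical, and the `ipv6` to `ip6` alias is assumed by analogy with the `ipv4` to `ip4` rewrite seen above.

```python
import re

# Names ipfw echoes in a different spelling. "ipv4" -> "ip4" appears in the
# report; "ipv6" -> "ip6" is an assumption made by analogy.
ALIASES = {"ipv4": "ip4", "ipv6": "ip6"}

# First { ... } block, with or without the shell escapes (\{ ... \}).
OR_BLOCK = re.compile(r"\\?\{(.*?)\\?\}")


def or_block_protocols(rule):
    """Return the protocol names in the first or-block of a rule line."""
    match = OR_BLOCK.search(rule)
    if match is None:
        return []
    names = [tok for tok in match.group(1).split() if tok != "or"]
    return [ALIASES.get(name, name) for name in names]


def dropped_protocols(requested, echoed):
    """Protocols present in the requested rule but absent from the echoed one."""
    echoed_set = set(or_block_protocols(echoed))
    return [p for p in or_block_protocols(requested) if p not in echoed_set]


if __name__ == "__main__":
    # Command/echo pairs copied from the report above.
    pairs = [
        (r"ipfw add 1 deny \{ igmp or ip or ggp or eigrp \} from any to me",
         "00001 deny { igmp or ggp or eigrp } from any to me"),
        (r"ipfw add 1 deny \{ ipv4 or igmp or ggp or eigrp \} from any to me",
         "00001 deny { ip4 or igmp or ggp or eigrp } from any to me"),
    ]
    for requested, echoed in pairs:
        missing = dropped_protocols(requested, echoed)
        status = "MISMATCH, dropped: " + ", ".join(missing) if missing else "ok"
        print(f"{echoed!r}: {status}")
```

Running the same comparison over a ruleset file and the output of `ipfw list` flags any rule whose installed form is narrower than the one that was written.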