Bug 27572

Summary: ipfw(8) manpage does not clearly state check-state rule behavior
Product: Documentation
Reporter: avn <avn>
Component: Books & Articles
Assignee: Yar Tikhiy <yar>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description avn 2001-05-23 14:30:03 UTC
The manpage for ipfw(8) describes the behavior of the check-state rule as
'if packet matches, the search terminates'. It should clearly state
that in case of a match the parent rule action will be taken for this
packet.

How-To-Repeat: it is a doc-update request
Comment 1 ru freebsd_committer freebsd_triage 2001-05-23 14:34:02 UTC
Responsible Changed
From-To: freebsd-doc->luigi

Let Luigi handle this.
Comment 2 ru freebsd_committer freebsd_triage 2001-05-24 08:25:41 UTC
On Thu, May 24, 2001 at 11:17:06AM +0400, Alexey V. Neyman wrote:
> Please check the following patch against ipfw.8
> 
> Ruslan, as an -mdoc policemeister, could you check if I broke
> some laws? :)
> 
Yes, you introduced what we call "hard sentence breaks".
Each new sentence should start from the new line.

> Luigi, as far as I remember (correct me if I'm wrong), 'divert' rule does
> not terminate the search but reinject altered packet from the next rule
> number - so I updated 'the search terminates' string there.
> 
This is totally wrong.  `divert' rule terminates the search, and "diverts"
the packet to the specified port, with some "glue" supplied to the application
so that if, and only if, the application writes the (possibly modified) packet
back to the "divert" socket with the same "glue" data (as specified in the
divert(4) manpage), it is passed again to the ipfw starting with the rule
whose number is greater than the "glue" data.  That's the way natd(8) works.

> Also it seems to me that ipfirewall(4) is more than seriously outdated :=\
> It does not match ip_fw.h in many places. It says that 'tee' is
> unimplemented. Ruslan, Luigi, I'm not that good in -mdoc, if I try to
> sync it up in plain text and send it for review - will you do the rest?
> 
Yes.

> --- /usr/src/sbin/ipfw/ipfw.8	Thu May  3 15:46:00 2001
> +++ ipfw.8	Thu May 24 11:13:43 2001
> @@ -345,9 +345,10 @@
>  The search continues with the next rule.
>  .It Cm check-state
>  Checks the packet against the dynamic ruleset.
> -If a match is found then the search terminates, otherwise
> -we move to the next rule.
> -If no
> +If a match is found then the search terminates and the action
> +is inherited from appropriate static
> +.Cm keep-state
> +rule, otherwise we move to the next rule. If no
                                           ^^ This is the hard break.

For me, "if the match is found" phrase implies the action is taken
from the matched (dynamic) rule.

>  .Cm check-state
>  rule is found, the dynamic ruleset is checked at the first
>  .Cm keep-state
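Review bot: the new wording in the `+` lines never says which rule supplies the action ("appropriate static keep-state rule" is undefined and lacks an article), and "If no" is run onto the end of the last `+` line instead of starting a new sentence on its own line. Name the rule that created the matching dynamic entry (the parent rule, as the PR description calls it) and give "If no" its own line, for example: `If a match is found, the search terminates and the action of the` / `.Cm keep-state` / `rule that created the dynamic entry is taken; otherwise we move to the next rule.`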
> @@ -357,7 +358,8 @@
>  .Xr divert 4
>  socket bound to port
>  .Ar port .
> -The search terminates.
> +Diverted packet is reinjected into firewall from the next rule number
> +(not to the next rule if there are several with the same number).
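Review bot: the replacement starting at `+Diverted packet is reinjected into firewall` presents reinjection as unconditional, whereas the reply above explains that the search does terminate at the divert rule and the packet re-enters ipfw only if the application writes it back to the divert socket with the same glue data, resuming at the first rule whose number is greater than the glue. Keep the removed line `The search terminates.` and, if a hint is wanted, add one sentence on the write-back case with an `.Xr divert 4` cross-reference; "Diverted packet" also needs an article ("The diverted packet").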
> 
As I said, this is technically wrong.


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
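The rule-search behaviour argued over in this thread (a check-state hit applying the action of the keep-state rule that created the dynamic entry, divert ending the search, and a written-back packet resuming past the glue), as an added toy model in Python that is not FreeBSD's ipfw code; the `Firewall` class, rule numbers and addresses are constructed for illustration:

```python
# Toy model of the ipfw(8) rule search as described in this PR (constructed
# example, not FreeBSD's ipfw code): a check-state hit applies the action of
# the keep-state rule that created the dynamic entry, and divert terminates
# the search; a packet the application writes back to the divert(4) socket
# re-enters at the first rule numbered greater than the "glue" value.

def flow_key(pkt):
    """Direction-agnostic key so an inbound reply hits the outbound entry."""
    proto, src, dst, _direction = pkt
    return (proto,) + tuple(sorted((src, dst)))

class Firewall:
    def __init__(self, rules):
        # rules: (number, action, match_fn, keep_state); numbers may repeat
        self.rules = sorted(rules, key=lambda r: r[0])   # stable sort
        self.dynamic = {}  # flow key -> (action, number) of the parent rule

    def search(self, pkt, glue=-1):
        """Return (action, rule number) of the rule that ended the search."""
        for num, action, match, keep_state in self.rules:
            if num <= glue:      # reinjection: skip rules up to the glue
                continue
            if action == "check-state":
                hit = self.dynamic.get(flow_key(pkt))
                if hit is not None:
                    return hit   # action inherited from the parent rule
                continue         # no dynamic match: move to the next rule
            if not match(pkt):
                continue
            if keep_state:
                self.dynamic[flow_key(pkt)] = (action, num)
            return action, num   # allow, deny and divert all terminate
        return "deny", 65535     # default rule

    def reinject(self, pkt, glue):
        """Packet written back to the divert(4) socket with its glue data."""
        return self.search(pkt, glue)

def make_fw():
    tcp = lambda p: p[0] == "tcp"
    udp = lambda p: p[0] == "udp"
    return Firewall([
        (100, "check-state", lambda p: True, False),
        (150, "divert", udp, False),
        (150, "deny", udp, False),     # same number: skipped on reinjection
        (200, "allow", lambda p: tcp(p) and p[3] == "out", True),  # keep-state
        (300, "deny", tcp, False),
        (400, "allow", lambda p: True, False),
    ])
```

The inbound reply is allowed by the entry rule 200 created, even though the first static rule it would otherwise match is the deny at 300.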
Comment 3 avn 2001-05-24 09:11:49 UTC
On Thu, 24 May 2001, Ruslan Ermilov wrote:
>On Thu, May 24, 2001 at 11:17:06AM +0400, Alexey V. Neyman wrote:
>> Please check the following patch against ipfw.8
>>
>> Ruslan, as an -mdoc policemeister, could you check if I broke
>> some laws? :)
>Yes, you introduced what we call "hard sentence breaks".
>Each new sentence should start from the new line.

Corrected patch below.

>This is totally wrong.  `divert' rule terminates the search, and "diverts"
>the packet to the specified port, with some "glue" supplied to the application
>so that if, and only if, the application writes the (possibly modified) packet
>back to the "divert" socket with the same "glue" data (as specified in the
>divert(4) manpage), it is passed again to the ipfw starting with the rule
>whose number is greater than the "glue" data.  That's the way natd(8) works.

Well, let people sink into the depths of divert(4) :)

Regards,
Alexey.

--- /usr/src/sbin/ipfw/ipfw.8	Thu May  3 15:46:00 2001
+++ ipfw.8	Thu May 24 12:04:43 2001
@@ -345,8 +345,10 @@
 The search continues with the next rule.
 .It Cm check-state
 Checks the packet against the dynamic ruleset.
-If a match is found then the search terminates, otherwise
-we move to the next rule.
+If a match is found then the search terminates and the action
+is inherited from appropriate static
+.Cm keep-state
+rule, otherwise we move to the next rule.
 If no
 .Cm check-state
 rule is found, the dynamic ruleset is checked at the first
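Review bot: the hard sentence break is gone, but "is inherited from appropriate static" in the second `+` line still lacks an article and still does not say which keep-state rule is meant; state that it is the rule that created the matching dynamic entry, e.g. `is inherited from the static` / `.Cm keep-state` / `rule that created the dynamic entry, otherwise we move to the next rule.`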
Comment 4 Yar Tikhiy freebsd_committer freebsd_triage 2002-01-02 20:26:20 UTC
State Changed
From-To: open->closed

The proposed patch doesn't add any clarity. 
Dynamic rules are rather sophisticated, so a user 
should refer to the EXAMPLES section to understand them. 


Comment 5 Yar Tikhiy freebsd_committer freebsd_triage 2002-01-02 20:26:20 UTC
Responsible Changed
From-To: luigi->yar

Luigi authorized me to take care of users' suggestions 
to the ipfw(8) page. 