Bug 73129

Summary: [patch] IPFW misbehaviour in RELENG_5
Product: Base System Reporter: Vladimir Ivanov <wawa>
Component: kernAssignee: Andre Oppermann <andre>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 5.3-STABLE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description Vladimir Ivanov 2004-10-25 17:30:31 UTC 
	IPFW does not forward packets which has dst-addr from directly connected network.

How-To-Repeat: 	there are three interfaces on router:

vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 213.180.192.168 netmask 0xfffffff0 broadcast 213.180.192.175
        ether 00:30:48:29:e9:62
        media: Ethernet 1000baseTX (1000baseTX <full-duplex>)
        status: active
        vlan: 3 parent interface: em0
vlan159: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 213.180.200.254 netmask 0xffffff00 broadcast 213.180.200.255
        ether 00:30:48:29:e9:62
        media: Ethernet 1000baseTX (1000baseTX <full-duplex>)
        status: active
        vlan: 159 parent interface: em0
vlan169: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 213.180.218.254 netmask 0xffffff00 broadcast 213.180.218.255
        ether 00:30:48:29:e9:62
        media: Ethernet 1000baseTX (1000baseTX <full-duplex>)
        status: active
        vlan: 169 parent interface: em0

Firewall:
	fwd 213.180.192.162 tcp from 213.180.200.32/28 to 213.180.218.0/24 in via vlan159
	allow ip from any to any

The very first firewall command does not forward packets et all. Though it increments counters
I've found a strange piece of code in the module ip_route.c. The problem may be fixed by removing a couple of lines.
I'm not sure whether it is a valid solution cause code is pretty complicated. Author's comments are desirable :-)
Comment 1 Maxim Konovalov 2004-10-25 17:57:34 UTC 
Haven't checked the code yet but this PR sounds similar to kern/71910.
Could you please check the patch in kern/71910 solves your problem?
TIA.

-- 
Maxim Konovalov
Comment 2 Vladimir Ivanov 2004-10-25 18:41:23 UTC 
Maxim Konovalov wrote:

>Haven't checked the code yet but this PR sounds similar to kern/71910.
>Could you please check the patch in kern/71910 solves your problem?
>TIA.
>
>  
>
They've got trouble with locally originated traffic that's why they've 
removed in_localip(srcip) check.
I've got problem with intercepting traffic which flows to directly 
connected subnet (ip_localaddr(dstip) check).

The idea of this strange "if" operator is absolutly unclear for me. The 
only meaning which I can see: "disable forwarding traffic which are 
either locally originated or originally has  been directed to connected 
subnets". I can't understand why.
That's why I've removed both checks.

But I still suppose there were some reason to write this code.
Comment 3 Gleb Smirnoff freebsd_committer freebsd_triage 2004-12-02 13:21:14 UTC 
Responsible Changed
From-To: freebsd-bugs->andre

These checks (!in_localip(ip->ip_src) && !in_localaddr(ip->ip_dst)) were 
introduced with PFIL_HOOKS conversion by Andre.
Comment 4 Andre Oppermann freebsd_committer freebsd_triage 2005-09-10 08:49:44 UTC 
State Changed
From-To: open->closed

See kern/71910 for solution.