Bug 131817 - [ipfw] blocks layer2 packets that should not be blocked
Summary: [ipfw] blocks layer2 packets that should not be blocked
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 7.1-STABLE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ipfw (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-02-18 15:50 UTC by Eugene Grosbein
Modified: 2011-08-03 05:30 UTC

See Also:


Attachments
arpreply.diff (493 bytes, patch)
2011-07-01 09:56 UTC, Andrey V. Elsukov

Description Eugene Grosbein 2009-02-18 15:50:00 UTC
The rule:

ipfw add 1000 deny ip from any to any out recv fxp0 xmit fxp0

blocks outgoing ARP replies on the interface fxp0
if sysctl net.link.ether.ipfw is set to 1.

An ARP reply is not a transit packet received from fxp0 and
must not be blocked in this case. This is a serious bug
and it has existed in ipfw2 since RELENG_4.

Fix: 

Unknown.


Eugene Grosbein
How-To-Repeat: See above.
Comment 1 Gavin Atkinson freebsd_committer freebsd_triage 2009-02-18 21:01:17 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-ipfw

Over to maintainer(s).  To submitter: FWIW, I agree that this 
does seem like incorrect behaviour.  I usually work around it 
with the following additional rule: 

ipfw add 10 allow ip from any to any layer2 mac-type arp
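As an added example, not part of this bug report and not FreeBSD code: a small C model of how ipfw's `recv`, `xmit` and `layer2 mac-type` options are matched, showing why the reporter's rule (`deny ip from any to any out recv fxp0 xmit fxp0`) catches an ARP reply that was built from the request mbuf with rcvif still set to fxp0, why the `allow ip from any to any layer2 mac-type arp` rule from this comment lets the reply through, and what clearing `m_pkthdr.rcvif` before output (the kernel change committed later in this PR) does to the verdict. The names `struct pkt`, `struct rule`, `ipfw_check` and the `verdict_*` helpers are hypothetical simplifications; the real ipfw_chk() does far more than this.

```c
/*
 * Added example, not FreeBSD code: a toy model of ipfw matching for the
 * "recv IF", "xmit IF" and "layer2 mac-type" options, enough to show how an
 * ARP reply that still carries the request's rcvif is judged.  The names
 * struct pkt, struct rule and ipfw_check are hypothetical simplifications.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_IP  0x0800
#define ETHERTYPE_ARP 0x0806

enum action { PASS, DENY };

struct pkt {
    const char *rcvif;    /* like m_pkthdr.rcvif: NULL for locally generated */
    const char *xmitif;   /* interface the packet is being sent on */
    int ethertype;
    int layer2;           /* 1 when seen at the ether_output hook */
};

struct rule {
    int number;
    enum action act;
    const char *recv;     /* "recv IF" option, NULL when absent */
    const char *xmit;     /* "xmit IF" option, NULL when absent */
    int layer2;           /* "layer2" option */
    int mac_type;         /* "mac-type" option, 0 when absent */
};

/* An interface option only matches a packet that actually has that interface,
 * so "recv fxp0" can never match a packet whose rcvif is NULL. */
static int ifmatch(const char *want, const char *have)
{
    if (want == NULL)
        return 1;
    return have != NULL && strcmp(want, have) == 0;
}

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    if (r->layer2 && !p->layer2)
        return 0;
    if (r->mac_type && r->mac_type != p->ethertype)
        return 0;
    return ifmatch(r->recv, p->rcvif) && ifmatch(r->xmit, p->xmitif);
}

/* First matching rule wins; an unmatched packet is passed (default-accept). */
enum action ipfw_check(const struct rule *rules, size_t n, const struct pkt *p)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], p))
            return rules[i].act;
    return PASS;
}

/* "deny ip from any to any out recv fxp0 xmit fxp0"; per the report it also
 * catches ARP frames at layer2, so the model gives it no mac-type limit. */
static const struct rule deny_only[] = {
    { 1000, DENY, "fxp0", "fxp0", 0, 0 },
};

/* The same rule behind the workaround "allow ip from any to any layer2 mac-type arp". */
static const struct rule with_workaround[] = {
    {   10, PASS, NULL,   NULL,   1, ETHERTYPE_ARP },
    { 1000, DENY, "fxp0", "fxp0", 0, 0 },
};

/* Outgoing ARP reply on fxp0.  rcvif is "fxp0" when the request mbuf is reused
 * untouched and NULL once the kernel clears m_pkthdr.rcvif before output. */
static enum action arp_reply(const struct rule *rules, size_t n, const char *rcvif)
{
    struct pkt reply = { rcvif, "fxp0", ETHERTYPE_ARP, 1 };
    return ipfw_check(rules, n, &reply);
}

enum action verdict_before_fix(void)      { return arp_reply(deny_only, 1, "fxp0"); }
enum action verdict_with_workaround(void) { return arp_reply(with_workaround, 2, "fxp0"); }
enum action verdict_after_fix(void)       { return arp_reply(deny_only, 1, NULL); }

/* A genuine transit packet, in on fxp0 and out on fxp0, must still be denied. */
enum action verdict_transit(void)
{
    struct pkt transit = { "fxp0", "fxp0", ETHERTYPE_IP, 0 };
    return ipfw_check(deny_only, 1, &transit);
}

int main(void)
{
    printf("ARP reply, rcvif kept:        %s\n", verdict_before_fix() == DENY ? "deny" : "pass");
    printf("ARP reply, workaround rule:   %s\n", verdict_with_workaround() == DENY ? "deny" : "pass");
    printf("ARP reply, rcvif cleared:     %s\n", verdict_after_fix() == DENY ? "deny" : "pass");
    printf("transit IP in/out fxp0:       %s\n", verdict_transit() == DENY ? "deny" : "pass");
    return 0;
}
```

The point of the model is the `ifmatch` rule: a `recv IF` option can only match a packet that really has a receive interface, so once the kernel hands the reply to `if_output` with `rcvif == NULL` the deny rule no longer applies, while a packet that truly arrived on fxp0 and leaves on fxp0 is still denied. The workaround rule at number 10 reaches the same result for ARP only by matching the frame before rule 1000 is consulted, which is why its position in the ruleset matters.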
Comment 2 Andrey V. Elsukov freebsd_committer freebsd_triage 2011-07-01 09:56:14 UTC
Hi, Eugene

can you test this patch?

-- 
WBR, Andrey V. Elsukov
Comment 3 Andrey V. Elsukov freebsd_committer freebsd_triage 2011-07-01 10:04:38 UTC
State Changed
From-To: open->feedback

Feedback requested.
Comment 4 Eugene Grosbein 2011-07-03 22:12:46 UTC
01.07.2011 16:04, ae@FreeBSD.org writes:
> Synopsis: [ipfw] blocks layer2 packets that should not be blocked
> 
> State-Changed-From-To: open->feedback
> State-Changed-By: ae
> State-Changed-When: Fri Jul 1 09:04:38 UTC 2011
> State-Changed-Why: 
> Feedback requested.
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=131817

Your patch works, thanks!

Eugene Grosbein
Comment 5 dfilter service freebsd_committer freebsd_triage 2011-07-04 06:48:00 UTC
Author: ae
Date: Mon Jul  4 05:47:48 2011
New Revision: 223753
URL: http://svn.freebsd.org/changeset/base/223753

Log:
  ARP code reuses mbuf from ARP request to make a reply, but it does not
  reset rcvif to NULL. Since rcvif is not NULL, ipfw(4) supposes that ARP
  replies were received on specified interface.
  Reset rcvif to NULL for ARP replies to fix this issue.
  
  PR:		kern/131817
  Reviewed by:	glebius
  MFC after:	1 month

Modified:
  head/sys/netinet/if_ether.c

Modified: head/sys/netinet/if_ether.c
==============================================================================
--- head/sys/netinet/if_ether.c	Mon Jul  4 03:19:06 2011	(r223752)
+++ head/sys/netinet/if_ether.c	Mon Jul  4 05:47:48 2011	(r223753)
@@ -857,6 +857,7 @@ reply:
 	ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */
 	m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln);   
 	m->m_pkthdr.len = m->m_len;   
+	m->m_pkthdr.rcvif = NULL;
 	sa.sa_family = AF_ARP;
 	sa.sa_len = 2;
 	(*ifp->if_output)(ifp, m, &sa, NULL);
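Review bot: the added `m->m_pkthdr.rcvif = NULL;` carries no comment saying why a locally built reply must not keep the request's receive interface; add one beside it, for example `m->m_pkthdr.rcvif = NULL;	/* reply is generated here, not received */`, so a later cleanup of the `reply:` block does not drop a line that looks redundant next to the `m_len` and `m_pkthdr.len` fix-ups. The reset is also confined to this one path: the log says the ARP code reuses the request mbuf for the reply, and any other place that hands a received mbuf straight back to `if_output` would still present a stale rcvif to ipfw's `recv` test, so those paths deserve the same check.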
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Comment 6 Andrey V. Elsukov freebsd_committer freebsd_triage 2011-07-04 06:48:49 UTC
State Changed
From-To: feedback->patched

Patched in head/. Thanks!
Comment 7 dfilter service freebsd_committer freebsd_triage 2011-08-03 05:28:06 UTC
Author: ae
Date: Wed Aug  3 04:27:47 2011
New Revision: 224622
URL: http://svn.freebsd.org/changeset/base/224622

Log:
  MFC r223753:
    ARP code reuses mbuf from ARP request to make a reply, but it does not
    reset rcvif to NULL. Since rcvif is not NULL, ipfw(4) supposes that ARP
    replies were received on specified interface.
    Reset rcvif to NULL for ARP replies to fix this issue.
  
    PR:		kern/131817

Modified:
  stable/8/sys/netinet/if_ether.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)

Modified: stable/8/sys/netinet/if_ether.c
==============================================================================
--- stable/8/sys/netinet/if_ether.c	Wed Aug  3 03:52:15 2011	(r224621)
+++ stable/8/sys/netinet/if_ether.c	Wed Aug  3 04:27:47 2011	(r224622)
@@ -843,6 +843,7 @@ reply:
 	ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */
 	m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln);   
 	m->m_pkthdr.len = m->m_len;   
+	m->m_pkthdr.rcvif = NULL;
 	sa.sa_family = AF_ARP;
 	sa.sa_len = 2;
 	(*ifp->if_output)(ifp, m, &sa, NULL);
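Review bot: this stable/8 hunk sits at `@@ -843` rather than head's `@@ -857`, so the unchanged context rather than the offset is what places it; the three lines before the insertion (`ah->ar_pro = htons(ETHERTYPE_IP);`, the `m->m_len` assignment and `m->m_pkthdr.len = m->m_len;`) and the three after it match the head hunk exactly, so the reset lands at the same point in the `reply:` path. The MFC log drops the `Reviewed by: glebius` line that r223753 carried; keep it in the merge log so the stable branch records who reviewed the change.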
Comment 8 dfilter service freebsd_committer freebsd_triage 2011-08-03 05:28:24 UTC
Author: ae
Date: Wed Aug  3 04:28:16 2011
New Revision: 224623
URL: http://svn.freebsd.org/changeset/base/224623

Log:
  MFC r223753:
    ARP code reuses mbuf from ARP request to make a reply, but it does not
    reset rcvif to NULL. Since rcvif is not NULL, ipfw(4) supposes that ARP
    replies were received on specified interface.
    Reset rcvif to NULL for ARP replies to fix this issue.
  
    PR:           kern/131817

Modified:
  stable/7/sys/netinet/if_ether.c
Directory Properties:
  stable/7/sys/   (props changed)
  stable/7/sys/cddl/contrib/opensolaris/   (props changed)
  stable/7/sys/contrib/dev/acpica/   (props changed)
  stable/7/sys/contrib/pf/   (props changed)

Modified: stable/7/sys/netinet/if_ether.c
==============================================================================
--- stable/7/sys/netinet/if_ether.c	Wed Aug  3 04:27:47 2011	(r224622)
+++ stable/7/sys/netinet/if_ether.c	Wed Aug  3 04:28:16 2011	(r224623)
@@ -981,6 +981,7 @@ reply:
 	ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */
 	m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln);   
 	m->m_pkthdr.len = m->m_len;   
+	m->m_pkthdr.rcvif = NULL;
 	sa.sa_family = AF_ARP;
 	sa.sa_len = 2;
 	(*ifp->if_output)(ifp, m, &sa, (struct rtentry *)0);
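Review bot: in the stable/7 hunk the trailing context reads `(*ifp->if_output)(ifp, m, &sa, (struct rtentry *)0);` where head and stable/8 pass `NULL`, and the offset is `@@ -981` against head's `@@ -857`; the rcvif reset does not touch that call's arguments, so it merges cleanly as is, but the larger drift means placement should be checked by context (the `m->m_pkthdr.len = m->m_len;` line directly above the insertion) rather than by line number. The same missing comment as in r223753 applies here, since the MFC copies the bare assignment without explaining it.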
Comment 9 Andrey V. Elsukov freebsd_committer freebsd_triage 2011-08-03 05:28:48 UTC
State Changed
From-To: patched->closed

Merged to stable/7 and stable/8. Thanks!