Bug 202802 - ipf reports error with broken rule, but places malformed rule anyway
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.1-RELEASE
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-ipfw (Nobody)
Reported: 2015-08-31 23:43 UTC by Jessica K. Litwin
Modified: 2015-09-01 17:37 UTC
Description Jessica K. Litwin 2015-08-31 23:43:22 UTC
Hi,

Steps to duplicate:

1.) In an ipf.rules file you can place the following rule exactly as typed (with typo):

block in quick proto tcp from8.8.8.8/32 to any 


2.) load ipf with 'ipf -F -a -f /etc/ipf.rules' or similar:

# ipfstat -hi
empty list for ipfilter(in)
# ipfstat -ho
empty list for ipfilter(out)

# ipf -F -a -f /etc/ipf.rules 
syntax error error at "/", line 1


Expected result:  

ipf correctly reports a syntax error and does reload rules until the error is corrected.

Actual result: 

# ipfstat -hi 
2 block in quick proto tcp from any to any 
 

At this point the box is deaf to the world until the rule is removed, corrected, or ipf is flushed via console.
Comment 1 Jessica K. Litwin 2015-08-31 23:46:24 UTC
I can duplicate this on ipf versions as far back as 4.1.28 (416), 
and my current FreeBSD 10 system using ipf 5.1.2 (464).
Comment 2 Jessica K. Litwin 2015-09-01 00:28:25 UTC
Also, in my original post 'does reload rules' should read 'doesn't reload rules', sorry.
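
A guard for the reload step described in this report, added here as an example; it is not part of the bug report or of ipf itself. It runs the rules file through ipf's no-change mode (-n) first and only flushes and loads when that dry run is silent. It assumes the -n run prints the same parser diagnostic to stderr as a real load; check_rules, safe_reload and IPF_CMD are names made up for this example.

```shell
#!/bin/sh
# Added example: refuse to flush and reload when ipf's parser complains.
# Assumption: `ipf -n -f FILE` parses the file exactly as a real load does
# and writes parser errors to stderr, without changing kernel rules.
# Usage (after sourcing this file): safe_reload /etc/ipf.rules

# Hypothetical override so the check can be exercised without ipf installed.
IPF_CMD="${IPF_CMD:-ipf}"

# check_rules FILE
# Returns 0 only if the dry run exits 0 AND prints nothing on stderr.
# The exit status alone is not trusted, because the report shows a rule
# being installed even though a syntax error was printed.
check_rules() {
    rules="$1"
    if [ ! -r "$rules" ]; then
        echo "cannot read rules file: $rules" >&2
        return 1
    fi
    # Keep stderr, discard stdout: only diagnostics matter here.
    diag=$("$IPF_CMD" -n -f "$rules" 2>&1 >/dev/null)
    status=$?
    if [ "$status" -ne 0 ] || [ -n "$diag" ]; then
        echo "refusing to load $rules, dry run reported:" >&2
        echo "$diag" >&2
        return 1
    fi
    return 0
}

# safe_reload FILE
# Flushes and loads (same invocation as in the report) only after a
# clean dry run, so the running rule set is left alone on any error.
safe_reload() {
    check_rules "$1" || return 1
    "$IPF_CMD" -F -a -f "$1"
}
```
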