>Number:         148885
>Category:       kern
>Synopsis:       ipfw netgraph ignores net.inet.ip.fw.one_pass
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 24 03:20:04 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Nickolay Dudorov
>Release:        8.1-RELEASE
>Organization:
STE Infoteka
>Environment:
FreeBSD nnd.itfs.nsk.su 8.1-RELEASE FreeBSD 8.1-RELEASE #5: Thu Jul 22 20:51:35 NOVST 2010     r...@nnd.itfs.nsk.su:/usr/obj/usr/src/sys/FINER8  amd64
>Description:
man ipfw says:
..
     netgraph cookie
             Divert packet into netgraph with given cookie.  The search
             terminates.  If packet is later returned from netgraph it is
             either accepted or continues with the next rule, depending on
             net.inet.ip.fw.one_pass sysctl variable.
..

but after the last massive changes in the ipfw implementation (March 23 2010)
packets continue with the next rule independently of the
net.inet.ip.fw.one_pass value.

The same holds for 'netgraph ngtee' rules.

The included patch corrects the problem.

The problem is present in CURRENT, RELENG_8 and 8.1-RELEASE.




>How-To-Repeat:
On a plain CURRENT or 8.1-RELEASE system with (say) an em0 interface
do:
================================================================
kldload netgraph
kldload ng_ipfw
kldload ng_ip_input

ngctl << EOF
mkpeer ipfw: ip_input 100 in
EOF

ipfw add 100 netgraph 100 all from any to any in recv em0
ipfw add 200 count log all from any to any in recv em0
================================================================

and you can see that all packets go through rules 100 and 200
independently of the net.inet.ip.fw.one_pass value.
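The procedure above, scripted so it is run once for each value of net.inet.ip.fw.one_pass and the rule counters are compared against the behaviour ipfw(8) documents. This is an added example and not part of the PR or of the FreeBSD sources. It assumes a FreeBSD host run as root, that $IFACE names the inbound interface (em0 as in the PR), that inbound traffic arrives on it during the $WAIT-second windows, that `ipfw -a list` prints lines of the form "<rulenum> <pkts> <bytes> <action ...>", that the kld module names are netgraph, ng_ipfw and ng_ip_input, and that `ngctl shutdown ipfw:100` is enough to remove the ng_ip_input peer it created:

```shell
#!/bin/sh
# Added example, not part of the PR: drives the How-To-Repeat above for both
# values of net.inet.ip.fw.one_pass and reports whether rule 200 still sees
# the packets that rule 100 handed to netgraph.
# Assumed: FreeBSD, run as root, $IFACE is the inbound interface (em0 as in
# the PR), $WAIT seconds of inbound traffic on it, kld module names netgraph /
# ng_ipfw / ng_ip_input, and `ipfw -a list` lines shaped like
# "<rulenum> <pkts> <bytes> <action ...>".

IFACE=${IFACE:-em0}
WAIT=${WAIT:-10}

# Packet counter of rule $2, taken from `ipfw -a list` text passed in $1.
# Pure text processing, so it can be checked against constructed output.
rule_pkts() {
    printf '%s\n' "$1" | awk -v r="$2" '$1 + 0 == r + 0 { print $2; exit }'
}

# ipfw(8) semantics for a packet returned from netgraph: with one_pass=1 it
# is accepted without visiting rule 200, with one_pass=0 it continues at
# rule 200.  Arguments: one_pass value, rule 100 packets, rule 200 packets.
verdict() {
    onepass=$1; pkts100=$2; pkts200=$3
    if [ "$pkts100" -eq 0 ]; then
        echo "no traffic"
    elif [ "$onepass" -eq 1 ]; then
        if [ "$pkts200" -eq 0 ]; then echo ok; else echo BUG; fi
    else
        if [ "$pkts200" -gt 0 ]; then echo ok; else echo BUG; fi
    fi
}

# Live procedure from the PR, run once per one_pass value.  Only executed
# when the script is invoked as `sh check_onepass.sh run` on a FreeBSD host.
repro() {
    for m in netgraph ng_ipfw ng_ip_input; do
        kldstat -q -m "$m" || kldload "$m"
    done
    # "ipfw:" is the ng_ipfw node; hook 100 is the cookie used by rule 100.
    ngctl mkpeer ipfw: ip_input 100 in
    ipfw add 100 netgraph 100 all from any to any in recv "$IFACE"
    ipfw add 200 count log all from any to any in recv "$IFACE"

    for v in 1 0; do
        sysctl net.inet.ip.fw.one_pass="$v"
        ipfw zero 100 200
        sleep "$WAIT"
        out=$(ipfw -a list)
        p100=$(rule_pkts "$out" 100)
        p200=$(rule_pkts "$out" 200)
        echo "one_pass=$v rule100=$p100 rule200=$p200: $(verdict "$v" "$p100" "$p200")"
    done

    ipfw delete 100 200
    ngctl shutdown ipfw:100     # assumed sufficient to drop the ng_ip_input peer
}

if [ "${1:-}" = run ]; then
    repro
fi
```

On an unpatched 8.1-RELEASE box the one_pass=1 line is expected to print BUG (rule 200 counts as many packets as rule 100); after the patch it should print ok while the one_pass=0 line still prints ok.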


>Fix:
Apply the included patch.

Patch attached with submission follows:

--- sys/netinet/ipfw/ip_fw2.c.orig      2010-07-24 09:25:28.000000000 +0700
+++ sys/netinet/ipfw/ip_fw2.c   2010-07-24 09:27:35.000000000 +0700
@@ -2084,6 +2084,8 @@
                                set_match(args, f_pos, chain);
                                args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) 
?
                                        tablearg : cmd->arg1;
+                               if (V_fw_one_pass)
+                                       args->rule.info |= IPFW_ONEPASS;
                                retval = (cmd->opcode == O_NETGRAPH) ?
                                    IP_FW_NETGRAPH : IP_FW_NGTEE;
                                l = 0;          /* exit inner loop */
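Review bot: the lone `?` between `args->rule.info = (cmd->arg1 == IP_FW_TABLEARG)` and `tablearg : cmd->arg1;` is a mail line wrap, not a source line, so this hunk will not apply with patch(1) as posted; resend with long lines preserved or as an attachment. On the change itself, `if (V_fw_one_pass) args->rule.info |= IPFW_ONEPASS;` samples the sysctl at match time and stores the result in the rule reference that travels with the packet, so a later change to net.inet.ip.fw.one_pass does not affect packets already handed to netgraph; a one-line comment saying that the return path reads this bit rather than the sysctl would make the intent clear to the next reader.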
--- sys/netgraph/ng_ipfw.c.orig 2010-07-24 09:24:51.000000000 +0700
+++ sys/netgraph/ng_ipfw.c      2010-07-24 09:23:54.000000000 +0700
@@ -287,7 +287,8 @@
                }
                r = (struct ipfw_rule_ref *)(tag + 1);
                *r = fwa->rule;
-               r->info = dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
+               r->info &= IPFW_ONEPASS;  /* keep this info */
+               r->info |= dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
                m_tag_prepend(m, tag);

        } else
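Review bot: `r->info &= IPFW_ONEPASS;` deliberately discards everything else ip_fw2.c stored in `info` (the cookie taken from `cmd->arg1` or tablearg) and keeps only the one-pass bit before the direction is OR-ed in; the comment `/* keep this info */` does not say that, so spell it out, e.g. `/* cookie no longer needed: keep only IPFW_ONEPASS, then add direction */`. This hunk is also the only place the return path can learn the setting, so the How-To-Repeat run with both sysctl values (rule 200's counter staying at zero with one_pass=1) is the check that the bit actually survives the round trip.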


>Release-Note:
>Audit-Trail:
>Unformatted: