Hello!
I've found a serious regression during the IPFW1->2 transition. I'm using
"recv any" construction to match transit packets only. Manpage ipfw(8) clearly
says:
recv | xmit | via {ifX | if* | ipno | any}
Matches packets received, transmitted or going through, respec-
tively, the interface specified by exact name (ifX), by device
name (if*), by IP address, or through some interface.
...........................................^^^^^^^^^^^^^^^^^^^^^^
A packet may not have a receive or transmit interface: packets
originating from the local host have no receive interface, while
packets destined for the local host have no transmit interface.
So the following rule must not match locally-originated packets, thus matching
only transit ones:
00001 0 0 count ip from any to any out recv any
However, after the transition to IPFW2 (RELENG_4; I have also tried RELENG_6 and
CURRENT - the results are the same) the "recv any" part just gets ignored, and
the rule starts to match all outgoing packets, not just transit ones:
[EMAIL PROTECTED] ipfw add 1 count ip from any to any out recv any
00001 count ip from any to any out
[EMAIL PROTECTED] ipfw show
00001 7 1932 count ip from any to any out
I've searched for "ipfw any" in our PR database and didn't find anything.
Is it a known issue? Is somebody working on it?
Sincerely, Dmitry
--
Atlantis ISP, System Administrator
e-mail: [EMAIL PROTECTED]
nic-hdl: LYNX-RIPE
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
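The semantics the manpage excerpt describes (recv/xmit/via against ifX, if*, ipno or any, with a missing interface matching nothing, not even "any") can be modelled in a few lines. The following is an added illustration, not code from the post or from FreeBSD; the interface names, addresses and packets are constructed for the example, and the parser only extracts the direction and interface options, ignoring the rest of the rule body. It shows why "out recv any" should count only forwarded packets, and what the count becomes once the "recv any" part is dropped as in the IPFW2 output above.

```python
"""
Model of ipfw(8)'s interface-matching options (recv / xmit / via) as described
in the manpage excerpt quoted in the mail.  Added illustration, not FreeBSD
code: interfaces, addresses and packets below are constructed for the example.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Iface:
    name: str                       # e.g. "em0"
    addrs: Tuple[str, ...] = ()     # addresses configured on the interface


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out"
    recv: Optional[Iface]           # None for locally-originated packets
    xmit: Optional[Iface]           # None for packets destined to the local host


@dataclass(frozen=True)
class Rule:
    direction: Optional[str] = None  # "in", "out" or None (either)
    recv: Optional[str] = None       # ifX | if* | ipno | any
    xmit: Optional[str] = None
    via: Optional[str] = None


def parse_rule(text: str) -> Rule:
    """Pick in/out and recv/xmit/via options out of an ipfw rule body.
    Action, protocol and addresses are ignored in this model."""
    toks = text.split()
    kw = {}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            kw["direction"] = t
        elif t in ("recv", "xmit", "via"):
            if i + 1 >= len(toks):
                raise ValueError(f"'{t}' needs an interface argument")
            kw[t] = toks[i + 1]
            i += 1
        i += 1
    return Rule(**kw)


def iface_matches(iface: Optional[Iface], spec: str) -> bool:
    """Match one interface slot against ifX / if* / ipno / any.
    An empty slot (no interface) matches nothing, not even 'any'."""
    if iface is None:
        return False
    if spec == "any":
        return True
    try:
        ip_address(spec)                 # ipno form
    except ValueError:
        if spec.endswith("*"):           # if* device-name glob
            return fnmatchcase(iface.name, spec)
        return iface.name == spec        # ifX exact name
    return spec in iface.addrs


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction is not None and pkt.direction != rule.direction:
        return False
    if rule.recv is not None and not iface_matches(pkt.recv, rule.recv):
        return False
    if rule.xmit is not None and not iface_matches(pkt.xmit, rule.xmit):
        return False
    if rule.via is not None and not (iface_matches(pkt.recv, rule.via)
                                     or iface_matches(pkt.xmit, rule.via)):
        return False
    return True


def count_matches(rule_text: str, packets: Iterable[Packet]) -> int:
    """Like a 'count' rule: how many of the packets the rule body matches."""
    rule = parse_rule(rule_text)
    return sum(1 for p in packets if rule_matches(rule, p))


# Constructed traffic sample: one local-out, two forwarded, one local-in packet
EM0 = Iface("em0", ("192.0.2.1",))
EM1 = Iface("em1", ("198.51.100.1",))
SAMPLE = (
    Packet("out", None, EM0),   # originated on this host
    Packet("out", EM1, EM0),    # forwarded em1 -> em0
    Packet("out", EM0, EM1),    # forwarded em0 -> em1
    Packet("in", EM0, None),    # destined for this host
)

if __name__ == "__main__":
    print(count_matches("count ip from any to any out recv any", SAMPLE))  # 2
    print(count_matches("count ip from any to any out", SAMPLE))           # 3
```

The first call is the rule as intended: only the two forwarded packets have a receive interface, so only they are counted. The second call is the rule as IPFW2 printed it back, with "recv any" gone, and it also counts the locally-originated packet, which is exactly the difference the mail reports.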