From edwin@mavetju.org  Sat May  3 06:31:06 2008
Return-Path: <edwin@mavetju.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D66481065676
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  3 May 2008 06:31:06 +0000 (UTC)
	(envelope-from edwin@mavetju.org)
Received: from mail5out.barnet.com.au (mail5.barnet.com.au [202.83.178.78])
	by mx1.freebsd.org (Postfix) with ESMTP id A0E8C8FC15
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  3 May 2008 06:31:06 +0000 (UTC)
	(envelope-from edwin@mavetju.org)
Received: by mail5out.barnet.com.au (Postfix, from userid 1001)
	id D70C32218A25; Sat,  3 May 2008 16:31:05 +1000 (EST)
Received: from mail5auth.barnet.com.au (mail5.barnet.com.au [202.83.178.78])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mail5auth.barnet.com.au", Issuer "*.barnet.com.au" (verified OK))
	by mail5.barnet.com.au (Postfix) with ESMTP id 8DF8C21B2BC0
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  3 May 2008 16:31:05 +1000 (EST)
Received: from k7.mavetju (k7.mavetju.org [10.251.1.18])
	by mail5auth.barnet.com.au (Postfix) with ESMTP id 37C5A2218804
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  3 May 2008 16:31:05 +1000 (EST)
Received: by k7.mavetju (Postfix, from userid 1001)
	id 0C52F31A; Sat,  3 May 2008 16:31:05 +1000 (EST)
Message-Id: <20080503063105.0C52F31A@k7.mavetju>
Date: Sat,  3 May 2008 16:31:05 +1000 (EST)
From: Edwin Groothuis <edwin@mavetju.org>
Reply-To: Edwin Groothuis <edwin@mavetju.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [ipfw] ipfw add 1000 allow IP from any to any doesn't work
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         123358
>Category:       kern
>Synopsis:       [ipfw] ipfw add 1000 allow IP from any to any doesn't work
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          analyzed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 03 06:40:00 UTC 2008
>Closed-Date:    
>Last-Modified:  Sun May 11 21:31:45 UTC 2008
>Originator:     Edwin Groothuis
>Release:        FreeBSD 6.3-RELEASE i386
>Organization:
-
>Environment:
System: FreeBSD k7.mavetju 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Sun Feb 17 22:11:52 EST 2008 edwin@k7.mavetju:/usr/src/sys/i386/compile/SMP i386

>Description:

Loading an ipfw rule with "IP" instead of "ip" will enter the rule
properly in the list, but it never gets matched.

>How-To-Repeat:

    [/home/edwin] root@k7>ipfw add 100 allow IP from any to any
    00100 allow ip from any to any
    [/home/edwin] root@k7>ipfw add 100 allow ip from any to any
    00100 allow ip from any to any

    [/home/edwin] root@k7>ipfw -a list
    00100   0      0 allow ip from any to any
    00100 922 168617 allow ip from any to any
    65535 182  20023 deny ip from any to any

The first entry should be increasing, not the second.

>Fix:

>Release-Note:
>Audit-Trail:

From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Edwin Groothuis <edwin@mavetju.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org,
        Julian Elischer <julian@elischer.org>
Subject: Re: kern/123358: [ipfw] ipfw add 1000 allow IP from any to any doesn't
        work
Date: Sun, 04 May 2008 08:39:57 +0400

 Edwin Groothuis wrote:
 > Loading an ipfw rule with "IP" instead of "ip" will enter the rule
 > properly in the list, but it never gets matched.
 > 
 >> How-To-Repeat:
 > 
 >     [/home/edwin] root@k7>ipfw add 100 allow IP from any to any
 >     00100 allow ip from any to any
 >     [/home/edwin] root@k7>ipfw add 100 allow ip from any to any
 >     00100 allow ip from any to any
 > 
 >     [/home/edwin] root@k7>ipfw -a list
 >     00100   0      0 allow ip from any to any
 >     00100 922 168617 allow ip from any to any
 >     65535 182  20023 deny ip from any to any
 > 
 > The first entry should be increasing, not the second.
 
 Yes. When you are using "ip" or "all" as the protocol,
 ipfw(8) doesn't make an internal opcode and ipfw(9) matches
 any packet. When you are using "IP" (the parser is case sensitive),
 ipfw(8) makes an O_PROTO opcode and ipfw(9) matches it
 against the layer 3 protocol number.
 I don't know what the best way to fix this problem is.
 I see three ways:
 1. Don't do anything.
 2. Make the manual better (sorry, I'm not a native English
 speaker, so I can't).
 3. Add a quirk to the ipfw(8) add_proto0 function, something
 similar to:
 --- src/sbin/ipfw/ipfw2.c       27 Feb 2008 13:52:33 -0000      1.118
 +++ src/sbin/ipfw/ipfw2.c       4 May 2008 04:38:24 -0000
 @@ -4580,6 +4580,11 @@ add_proto0(ipfw_insn *cmd, char *av, u_c
          if (*ep != '\0' || proto <= 0) {
                  if ((pe = getprotobyname(av)) == NULL)
                          return NULL;
 +
 +               /* Is it an IP proto? */
 +               if (pr->p_proto == 0)
 +                       return (0);
 +
                  proto = pe->p_proto;
          }
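Review bot: the added check dereferences `pr`, but the protoent returned by `getprotobyname(av)` two lines above is stored in `pe`, so this hunk will not compile as posted; it should read `if (pe->p_proto == 0)`. A second problem is that `return (0)` hands the caller exactly the same value as the `return NULL` on the lookup-failure path, so a rule written with "IP" would be rejected like an unknown protocol name instead of being compiled as match-anything the way "ip"/"all" are; if the goal is option 3, add_proto0 needs to signal "emit no O_PROTO opcode" distinctly from "bad protocol". A short comment explaining why 0 is special (getprotobyname resolves the /etc/protocols alias "IP" to the pseudo-protocol number 0) would also help the next reader.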
 
 -- 
 WBR, Andrey V. Elsukov
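Andrey's explanation above, turned into an added example that is not ipfw's own code: a constructed protocol table stands in for getprotobyname(3), compile_proto mirrors the "ip"/"all" special case versus the O_PROTO path, and the quirk flag is an assumed fix that treats protocol number 0 as "any" (my assumption, not the patch posted in the thread).

```c
/* Added example, not ipfw's own code: a model of how ipfw(8) turns the
 * protocol word of a rule into a match opcode.  prototab is a constructed
 * stand-in for getprotobyname(3): "IP" is the /etc/protocols alias of "ip", number 0. */
#include <string.h>
enum { O_NOP, O_PROTO };            /* O_PROTO is the opcode named in the thread */
struct insn { int opcode; int arg1; };

static const struct { const char *name; int proto; } prototab[] = {
    { "ip", 0 }, { "IP", 0 }, { "icmp", 1 }, { "tcp", 6 }, { "TCP", 6 }, { "udp", 17 },
};

/* Case-sensitive lookup like getprotobyname(3); -1 when the name is unknown. */
static int lookup_proto(const char *av) {
    for (size_t i = 0; i < sizeof prototab / sizeof prototab[0]; i++)
        if (strcmp(av, prototab[i].name) == 0)
            return prototab[i].proto;
    return -1;
}

/* Mirrors the add_proto()/add_proto0() split: "ip" and "all" emit no opcode,
 * anything else becomes O_PROTO <number>.  With quirk set, number 0 is also
 * treated as "any" (an assumed fix, not the patch posted in the thread). */
static int compile_proto(const char *av, struct insn *cmd, int quirk) {
    if (strcmp(av, "ip") == 0 || strcmp(av, "all") == 0) {
        cmd->opcode = O_NOP;
        return 1;
    }
    int proto = lookup_proto(av);
    if (proto < 0)
        return 0;                                  /* unknown protocol name */
    cmd->opcode = (quirk && proto == 0) ? O_NOP : O_PROTO;
    cmd->arg1 = proto;
    return 1;
}

/* The check ipfw(9) applies to one packet's layer 3 protocol number. */
static int matches(const struct insn *cmd, int pkt_proto) {
    return cmd->opcode == O_NOP || cmd->arg1 == pkt_proto;
}

/* 1 if a rule written with proto_word matches a packet carrying pkt_proto,
 * 0 if it never will, -1 if the word does not parse at all. */
int rule_matches(const char *proto_word, int pkt_proto, int quirk) {
    struct insn cmd = { O_NOP, 0 };
    if (!compile_proto(proto_word, &cmd, quirk))
        return -1;
    return matches(&cmd, pkt_proto);
}
```

Note that a listing cannot tell the two rules apart (both print as "ip"); only the zero packet counter in `ipfw -a list` reveals the dead rule.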
State-Changed-From-To: open->analyzed 
State-Changed-By: vwe 
State-Changed-When: Sun May 11 21:30:56 UTC 2008 
State-Changed-Why:  

Andrey gave a good explanation - the issue seems to be clear

http://www.freebsd.org/cgi/query-pr.cgi?pr=123358 
>Unformatted:
