Message-Id: <200811232154.mANLsM6q065142@www.freebsd.org>
Date: Sun, 23 Nov 2008 21:54:22 GMT
From: Eugen Konkov <kes-kes@yandex.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: IPFW check state does not work =(
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         129103
>Category:       kern
>Synopsis:       [ipfw] IPFW check state does not work =(
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 23 22:00:05 UTC 2008
>Closed-Date:    Tue Jun 21 13:06:19 UTC 2011
>Last-Modified:  Tue Jun 21 13:06:19 UTC 2011
>Originator:     Eugen Konkov
>Release:        7.1-PRERELEASE
>Organization:
ISP Konkov
>Environment:
FreeBSD home.kes.net.ua 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #: Sun Nov 23 17:19:12 EET 2008     kes@home.kes.net.ua:/usr/obj/usr/src/sys/KES_KERN_v7  i386

>Description:
home# ipfw -de show
00001    0      0 check-state
00002    6    360 count log icmp from any to any via ng0
00003    5    300 prob 0.500000 skipto 6 log icmp from any to any via ng0
00004    8    480 skipto 5 log icmp from any to any via ng0 keep-state
00005    3    180 skipto 10 log icmp from any to any via ng0
00006    3    180 skipto 7 log icmp from any to any via ng0 keep-state
00007    3    180 count log icmp from any to any via ng0
00010    6    360 count log icmp from any to any via ng0
00099   47   2924 nat 1 ip from any to any via ng0
00100   12   2036 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
10000 1341 231865 allow ip from any to any
65535    0      0 deny ip from any to any
## Dynamic rules (2):
00004    7    420 (0s) STATE icmp 192.168.9.4 0 <-> 213.180.204.8 0
00006    2    120 (0s) STATE icmp 213.180.204.8 0 <-> 91.124.239.145 0

Why 5 packets for rule 3 and 8 packets for rule 4?

cat security
Nov 23 23:18:39 home kernel: ipfw: 2 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:39 home kernel: ipfw: 4 SkipTo 5 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:39 home kernel: ipfw: 5 SkipTo 10 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:39 home kernel: ipfw: 10 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:39 home kernel: ipfw: 2 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:39 home kernel: ipfw: 3 SkipTo 6 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:39 home kernel: ipfw: 6 SkipTo 7 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:39 home kernel: ipfw: 7 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:39 home kernel: ipfw: 10 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:39 home kernel: ipfw: 4 SkipTo 5 ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1
Nov 23 23:18:40 home kernel: ipfw: 4 SkipTo 5 ICMP:8.0 192.168.9.4 213.180.204.8 in via ng1
Nov 23 23:18:40 home kernel: ipfw: 2 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:40 home kernel: ipfw: 3 SkipTo 6 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:40 home kernel: ipfw: 4 SkipTo 5 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:40 home kernel: ipfw: 5 SkipTo 10 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:40 home kernel: ipfw: 10 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:40 home kernel: ipfw: 2 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:40 home kernel: ipfw: 3 SkipTo 6 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:40 home kernel: ipfw: 6 SkipTo 7 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:40 home kernel: ipfw: 7 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:40 home kernel: ipfw: 10 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:40 home kernel: ipfw: 4 SkipTo 5 ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1
Nov 23 23:18:41 home kernel: ipfw: 4 SkipTo 5 ICMP:8.0 192.168.9.4 213.180.204.8 in via ng1
Nov 23 23:18:41 home kernel: ipfw: 2 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:41 home kernel: ipfw: 3 SkipTo 6 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:41 home kernel: ipfw: 4 SkipTo 5 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:41 home kernel: ipfw: 5 SkipTo 10 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:41 home kernel: ipfw: 10 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
Nov 23 23:18:42 home kernel: ipfw: 2 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:42 home kernel: ipfw: 3 SkipTo 6 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:42 home kernel: ipfw: 6 SkipTo 7 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:42 home kernel: ipfw: 7 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:42 home kernel: ipfw: 10 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
Nov 23 23:18:42 home kernel: ipfw: 4 SkipTo 5 ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1

Why do I see traffic for the ng1 interface in the log while rule 1 is not invoked?

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:

From: KES <kes-kes@yandex.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: freebsd-bugs@FreeBSD.org
Subject: Re[2]: kern/129103: IPFW check state does not work =(
Date: Mon, 24 Nov 2008 00:34:43 +0200

 with
 ipfw add 1 check-state log
 
 Nov 24 00:28:40 home kernel: ipfw: 1 UNKNOWN ICMP:8.0 192.168.9.4 213.180.204.8 in via ng1
 Nov 24 00:28:40 home kernel: ipfw: 1 UNKNOWN ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:40 home kernel: ipfw: 2 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:40 home kernel: ipfw: 3 SkipTo 6 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:40 home kernel: ipfw: 6 SkipTo 7 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:40 home kernel: ipfw: 7 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:40 home kernel: ipfw: 10 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:40 home kernel: ipfw: 1 UNKNOWN ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:40 home kernel: ipfw: 2 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:40 home kernel: ipfw: 4 SkipTo 5 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:40 home kernel: ipfw: 5 SkipTo 10 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:40 home kernel: ipfw: 10 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:40 home kernel: ipfw: 1 UNKNOWN ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1
 Nov 24 00:28:40 home kernel: ipfw: 6 SkipTo 7 ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1
 Nov 24 00:28:41 home kernel: ipfw: 1 UNKNOWN ICMP:8.0 192.168.9.4 213.180.204.8 in via ng1
 Nov 24 00:28:41 home kernel: ipfw: 6 SkipTo 7 ICMP:8.0 192.168.9.4 213.180.204.8 in via ng1
 Nov 24 00:28:41 home kernel: ipfw: 1 UNKNOWN ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:41 home kernel: ipfw: 6 SkipTo 7 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:41 home kernel: ipfw: 7 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:41 home kernel: ipfw: 10 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:41 home kernel: ipfw: 1 UNKNOWN ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:41 home kernel: ipfw: 4 SkipTo 5 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:41 home kernel: ipfw: 5 SkipTo 10 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:41 home kernel: ipfw: 10 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:41 home kernel: ipfw: 1 UNKNOWN ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1
 Nov 24 00:28:41 home kernel: ipfw: 6 SkipTo 7 ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1
 Nov 24 00:28:42 home kernel: ipfw: 1 UNKNOWN ICMP:8.0 192.168.9.4 213.180.204.8 in via ng1
 Nov 24 00:28:42 home kernel: ipfw: 6 SkipTo 7 ICMP:8.0 192.168.9.4 213.180.204.8 in via ng1
 Nov 24 00:28:42 home kernel: ipfw: 1 UNKNOWN ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:42 home kernel: ipfw: 6 SkipTo 7 ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:42 home kernel: ipfw: 7 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:42 home kernel: ipfw: 10 Count ICMP:8.0 192.168.9.4 213.180.204.8 out via ng0
 Nov 24 00:28:42 home kernel: ipfw: 1 UNKNOWN ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:42 home kernel: ipfw: 4 SkipTo 5 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:42 home kernel: ipfw: 5 SkipTo 10 ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:42 home kernel: ipfw: 10 Count ICMP:0.0 213.180.204.8 91.124.239.145 in via ng0
 Nov 24 00:28:42 home kernel: ipfw: 1 UNKNOWN ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1
 Nov 24 00:28:42 home kernel: ipfw: 6 SkipTo 7 ICMP:0.0 213.180.204.8 192.168.9.4 out via ng1
 
 00001    0      0 check-state log
 The counter does not count, so check-state does not work, does it?
 
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Nov 23 23:42:11 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129103 

From: Ian Smith <smithi@nimnet.asn.au>
To: bug-followup@FreeBSD.org, kes-kes@yandex.ru
Cc:  
Subject: Re: kern/129103: [ipfw] IPFW check state does not work =(
Date: Tue, 14 Apr 2009 00:01:07 +1000

 I believe that I've demonstrated in especially the second of the below
 posts to freebsd-ipfw that no error is shown by these logs, and that
 despite the submitter wishing check-state and keep-state rules reported
 differently than they do, this PR is really more a feature request which
 if not closed, should be labelled as such.
 
 I admit to some remaining confusion re this data in my first post:
 
 http://lists.freebsd.org/pipermail/freebsd-ipfw/2008-November/003689.html
 
 to which Eugen replied privately with less ambiguous data, quoted within
 
 http://lists.freebsd.org/pipermail/freebsd-ipfw/2008-November/003693.html
 
 Ian
State-Changed-From-To: open->closed 
State-Changed-By: ae 
State-Changed-When: Tue Jun 21 12:50:36 UTC 2011 
State-Changed-Why:  
The check-state action does not have a body. It does a lookup of 
the state table and executes the action of the rule which 
generated the dynamic rule. So, if some dynamic rule is 
found, then its counters will be updated. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=129103 
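
Added illustration, not part of the PR or of the ipfw sources: a simplified Python model of the lookup described in the closing note, where a state hit at check-state bumps the dynamic rule's counter and runs the parent rule's action, so rule 1 itself stays at 0 and rule 4 is reported for ng1 traffic. The ruleset is constructed from the PR's (prob and nat rules omitted), the trace records every executed action rather than only rules with log, and updating the parent's static counter on a state hit is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    num: int
    action: str            # "check-state", "count", "skipto" or "allow"
    via: str = ""          # interface the rule body matches; "" means any
    target: int = 0        # skipto destination rule number
    keep_state: bool = False
    pkts: int = 0          # static counter, as printed by `ipfw show`

def evaluate(rules, states, pkt):
    """Run one packet through the rules; return the rule numbers whose action ran.
    states maps a direction-independent flow key to [parent Rule, hit counter]."""
    key = frozenset((pkt["src"], pkt["dst"]))
    trace, i = [], 0
    while i < len(rules):
        r = rules[i]
        if r.action == "check-state":
            st = states.get(key)
            if st is None:              # no state: fall through to the next rule
                i += 1
                continue
            st[1] += 1                  # the dynamic rule's counter moves, not rule 1's
            r = st[0]                   # run the parent's action, skipping its body
        elif r.via and r.via != pkt["via"]:
            i += 1                      # rule body does not match this interface
            continue
        elif r.keep_state:
            states.setdefault(key, [r, 0])   # first match installs the state
        r.pkts += 1
        trace.append(r.num)
        if r.action == "allow":
            break
        nxt = r.target if r.action == "skipto" else r.num + 1
        i = next((j for j, x in enumerate(rules) if x.num >= nxt), len(rules))
    return trace

def demo():
    # Constructed ruleset modelled on the PR (prob and nat rules left out).
    rules = [Rule(1, "check-state"), Rule(2, "count", "ng0"),
             Rule(4, "skipto", "ng0", 5, keep_state=True),
             Rule(5, "skipto", "ng0", 10), Rule(10, "count", "ng0"),
             Rule(10000, "allow")]
    states = {}
    req = {"src": "192.168.9.4", "dst": "213.180.204.8"}   # echo request
    rep = {"src": "213.180.204.8", "dst": "192.168.9.4"}   # echo reply
    hops = [dict(req, via="ng1"), dict(req, via="ng0"),
            dict(rep, via="ng0"), dict(rep, via="ng1")]
    traces = [evaluate(rules, states, p) for p in hops]
    return traces, {r.num: r.pkts for r in rules}, [s[1] for s in states.values()]
```

In the last hop the reply leaves via ng1, yet the trace starts with rule 4: the state lookup bypasses that rule's "via ng0" body and runs only its skipto action.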
>Unformatted:
