Message-Id: <200902101234.n1ACYsRT046326@www.freebsd.org>
Date: Tue, 10 Feb 2009 12:34:54 GMT
From: Borja Marcos <borjam@sarenet.es>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Inconsistent "via" ipfw behavior
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         131558
>Category:       kern
>Synopsis:       [ipfw] Inconsistent "via" ipfw behavior
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 10 12:40:00 UTC 2009
>Closed-Date:    Sat Jul 02 20:50:03 UTC 2011
>Last-Modified:  Sat Jul 02 20:50:03 UTC 2011
>Originator:     Borja Marcos
>Release:        7.1
>Organization:
>Environment:
FreeBSD host.sare.net 7.1-RELEASE-p1 FreeBSD 7.1-RELEASE-p1 #8: Mon Jan 12 11:23:00 GMT 2009     root@host.sare.net:/usr/obj/usr/src/sys/KERNEL  amd64


>Description:
Two issues with ipfw.

1) It would be very useful to allow an interface list to be passed as a parameter to the "via" rule option, something like

ipfw add deny whatever from this to that via interface,anotherinterface

It would be useful and consistent with the possibility of specifying a list of IP addresses separated by commas.

2) There is actually a bug. If I try to specify a rule with multiple interfaces, say,
ipfw add 10 deny icmp from any to me in via bge0,bge1

ipfw doesn't return an error, "ipfw list" shows that the rule has been loaded as expected,
00010 deny icmp from any to me in via bge0,bge1

But the rule doesn't work. Maybe it would interpret the interfaces list as an AND list, instead of an OR?



>How-To-Repeat:
See the example. Creating a rule that specifies a list of interfaces in the "via" option of the ipfw command.

It can be seen that the rule is accepted but it doesn't work.


>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Tue Feb 10 13:44:03 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s).  I get the feeling this may be a kernel bug 
rather than a userspace bug, reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=131558 
State-Changed-From-To: open->closed 
State-Changed-By: ae 
State-Changed-When: Sat Jul 2 20:44:50 UTC 2011 
State-Changed-Why:  
This is documented behaviour. ipfw(8) does not check interface names, because 
they may be created dynamically. 
The "via" rule option does not support a list of interfaces. You can use shell 
patterns like "via bge*" or the or-block syntax "{ via bge0 or via bge1 }". 

http://www.freebsd.org/cgi/query-pr.cgi?pr=131558 
>Unformatted:
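
The audit trail above explains why "via bge0,bge1" loads without error yet never matches: ipfw(8) does not check interface names. The following is an added example (not part of the PR or of ipfw) of a pre-load check that flags such rules and rewrites them to the or-block form; the function names and the one-rule-per-line input are assumptions, and the sample ruleset is constructed around the rule from the report.

```shell
#!/bin/sh
# Added example, not part of the PR or of ipfw.
# Assumption: each rule is one line holding the arguments given to "ipfw".

# has_via_list RULE: exit 0 if "via" is followed by a comma-separated list.
has_via_list() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
              if ($i == "via" && $(i + 1) ~ /,/) found = 1 }
        END { exit !found }'
}

# fix_via_list RULE: print RULE with each such list expanded to an or-block.
fix_via_list() {
    printf '%s\n' "$1" | awk '
        { out = ""
          for (i = 1; i <= NF; i++) {
              tok = $i
              if ($i == "via" && i < NF && $(i + 1) ~ /,/) {
                  n = split($(i + 1), ifs, ",")
                  tok = "{"
                  for (j = 1; j <= n; j++)
                      if (ifs[j] != "")
                          tok = tok (tok == "{" ? " " : " or ") "via " ifs[j]
                  tok = tok " }"
                  i++          # skip the list token that was just expanded
              }
              out = out (out == "" ? "" : " ") tok
          }
          print out }'
}

# Constructed sample ruleset; the first rule is the one from the report.
while IFS= read -r rule; do
    if has_via_list "$rule"; then
        echo "BAD: $rule"
        echo "FIX: $(fix_via_list "$rule")"
    fi
done <<'EOF'
add 10 deny icmp from any to me in via bge0,bge1
add 20 allow tcp from any to me 22 in via bge0
add 30 deny ip from any to any via bge*
EOF
```

Only the first sample rule is reported; the single-interface rule and the "bge*" pattern pass through unchanged.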
