From eugen@grosbein.pp.ru  Wed Feb 18 15:40:49 2009
Message-Id: <200902181510.n1IFAQGj001547@grosbein.pp.ru>
Date: Wed, 18 Feb 2009 22:10:26 +0700 (KRAT)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
Reply-To: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ipfw blocks layer2 packets that should not be blocked
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         131817
>Category:       kern
>Synopsis:       [ipfw] blocks layer2 packets that should not be blocked
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 18 15:50:00 UTC 2009
>Closed-Date:    Wed Aug 03 04:29:13 UTC 2011
>Last-Modified:  Wed Aug  3 04:30:17 UTC 2011
>Originator:     Eugene Grosbein
>Release:        FreeBSD 7.1-STABLE i386
>Organization:
Svyaz-Service
>Environment:
System: FreeBSD grosbein.pp.ru 7.1-STABLE FreeBSD 7.1-STABLE #13: Tue Feb 17 20:11:39 KRAT 2009 eu@grosbein.pp.ru:/usr/local/obj/usr/local/src/sys/DADV i386

>Description:
	
	The rule:

ipfw add 1000 deny ip from any to any out recv fxp0 xmit fxp0

	blocks outgoing ARP replies on the interface fxp0
	if sysctl net.link.ether.ipfw is set to 1.

	An ARP reply is not a transit packet received from fxp0 and
	must not be blocked in this case. This is a serious bug
	and it has existed in ipfw2 since RELENG_4.
	
>How-To-Repeat:
	See above.

>Fix:

	Unknown.


Eugene Grosbein
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: gavin 
Responsible-Changed-When: Wed Feb 18 21:01:17 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s).  To submitter: FWIW, I agree that this 
does seem like incorrect behaviour.  I usually work around it 
with the following additional rule: 

ipfw add 10 allow ip from any to any layer2 mac-type arp 


http://www.freebsd.org/cgi/query-pr.cgi?pr=131817 

From: "Andrey V. Elsukov" <ae@FreeBSD.org>
To: bug-followup@FreeBSD.org, eugen@grosbein.pp.ru
Cc:  
Subject: Re: kern/131817: [ipfw] blocks layer2 packets that should not be
 blocked
Date: Fri, 01 Jul 2011 12:56:14 +0400

 Hi, Eugene
 
 can you test this patch?
 
 -- 
 WBR, Andrey V. Elsukov
 
 
 Index: head/sys/netinet/if_ether.c
 ===================================================================
 --- head/sys/netinet/if_ether.c	(revision 223705)
 +++ head/sys/netinet/if_ether.c	(working copy)
 @@ -857,6 +857,7 @@ reply:
  	ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */
  	m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln);   
  	m->m_pkthdr.len = m->m_len;   
 +	m->m_pkthdr.rcvif = NULL;
  	sa.sa_family = AF_ARP;
  	sa.sa_len = 2;
  	(*ifp->if_output)(ifp, m, &sa, NULL);
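
Review bot: the added `m->m_pkthdr.rcvif = NULL;` just above `sa.sa_family = AF_ARP;` has no comment, and nothing in the hunk says why a packet about to be handed to `if_output` would still carry a receive interface. Add a one-line comment at that assignment, for example `/* mbuf is reused from the request; clear rcvif so the reply is not treated as received on ifp */`, so the line is not later removed as a no-op.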
 
State-Changed-From-To: open->feedback 
State-Changed-By: ae 
State-Changed-When: Fri Jul 1 09:04:38 UTC 2011 
State-Changed-Why:  
Feedback requested. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=131817 

From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: bug-followup@FreeBSD.ORG
Cc:  
Subject: Re: kern/131817: [ipfw] blocks layer2 packets that should not be
 blocked
Date: Mon, 04 Jul 2011 04:12:46 +0700

 01.07.2011 16:04, ae@FreeBSD.org :
 > Synopsis: [ipfw] blocks layer2 packets that should not be blocked
 > 
 > State-Changed-From-To: open->feedback
 > State-Changed-By: ae
 > State-Changed-When: Fri Jul 1 09:04:38 UTC 2011
 > State-Changed-Why: 
 > Feedback requested.
 > 
 > http://www.freebsd.org/cgi/query-pr.cgi?pr=131817
 
 Your patch works, thanks!
 
 Eugene Grosbein
State-Changed-From-To: feedback->patched 
State-Changed-By: ae 
State-Changed-When: Mon Jul 4 05:48:49 UTC 2011 
State-Changed-Why:  
Patched in head/. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=131817 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/131817: commit references a PR
Date: Mon,  4 Jul 2011 05:48:00 +0000 (UTC)

 Author: ae
 Date: Mon Jul  4 05:47:48 2011
 New Revision: 223753
 URL: http://svn.freebsd.org/changeset/base/223753
 
 Log:
   ARP code reuses mbuf from ARP request to make a reply, but it does not
   reset rcvif to NULL. Since rcvif is not NULL, ipfw(4) supposes that ARP
   replies were received on specified interface.
   Reset rcvif to NULL for ARP replies to fix this issue.
   
   PR:		kern/131817
   Reviewed by:	glebius
   MFC after:	1 month
 
 Modified:
   head/sys/netinet/if_ether.c
 
 Modified: head/sys/netinet/if_ether.c
 ==============================================================================
 --- head/sys/netinet/if_ether.c	Mon Jul  4 03:19:06 2011	(r223752)
 +++ head/sys/netinet/if_ether.c	Mon Jul  4 05:47:48 2011	(r223753)
 @@ -857,6 +857,7 @@ reply:
  	ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */
  	m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln);   
  	m->m_pkthdr.len = m->m_len;   
 +	m->m_pkthdr.rcvif = NULL;
  	sa.sa_family = AF_ARP;
  	sa.sa_len = 2;
  	(*ifp->if_output)(ifp, m, &sa, NULL);
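
Review bot: no regression check accompanies the new `m->m_pkthdr.rcvif = NULL;` at `reply:`, and the only verification on record is the submitter's manual test. Capture the PR's reproduction as a test: with net.link.ether.ipfw set to 1 and the rule `deny ip from any to any out recv fxp0 xmit fxp0` loaded, ARP replies leaving fxp0 must pass, while a packet actually received on fxp0 and forwarded back out fxp0 must still hit the rule.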
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
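
The mechanism described in the commit log above, as an added user-space model in C (not FreeBSD kernel code and not part of the original PR). The structs and the functions `match_out_recv_xmit`, `arp_make_reply` and `reply_denied` are hypothetical stand-ins, and the matcher assumes that a `recv` option cannot match a packet whose rcvif is NULL.

```c
/* Added illustration: user-space model, not FreeBSD kernel code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct ifnet { const char *name; };       /* stand-in for struct ifnet */
struct pkthdr { struct ifnet *rcvif; };   /* only the field the PR is about */
struct mbuf { struct pkthdr m_pkthdr; };

/* Model of "out recv R xmit X". Assumption: a packet with no receive
 * interface (locally originated) can never satisfy the recv option. */
static int
match_out_recv_xmit(const struct mbuf *m, const struct ifnet *oif,
    const char *recv, const char *xmit)
{
	if (m->m_pkthdr.rcvif == NULL)
		return (0);
	return (strcmp(m->m_pkthdr.rcvif->name, recv) == 0 &&
	    strcmp(oif->name, xmit) == 0);
}

/* Model of the reply: path: the request mbuf itself becomes the reply.
 * reset_rcvif = 0 is the behaviour before r223753, 1 the behaviour after. */
static struct mbuf *
arp_make_reply(struct mbuf *request, int reset_rcvif)
{
	if (reset_rcvif)
		request->m_pkthdr.rcvif = NULL;
	return (request);
}

/* 1 if "deny ip from any to any out recv fxp0 xmit fxp0" drops the reply. */
static int
reply_denied(int reset_rcvif)
{
	struct ifnet fxp0 = { "fxp0" };
	struct mbuf req = { { &fxp0 } };      /* constructed: request arrived on fxp0 */
	struct mbuf *reply = arp_make_reply(&req, reset_rcvif);

	return (match_out_recv_xmit(reply, &fxp0, "fxp0", "fxp0"));
}

int
main(void)
{
	printf("before fix: denied=%d\n", reply_denied(0));
	printf("after fix:  denied=%d\n", reply_denied(1));
	return (0);
}
```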
 
State-Changed-From-To: patched->closed 
State-Changed-By: ae 
State-Changed-When: Wed Aug 3 04:28:48 UTC 2011 
State-Changed-Why:  
Merged to stable/7 and stable/8. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=131817 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/131817: commit references a PR
Date: Wed,  3 Aug 2011 04:28:06 +0000 (UTC)

 Author: ae
 Date: Wed Aug  3 04:27:47 2011
 New Revision: 224622
 URL: http://svn.freebsd.org/changeset/base/224622
 
 Log:
   MFC r223753:
     ARP code reuses mbuf from ARP request to make a reply, but it does not
     reset rcvif to NULL. Since rcvif is not NULL, ipfw(4) supposes that ARP
     replies were received on specified interface.
     Reset rcvif to NULL for ARP replies to fix this issue.
   
     PR:		kern/131817
 
 Modified:
   stable/8/sys/netinet/if_ether.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet/if_ether.c
 ==============================================================================
 --- stable/8/sys/netinet/if_ether.c	Wed Aug  3 03:52:15 2011	(r224621)
 +++ stable/8/sys/netinet/if_ether.c	Wed Aug  3 04:27:47 2011	(r224622)
 @@ -843,6 +843,7 @@ reply:
  	ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */
  	m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln);   
  	m->m_pkthdr.len = m->m_len;   
 +	m->m_pkthdr.rcvif = NULL;
  	sa.sa_family = AF_ARP;
  	sa.sa_len = 2;
  	(*ifp->if_output)(ifp, m, &sa, NULL);
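
Review bot: the two context lines directly above the added assignment (`m->m_len = ...` and `m->m_pkthdr.len = m->m_len;`) end in trailing whitespace. The new line is clean; leave those two untouched in this merge so it stays a one-line diff against r223753, and pick up the whitespace in a separate style commit.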
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/131817: commit references a PR
Date: Wed,  3 Aug 2011 04:28:24 +0000 (UTC)

 Author: ae
 Date: Wed Aug  3 04:28:16 2011
 New Revision: 224623
 URL: http://svn.freebsd.org/changeset/base/224623
 
 Log:
   MFC r223753:
     ARP code reuses mbuf from ARP request to make a reply, but it does not
     reset rcvif to NULL. Since rcvif is not NULL, ipfw(4) supposes that ARP
     replies were received on specified interface.
     Reset rcvif to NULL for ARP replies to fix this issue.
   
     PR:           kern/131817
 
 Modified:
   stable/7/sys/netinet/if_ether.c
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/netinet/if_ether.c
 ==============================================================================
 --- stable/7/sys/netinet/if_ether.c	Wed Aug  3 04:27:47 2011	(r224622)
 +++ stable/7/sys/netinet/if_ether.c	Wed Aug  3 04:28:16 2011	(r224623)
 @@ -981,6 +981,7 @@ reply:
  	ah->ar_pro = htons(ETHERTYPE_IP); /* let's be sure! */
  	m->m_len = sizeof(*ah) + (2 * ah->ar_pln) + (2 * ah->ar_hln);   
  	m->m_pkthdr.len = m->m_len;   
 +	m->m_pkthdr.rcvif = NULL;
  	sa.sa_family = AF_ARP;
  	sa.sa_len = 2;
  	(*ifp->if_output)(ifp, m, &sa, (struct rtentry *)0);
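
Review bot: the last context line here is `(*ifp->if_output)(ifp, m, &sa, (struct rtentry *)0);` where head and stable/8 pass `NULL`, and the hunk sits at -981 rather than -857, so the `reply:` block on stable/7 is not identical to the one the fix was written against. Before closing, confirm on this branch that `m` at this point is still the request mbuf with rcvif set, which is the premise of the added assignment.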
 
>Unformatted:
