From nobody@FreeBSD.org  Sun Jul 12 16:27:18 2009
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C0B9F106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 12 Jul 2009 16:27:18 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 9393A8FC17
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 12 Jul 2009 16:27:18 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id n6CGRItH092357
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 12 Jul 2009 16:27:18 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id n6CGRIiR092356;
	Sun, 12 Jul 2009 16:27:18 GMT
	(envelope-from nobody)
Message-Id: <200907121627.n6CGRIiR092356@www.freebsd.org>
Date: Sun, 12 Jul 2009 16:27:18 GMT
From: Nicolas Rachinsky <nicolas-2009@rachinsky.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: fwd reached after skipto in dynamic rules does not work in every case [PATCH]
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         136695
>Category:       kern
>Synopsis:       [ipfw] [patch] fwd reached after skipto in dynamic rules does not work in every case
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 12 16:30:01 UTC 2009
>Closed-Date:    Wed Jul 06 06:58:48 UTC 2011
>Last-Modified:  Wed Jul  6 07:00:28 UTC 2011
>Originator:     Nicolas Rachinsky
>Release:        FreeBSD 6.4-p5 (does probably apply to 8)
>Organization:
>Environment:
FreeBSD somehost 6.4-RELEASE-p5 FreeBSD 6.4-RELEASE-p5 #4: Sun Jul 12 18:03:33 CEST 2009     somebody:/usr/exported/src/sys/i386/compile/PC5  i386

>Description:
I have a pptp-tunnel with a static IP. I want to use this for incoming and outgoing services together with keep-state. So instead of allow I use "skipto 4040", where the rules following 4040 decide whether to forward the packet via pptp or use the normal uplink.

04040 fwd <pptp_peer> ip from <my_pptp_ip> to any out
04050 allow ip from any to any


Now I want incoming smtp on both the normal uplink and via pptp, so I have the rule:
skipto 4040 tcp from me to any dst-port 25 out setup keep-state

This does not work, the fwd rule is just an accept rule for the packets returned by my machine.

fwd is ignored after a dynamic rule matched in the "reverse" direction. I think fwd should work even after a dynamic rule matched in the reverse direction, when the action of the dynamic rule is a skipto.

The attached patch changes this behaviour. The current code looks quite similar.
>How-To-Repeat:
see above
>Fix:
apply the attached patch

Patch attached with submission follows:

Index: ip_fw2.c
===================================================================
RCS file: /usr/cvs-freebsd/src/sys/netinet/Attic/ip_fw2.c,v
retrieving revision 1.106.2.41.2.1
diff -u -r1.106.2.41.2.1 ip_fw2.c
--- ip_fw2.c	2 Oct 2008 02:57:24 -0000	1.106.2.41.2.1
+++ ip_fw2.c	12 Jul 2009 16:15:37 -0000
@@ -2215,9 +2215,14 @@
 	/*
 	 * dyn_dir = MATCH_UNKNOWN when rules unchecked,
 	 * 	MATCH_NONE when checked and not matched (q = NULL),
-	 *	MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL)
+	 	MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL)
 	 */
 	int dyn_dir = MATCH_UNKNOWN;
+	/*
+	 * skip_after_dyn set to 1 if the action of
+	   a dynamic rule is skipto
+	 */
+	int skip_after_dyn = 0;
 	ipfw_dyn_rule *q = NULL;
 	struct ip_fw_chain *chain = &layer3_chain;
 	struct m_tag *mtag;
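Review bot: the first change in this hunk only strips the leading `*` from the continuation line `MATCH_FORWARD or MATCH_REVERSE otherwise (q != NULL)` of an existing comment, which looks accidental and leaves the comment block inconsistent; drop that change. The new comment above `skip_after_dyn` has the same defect on its second line (`a dynamic rule is skipto` lacks the leading ` *`), and the comment should also say that the flag is never cleared for the rest of this packet's evaluation, since that is what the O_FORWARD_IP change relies on.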
@@ -3255,6 +3260,8 @@
 				if (f->next_rule == NULL)
 					lookup_next_rule(f);
 				f = f->next_rule;
+				if ( dyn_dir != MATCH_UNKNOWN && dyn_dir != MATCH_NONE)
+					skip_after_dyn = 1;
 				goto again;
 
 			case O_REJECT:
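Review bot: `dyn_dir != MATCH_UNKNOWN && dyn_dir != MATCH_NONE` is, per the comment in the declaration hunk, exactly `q != NULL`, so test the pointer directly. More importantly the flag is set for every skipto executed after a dynamic match, not only for the skipto that is the matched dynamic entry's own action (`f == q->rule`), so an unrelated skipto later in the chain also unlocks fwd for reverse-direction packets; comparing `f` against `q->rule` here would limit the change to the case the description asks for. Also drop the space after `(` in `if ( dyn_dir` per style(9).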
@@ -3295,7 +3302,7 @@
 				sa = &(((ipfw_insn_sa *)cmd)->sa);
 				if (args->eh)	/* not valid on layer2 pkts */
 					break;
-				if (!q || dyn_dir == MATCH_FORWARD) {
+				if (!q || dyn_dir == MATCH_FORWARD || skip_after_dyn) {
 					if (sa->sin_addr.s_addr == INADDR_ANY) {
 						bcopy(sa, &args->hopstore,
 							sizeof(*sa));
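Review bot: adding `skip_after_dyn` to the guard makes a reverse-direction packet forwardable at any fwd rule reached after a skipto that followed a dynamic match, which is the behaviour the description asks for; since the flag is only ever set when `q != NULL`, the three-term condition is really two cases and a comment saying so would help. The extra state is avoidable: the fix later committed as r222582 in this PR's audit trail gets the same effect with `q->rule != f` alone, i.e. by asking whether the fwd rule being executed is the matched dynamic entry's own parent.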


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Jul 13 15:13:10 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=136695 
Responsible-Changed-From-To: freebsd-net->freebsd-ipfw 
Responsible-Changed-By: bz 
Responsible-Changed-When: Tue Jul 14 08:12:22 UTC 2009 
Responsible-Changed-Why:  
Re-assign to the right list. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=136695 
State-Changed-From-To: open->patched 
State-Changed-By: ae 
State-Changed-When: Mon Jun 6 07:23:31 UTC 2011 
State-Changed-Why:  
Patched in head/ with r222582. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=136695 
State-Changed-From-To: patched->closed 
State-Changed-By: ae 
State-Changed-When: Wed Jul 6 06:58:11 UTC 2011 
State-Changed-Why:  
Merged to stable/7 and stable/8. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=136695 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/136695: commit references a PR
Date: Wed,  6 Jul 2011 06:56:40 +0000 (UTC)

 Author: ae
 Date: Wed Jul  6 06:56:31 2011
 New Revision: 223819
 URL: http://svn.freebsd.org/changeset/base/223819
 
 Log:
   MFC r222582:
     O_FORWARD_IP is the only action which depends on the result of lookup of
     dynamic rules. We are doing forwarding in the following cases:
      o For the simple ipfw fwd rule, e.g.
   
     	fwd 10.0.0.1 ip from any to any out xmit em0
     	fwd 127.0.0.1,3128 tcp from any to any 80 in recv em1
   
      o For the dynamic fwd rule, e.g.
   
      	fwd 192.168.0.1 tcp from any to 10.0.0.3 3333 setup keep-state
   
             When this rule triggers it creates a dynamic rule, but this
     	dynamic rule should forward packets only in forward direction.
   
      o And the last case that did not work before - simple fwd rule which
      triggers when some dynamic rule is already executed.
   
     PR:		kern/136695, kern/147720, kern/150798
 
 Modified:
   stable/8/sys/netinet/ipfw/ip_fw2.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
 
 Modified: stable/8/sys/netinet/ipfw/ip_fw2.c
 ==============================================================================
 --- stable/8/sys/netinet/ipfw/ip_fw2.c	Wed Jul  6 06:34:08 2011	(r223818)
 +++ stable/8/sys/netinet/ipfw/ip_fw2.c	Wed Jul  6 06:56:31 2011	(r223819)
 @@ -2070,7 +2070,8 @@ do {								\
  			case O_FORWARD_IP:
  				if (args->eh)	/* not valid on layer2 pkts */
  					break;
 -				if (!q || dyn_dir == MATCH_FORWARD) {
 +				if (q == NULL || q->rule != f ||
 +				    dyn_dir == MATCH_FORWARD) {
  				    struct sockaddr_in *sa;
  				    sa = &(((ipfw_insn_sa *)cmd)->sa);
  				    if (sa->sin_addr.s_addr == INADDR_ANY) {
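Review bot: `q->rule != f` silently relies on `q` staying set after the `goto again` from O_SKIPTO, so that a static fwd rule reached later sees a parent rule different from itself; that is the third case in the log, but the expression reads like a sanity check rather than the feature. A one-line comment at the condition ("fwd also when a dynamic match of some other rule brought us here via skipto") would spare the next reader the reconstruction; the pointer test `q == NULL` in place of `!q` is the style(9) form and is fine.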
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
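To make the submitter's skipto scenario and the cases in the commit log concrete, here is an added C model of the O_FORWARD_IP guard before and after r222582; it is not the kernel code and not part of the PR. The `evaluate` walker, the `fwd_allowed_*` names and the rule numbers are constructed, and packet matching is abstracted away so only the dynamic-match direction and the parent-rule test remain.

```c
#include <stddef.h>
/* Constructed model of ipfw's O_FORWARD_IP guard, not the kernel's code. Packet matching
 * is abstracted: the dynamic-lookup result (q, dyn_dir) is an input, static rules match. */
enum { MATCH_UNKNOWN, MATCH_NONE, MATCH_FORWARD, MATCH_REVERSE };
enum { A_ALLOW, A_SKIPTO, A_FWD };
struct rule { int num; int action; int skipto_target; };
struct dyn_rule { const struct rule *rule; };	/* parent rule, like q->rule in ipfw */
typedef int (*guard_fn)(const struct dyn_rule *, int, const struct rule *);

/* Guard before r222582: fwd only with no dynamic match or a forward-direction one. */
static int fwd_allowed_old(const struct dyn_rule *q, int dyn_dir, const struct rule *f)
{ (void)f; return (q == NULL || dyn_dir == MATCH_FORWARD); }
/* Guard from r222582: a fwd rule that is not the dynamic entry's parent is honoured too. */
static int fwd_allowed_new(const struct dyn_rule *q, int dyn_dir, const struct rule *f)
{ return (q == NULL || q->rule != f || dyn_dir == MATCH_FORWARD); }

/* Returns 1 if the packet is forwarded, 0 if merely accepted. A dynamic match starts at
 * the parent rule's action; skipto re-enters at the first rule numbered >= its target. */
static int evaluate(const struct rule *rules, int n, const struct dyn_rule *q,
    int dyn_dir, guard_fn guard)
{
	int i = (q != NULL) ? (int)(q->rule - rules) : 0;
	while (i < n) {
		const struct rule *f = &rules[i];
		if (f->action == A_ALLOW)
			return (0);
		if (f->action == A_FWD)
			return (guard(q, dyn_dir, f));	/* failed guard == plain accept */
		for (i++; i < n && rules[i].num < f->skipto_target; i++)
			;	/* ipfw only skips forward, so this always advances */
	}
	return (0);
}

/* Rule set from the PR: 100 skipto 4040 ... setup keep-state, 4040 fwd, 4050 allow.
 * The reply packet matches rule 100's dynamic entry in the reverse direction. */
static const struct rule pr_rules[] = {
	{ 100, A_SKIPTO, 4040 }, { 4040, A_FWD, 0 }, { 4050, A_ALLOW, 0 },
};
static int pr_reply_forwarded(guard_fn guard)
{
	struct dyn_rule q = { &pr_rules[0] };
	return (evaluate(pr_rules, 3, &q, MATCH_REVERSE, guard));
}
/* Commit-log case two: a "fwd ... setup keep-state" rule forwards only the
 * forward-direction packets of its own dynamic entry, under both guards. */
static const struct rule dynfwd_rules[] = { { 200, A_FWD, 0 }, { 300, A_ALLOW, 0 } };
static int dynfwd_forwarded(guard_fn guard, int dyn_dir)
{
	struct dyn_rule q = { &dynfwd_rules[0] };
	return (evaluate(dynfwd_rules, 2, &q, dyn_dir, guard));
}
```

The old guard turns rule 4040 into a plain accept for the reply (the bug), the new guard forwards it, and neither guard forwards reverse-direction packets of a dynamic fwd rule.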
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/136695: commit references a PR
Date: Wed,  6 Jul 2011 06:57:16 +0000 (UTC)

 Author: ae
 Date: Wed Jul  6 06:57:07 2011
 New Revision: 223820
 URL: http://svn.freebsd.org/changeset/base/223820
 
 Log:
   MFC r222582:
     O_FORWARD_IP is the only action which depends on the result of lookup of
     dynamic rules. We are doing forwarding in the following cases:
      o For the simple ipfw fwd rule, e.g.
   
           fwd 10.0.0.1 ip from any to any out xmit em0
           fwd 127.0.0.1,3128 tcp from any to any 80 in recv em1
   
      o For the dynamic fwd rule, e.g.
   
           fwd 192.168.0.1 tcp from any to 10.0.0.3 3333 setup keep-state
   
             When this rule triggers it creates a dynamic rule, but this
           dynamic rule should forward packets only in forward direction.
   
      o And the last case that did not work before - simple fwd rule which
      triggers when some dynamic rule is already executed.
   
     PR:           kern/136695, kern/147720, kern/150798
 
 Modified:
   stable/7/sys/netinet/ip_fw2.c
 Directory Properties:
   stable/7/sys/   (props changed)
   stable/7/sys/cddl/contrib/opensolaris/   (props changed)
   stable/7/sys/contrib/dev/acpica/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
 
 Modified: stable/7/sys/netinet/ip_fw2.c
 ==============================================================================
 --- stable/7/sys/netinet/ip_fw2.c	Wed Jul  6 06:56:31 2011	(r223819)
 +++ stable/7/sys/netinet/ip_fw2.c	Wed Jul  6 06:57:07 2011	(r223820)
 @@ -3284,7 +3284,8 @@ check_body:
  				sa = &(((ipfw_insn_sa *)cmd)->sa);
  				if (args->eh)	/* not valid on layer2 pkts */
  					break;
 -				if (!q || dyn_dir == MATCH_FORWARD) {
 +				if (q == NULL || q->rule != f ||
 +				    dyn_dir == MATCH_FORWARD) {
  					if (sa->sin_addr.s_addr == INADDR_ANY) {
  						bcopy(sa, &args->hopstore,
  							sizeof(*sa));
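Review bot: same guard as the stable/8 hunk; in this stable/7 code path `sa` is computed from `cmd` before the `args->eh` layer-2 check, so the early `break` leaves an unused assignment. Harmless, but aligning it with stable/8, where `sa` is declared inside the guarded block, would keep the two branches easier to diff against each other.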
 
>Unformatted:
