From nobody@FreeBSD.org  Sat Jul 24 03:14:42 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 38DB01065676
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 24 Jul 2010 03:14:42 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 0F3208FC08
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 24 Jul 2010 03:14:42 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o6O3EfiT019305
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 24 Jul 2010 03:14:41 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o6O3EfDA019304;
	Sat, 24 Jul 2010 03:14:41 GMT
	(envelope-from nobody)
Message-Id: <201007240314.o6O3EfDA019304@www.freebsd.org>
Date: Sat, 24 Jul 2010 03:14:41 GMT
From: Nickolay Dudorov <nnd@mail.nsk.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw netgraph ignores net.inet.ip.fw.one_pass
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         148885
>Category:       kern
>Synopsis:       [ipfw] [patch] ipfw netgraph ignores net.inet.ip.fw.one_pass
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jul 24 03:20:04 UTC 2010
>Closed-Date:    Thu Sep 16 15:11:36 UTC 2010
>Last-Modified:  Thu Sep 16 15:20:00 UTC 2010
>Originator:     Nickolay Dudorov
>Release:        8.1-RELEASE
>Organization:
STE Infoteka
>Environment:
FreeBSD nnd.itfs.nsk.su 8.1-RELEASE FreeBSD 8.1-RELEASE #5: Thu Jul 22 20:51:35 NOVST 2010     root@nnd.itfs.nsk.su:/usr/obj/usr/src/sys/FINER8  amd64
>Description:
man ipfw says:
..
     netgraph cookie
             Divert packet into netgraph with given cookie.  The search termi-
             nates.  If packet is later returned from netgraph it is either
             accepted or continues with the next rule, depending on
             net.inet.ip.fw.one_pass sysctl variable.
..

but after the last massive changes in the ipfw realisation (March 23 2010)
packets continue with the next rule independently of the net.inet.ip.fw.one_pass value.

The same holds for 'netgraph ngtee' rules.

The included patch corrects the problem.

The problem stands in CURRENT, RELENG_8 and 8.1-RELEASE.




>How-To-Repeat:
On a plain CURRENT or 8.1-RELEASE system with (say) an em0 interface
do:
================================================================
kldload netgraph
kldload ng_ipfw
kldload ng_ip_input

ngctl << EOF
mkpeer ipfw: ip_input 100 in
EOF

ipfw add 100 netgraph 100 all from any to any in recv em0
ipfw add 200 count log all from any to any in recv em0
================================================================

and you can see that all packets go through rules 100 and 200
independently of the net.inet.ip.fw.one_pass value.


>Fix:
Apply the included patch.

Patch attached with submission follows:

--- sys/netinet/ipfw/ip_fw2.c.orig      2010-07-24 09:25:28.000000000 +0700
+++ sys/netinet/ipfw/ip_fw2.c   2010-07-24 09:27:35.000000000 +0700
@@ -2084,6 +2084,8 @@
                                set_match(args, f_pos, chain);
                                args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ?
                                        tablearg : cmd->arg1;
+                               if (V_fw_one_pass)
+                                       args->rule.info |= IPFW_ONEPASS;
                                retval = (cmd->opcode == O_NETGRAPH) ?
                                    IP_FW_NETGRAPH : IP_FW_NGTEE;
                                l = 0;          /* exit inner loop */
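Review bot: the two added lines OR IPFW_ONEPASS into the same `args->rule.info` word that the line above just loaded with the netgraph cookie (`tablearg : cmd->arg1`), so cookie and flag now share one field; a comment here should state that cookie values must not overlap the IPFW_ONEPASS bit, which matters most on the table-argument path where the value comes from a table rather than from the rule text. The flag is also set before `retval = (cmd->opcode == O_NETGRAPH) ? IP_FW_NETGRAPH : IP_FW_NGTEE;`, so it is attached for both opcodes; the consumer of IP_FW_NGTEE has to honour it too, or the 'netgraph ngtee' case named in the description stays unfixed.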
--- sys/netgraph/ng_ipfw.c.orig 2010-07-24 09:24:51.000000000 +0700
+++ sys/netgraph/ng_ipfw.c      2010-07-24 09:23:54.000000000 +0700
@@ -287,7 +287,8 @@
                }
                r = (struct ipfw_rule_ref *)(tag + 1);
                *r = fwa->rule;
-               r->info = dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
+               r->info &= IPFW_ONEPASS;  /* keep this info */
+               r->info |= dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
                m_tag_prepend(m, tag);

        } else
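Review bot: `r->info &= IPFW_ONEPASS;` clears every bit of the `fwa->rule.info` copied by `*r = fwa->rule;` except the one-pass flag, so the cookie that ip_fw2.c placed there is discarded before IPFW_INFO_IN/IPFW_INFO_OUT is OR'd in. That matches the old behaviour (the removed line overwrote the whole field), but the comment `/* keep this info */` does not say what is kept and what is dropped; suggest `/* drop the cookie, keep only IPFW_ONEPASS */` so a reader does not assume the full rule reference survives.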


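A check for the behaviour this PR describes, added here as an example and not part of the PR or of FreeBSD: it reads two `ipfw show` snapshots and reports whether packets diverted by the netgraph rule also hit the following count rule while net.inet.ip.fw.one_pass=1. The rule numbers and the em0 interface are taken from the How-To-Repeat above; the snapshot text embedded below is constructed, and the function names and the `--live` branch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the PR or of FreeBSD: decide from two `ipfw show`
# snapshots whether the one_pass sysctl was honoured for a netgraph rule.
# Snapshot lines look like `ipfw show` output (rule number, packets, bytes,
# rule body); only the first two columns are used.

# Packet counter of one rule in a snapshot (prints nothing if the rule is absent).
count_for() {
    rule="$1"
    snapshot="$2"
    printf '%s\n' "$snapshot" | awk -v r="$rule" '($1 + 0) == (r + 0) { print $2; exit }'
}

# Packets that hit RULE between snapshot BEFORE and snapshot AFTER; status 2 if
# the rule is missing from either snapshot.
delta_for() {
    before=$(count_for "$1" "$2")
    after=$(count_for "$1" "$3")
    [ -n "$before" ] && [ -n "$after" ] || return 2
    echo $((after - before))
}

# Succeeds when rule 200 (the count rule behind the netgraph rule) saw no
# packets between the snapshots, i.e. diverted packets did not continue to the
# next rule; fails when they did, which is the bug the PR reports for one_pass=1.
one_pass_honored() {
    d=$(delta_for 200 "$1" "$2") || return 2
    [ "$d" -eq 0 ]
}

# Constructed snapshots (not captured from a real host).
SNAP_BEFORE='00100        10       1200 netgraph 100 ip from any to any in recv em0
00200         0          0 count ip from any to any in recv em0'
SNAP_AFTER_BUGGY='00100        25       3000 netgraph 100 ip from any to any in recv em0
00200        15       1800 count ip from any to any in recv em0'
SNAP_AFTER_FIXED='00100        25       3000 netgraph 100 ip from any to any in recv em0
00200         0          0 count ip from any to any in recv em0'

# Live mode (assumed usage): run as root on a FreeBSD host wired as in the PR's
# How-To-Repeat (netgraph, ng_ipfw and ng_ip_input loaded, ipfw: hooked to an
# ip_input node) with the kernel under test; em0 is the receiving interface.
if [ "${1:-}" = "--live" ]; then
    sysctl net.inet.ip.fw.one_pass=1
    ipfw add 100 netgraph 100 all from any to any in recv em0
    ipfw add 200 count all from any to any in recv em0
    before=$(ipfw show)
    sleep 10   # let some inbound traffic arrive on em0
    after=$(ipfw show)
    if [ "$(delta_for 100 "$before" "$after")" -eq 0 ]; then
        echo "no packets reached rule 100; nothing to conclude"
    elif one_pass_honored "$before" "$after"; then
        echo "one_pass=1 honoured: diverted packets did not reach rule 200"
    else
        echo "one_pass=1 ignored: rule 200 counted $(delta_for 200 "$before" "$after") packets"
    fi
fi
```

Run it with `--live` on the affected and on the patched kernel; on the affected kernel rule 200's counter grows together with rule 100's, on the patched one only rule 100 moves.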
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Jul 24 04:52:36 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148885 
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Tue Jul 27 14:26:36 UTC 2010 
State-Changed-Why:  
Committed to head/. Thanks! 


Responsible-Changed-From-To: freebsd-ipfw->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Tue Jul 27 14:26:36 UTC 2010 
Responsible-Changed-Why:  
I'll handle this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148885 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/148885: commit references a PR
Date: Tue, 27 Jul 2010 14:26:44 +0000 (UTC)

 Author: glebius
 Date: Tue Jul 27 14:26:34 2010
 New Revision: 210537
 URL: http://svn.freebsd.org/changeset/base/210537
 
 Log:
   Fix operation of "netgraph" action in conjunction with the
   net.inet.ip.fw.one_pass sysctl.
   
   The "ngtee" action is still broken.
   
   PR:		kern/148885
   Submitted by:	Nickolay Dudorov <nnd mail.nsk.ru>
 
 Modified:
   head/sys/netgraph/ng_ipfw.c
   head/sys/netinet/ipfw/ip_fw2.c
 
 Modified: head/sys/netgraph/ng_ipfw.c
 ==============================================================================
 --- head/sys/netgraph/ng_ipfw.c	Tue Jul 27 13:06:18 2010	(r210536)
 +++ head/sys/netgraph/ng_ipfw.c	Tue Jul 27 14:26:34 2010	(r210537)
 @@ -287,7 +287,8 @@ ng_ipfw_input(struct mbuf **m0, int dir,
  		}
  		r = (struct ipfw_rule_ref *)(tag + 1);
  		*r = fwa->rule;
 -		r->info = dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
 +		r->info &= IPFW_ONEPASS;  /* keep this info */
 +		r->info |= dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
  		m_tag_prepend(m, tag);
  
  	} else
 
 Modified: head/sys/netinet/ipfw/ip_fw2.c
 ==============================================================================
 --- head/sys/netinet/ipfw/ip_fw2.c	Tue Jul 27 13:06:18 2010	(r210536)
 +++ head/sys/netinet/ipfw/ip_fw2.c	Tue Jul 27 14:26:34 2010	(r210537)
 @@ -2084,6 +2084,8 @@ do {								\
  				set_match(args, f_pos, chain);
  				args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ?
  					tablearg : cmd->arg1;
 +				if (V_fw_one_pass)
 +					args->rule.info |= IPFW_ONEPASS;
  				retval = (cmd->opcode == O_NETGRAPH) ?
  				    IP_FW_NETGRAPH : IP_FW_NGTEE;
  				l = 0;          /* exit inner loop */
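Review bot: the log says the "ngtee" action is still broken, yet this hunk attaches IPFW_ONEPASS for both opcodes because the flag is set before `retval = (cmd->opcode == O_NETGRAPH) ? IP_FW_NETGRAPH : IP_FW_NGTEE;`; the log, or a comment at this point, should name where the ngtee path loses the flag so the follow-up fix has a pointer, and the PR's How-To-Repeat should gain a 'netgraph ngtee' rule so that case is exercised too.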
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Thu Sep 16 15:07:52 UTC 2010 
State-Changed-Why:  
Merged to stable/8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148885 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/148885: commit references a PR
Date: Thu, 16 Sep 2010 15:11:27 +0000 (UTC)

 Author: glebius
 Date: Thu Sep 16 15:11:17 2010
 New Revision: 212738
 URL: http://svn.freebsd.org/changeset/base/212738
 
 Log:
   MFhead r210537:
     Fix operation of "netgraph" action in conjunction with the
     net.inet.ip.fw.one_pass sysctl.
   
     PR:           kern/148885
     Submitted by: Nickolay Dudorov <nnd mail.nsk.ru>
 
 Modified:
   stable/8/sys/netgraph/ng_ipfw.c
   stable/8/sys/netinet/ipfw/ip_fw2.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
   stable/8/sys/dev/xen/xenpci/   (props changed)
 
 Modified: stable/8/sys/netgraph/ng_ipfw.c
 ==============================================================================
 --- stable/8/sys/netgraph/ng_ipfw.c	Thu Sep 16 15:07:12 2010	(r212737)
 +++ stable/8/sys/netgraph/ng_ipfw.c	Thu Sep 16 15:11:17 2010	(r212738)
 @@ -287,7 +287,8 @@ ng_ipfw_input(struct mbuf **m0, int dir,
  		}
  		r = (struct ipfw_rule_ref *)(tag + 1);
  		*r = fwa->rule;
 -		r->info = dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
 +		r->info &= IPFW_ONEPASS;  /* keep this info */
 +		r->info |= dir ? IPFW_INFO_IN : IPFW_INFO_OUT;
  		m_tag_prepend(m, tag);
  
  	} else
 
 Modified: stable/8/sys/netinet/ipfw/ip_fw2.c
 ==============================================================================
 --- stable/8/sys/netinet/ipfw/ip_fw2.c	Thu Sep 16 15:07:12 2010	(r212737)
 +++ stable/8/sys/netinet/ipfw/ip_fw2.c	Thu Sep 16 15:11:17 2010	(r212738)
 @@ -2084,6 +2084,8 @@ do {								\
  				set_match(args, f_pos, chain);
  				args->rule.info = (cmd->arg1 == IP_FW_TABLEARG) ?
  					tablearg : cmd->arg1;
 +				if (V_fw_one_pass)
 +					args->rule.info |= IPFW_ONEPASS;
  				retval = (cmd->opcode == O_NETGRAPH) ?
  				    IP_FW_NETGRAPH : IP_FW_NGTEE;
  				l = 0;          /* exit inner loop */
 
>Unformatted:
