From nobody@FreeBSD.org  Thu Feb 28 14:05:00 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	by hub.freebsd.org (Postfix) with ESMTP id 2A54B77
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 28 Feb 2013 14:05:00 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 1735874E
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 28 Feb 2013 14:05:00 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id r1SE4x8L034902
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 28 Feb 2013 14:04:59 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id r1SE4xF8034901;
	Thu, 28 Feb 2013 14:04:59 GMT
	(envelope-from nobody)
Message-Id: <201302281404.r1SE4xF8034901@red.freebsd.org>
Date: Thu, 28 Feb 2013 14:04:59 GMT
From: Robert Heron <freebsd@heron.pl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfw layer2 problem
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         176503
>Category:       kern
>Synopsis:       [ipfw] ipfw layer2 problem
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 28 14:10:00 UTC 2013
>Closed-Date:    
>Last-Modified:  Tue Jun 18 15:40:00 UTC 2013
>Originator:     Robert Heron
>Release:        9.1R
>Organization:
HERON
>Environment:
FreeBSD server 9.1-RELEASE FreeBSD 9.1-RELEASE #1:   ....   i386
>Description:
I use the ipfw firewall with these settings:

In Kernel:
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_FORWARD

sysctl:
net.inet.ip.forwarding=1
net.link.ether.ipfw=1

The problem:

I have a rule in my firewall: 

1000 allow ip from any to any layer2 in MAC any any

and when an incoming packet matches this rule, it is passed further to the next rule.
'ipfw show' shows that the packet was matched by this rule and then passed to the next rule.
As described in 'man ipfw', the packet should be accepted by this rule and the search should be terminated, but this doesn't happen.

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Feb 28 14:10:39 UTC 2013 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=176503 

From: Ian Smith <smithi@nimnet.asn.au>
To: bug-followup@FreeBSD.org, freebsd@heron.pl
Cc:  
Subject: Re: kern/176503: [ipfw] ipfw layer2 problem
Date: Wed, 19 Jun 2013 01:34:58 +1000

   > net.link.ether.ipfw=1
 
   > 1000 allow ip from any to any layer2 in MAC any any
 
 You don't show the next rule mentioned, but with net.link.ether.ipfw=1 
 (and not bridging) the packet traverses the ruleset up to four times. 
 Your rule 1000 accepts the packet when invoked from ether_demux.  When 
 the packet (thus) gets to ip(6)_input the ruleset is run again at layer 
 3 (IP), which rule 1000 does not match.  It may match any next rule that 
 is not explicitly layer2.  You'll similarly need to pass layer2 packets 
 going 'out', after passing them at layer3.
 
 man ipfw
 /PACKET FLOW
 
 cheers, Ian
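 The multi-pass behaviour Ian describes is easy to misread from a single
 'ipfw show' counter, so the following is an added simulation (it is not
 ipfw code, nor anything the reporter or Ian posted) of how one ruleset is
 walked at the four invocation points listed under PACKET FLOW in man ipfw
 for a forwarded, non-bridged packet. The rule-2000 "next rule" is a
 constructed deny-all standing in for the rule the report does not show;
 the modelling assumption is that a rule carrying the layer2 keyword
 matches only in the two layer-2 passes, while a rule without it matches in
 every pass. The CORRECTED ruleset is an illustration of the fix Ian
 outlines: pass frames at layer 2 both in and out, decide policy once at
 layer 3.

```python
"""Simplified model of ipfw walking one ruleset several times when
net.link.ether.ipfw=1.  This is an illustrative simulation, not ipfw code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four invocation points for a forwarded (non-bridged) IPv4 packet, in
# order: two at layer 2 (ether_demux / ether_output_frame) and two at
# layer 3 (ip_input / ip_output).
PASSES = [
    ("ether_demux", "in", 2),
    ("ip_input", "in", 3),
    ("ip_output", "out", 3),
    ("ether_output_frame", "out", 2),
]


@dataclass
class Rule:
    number: int
    action: str               # "allow" or "deny"
    direction: Optional[str]  # "in", "out" or None (either direction)
    layer2: bool              # True when the rule carries the layer2 keyword


def parse_rule(text: str) -> Rule:
    """Parse the subset of ipfw syntax used here, e.g.
    '1000 allow ip from any to any layer2 in MAC any any'."""
    words = text.split()
    number, action = int(words[0]), words[1]
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action {action!r}")
    body = words[2:]
    direction = "in" if "in" in body else "out" if "out" in body else None
    return Rule(number, action, direction, "layer2" in body)


def rule_matches(rule: Rule, direction: str, layer: int) -> bool:
    # Modelling assumption: 'layer2' restricts a rule to the two layer-2
    # passes; a rule without it matches in any pass.
    if rule.layer2 and layer != 2:
        return False
    if rule.direction is not None and rule.direction != direction:
        return False
    return True


def run_pass(rules: List[Rule], direction: str, layer: int) -> Tuple[str, int]:
    """One traversal: the first matching rule terminates the search.
    The implicit default rule 65535 is modelled as 'deny'."""
    for rule in rules:
        if rule_matches(rule, direction, layer):
            return rule.action, rule.number
    return "deny", 65535


def trace_packet(ruleset: List[str]) -> List[Tuple[str, str, int]]:
    """Walk all four passes, stopping at the first pass that denies.
    Returns a list of (invocation point, action, matching rule number)."""
    rules = sorted((parse_rule(r) for r in ruleset), key=lambda r: r.number)
    trace = []
    for where, direction, layer in PASSES:
        action, num = run_pass(rules, direction, layer)
        trace.append((where, action, num))
        if action == "deny":
            break
    return trace


# Rule 1000 from the report plus a constructed deny-all as the "next rule".
REPORTED = [
    "1000 allow ip from any to any layer2 in MAC any any",
    "2000 deny ip from any to any",
]

# Constructed illustration of the fix: pass frames at layer 2 in both
# directions, then make the real policy decision once at layer 3.
CORRECTED = [
    "1000 allow ip from any to any layer2 in MAC any any",
    "1010 allow ip from any to any layer2 out MAC any any",
    "2000 allow ip from any to any in",
    "2010 allow ip from any to any out",
    "65000 deny ip from any to any",
]

if __name__ == "__main__":
    for name, rs in (("reported", REPORTED), ("corrected", CORRECTED)):
        print(name)
        for where, action, num in trace_packet(rs):
            print(f"  {where:20} -> {action} by rule {num}")
```

 Running it shows the reported ruleset accepting the frame at ether_demux
 via rule 1000 and then dropping it at ip_input via rule 2000, exactly the
 counter pattern the report calls "passed to the next rule"; with the
 corrected ruleset all four passes accept, each by the rule written for
 that layer and direction.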
>Unformatted:
