From eugen@grosbein.pp.ru  Fri Apr 18 10:05:12 2003
Return-Path: <eugen@grosbein.pp.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 670F337B401
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 18 Apr 2003 10:05:12 -0700 (PDT)
Received: from grosbein.pp.ru (D00015.dialonly.kemerovo.su [213.184.66.105])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6236743F93
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 18 Apr 2003 10:03:48 -0700 (PDT)
	(envelope-from eugen@grosbein.pp.ru)
Received: from grosbein.pp.ru (smmsp@localhost [127.0.0.1])
	by grosbein.pp.ru (8.12.9/8.12.7) with ESMTP id h3IH3Xo6002448
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 19 Apr 2003 01:03:33 +0800 (KRAST)
	(envelope-from eugen@grosbein.pp.ru)
Received: (from eugen@localhost)
	by grosbein.pp.ru (8.12.9/8.12.9/Submit) id h3IH04O1002397;
	Sat, 19 Apr 2003 01:00:04 +0800 (KRAST)
Message-Id: <200304181700.h3IH04O1002397@grosbein.pp.ru>
Date: Sat, 19 Apr 2003 01:00:04 +0800 (KRAST)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         51132
>Category:       kern
>Synopsis:       kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 18 10:10:13 PDT 2003
>Closed-Date:    Tue Jul 08 01:59:01 PDT 2003
>Last-Modified:  Tue Jul 08 01:59:01 PDT 2003
>Originator:     Eugene Grosbein
>Release:        FreeBSD 4.8-RC i386
>Organization:
Svyaz Service JSC
>Environment:
System: FreeBSD gw3.svzserv.kemerovo.su 4.8-RC FreeBSD 4.8-RC #0: Wed Apr 2 12:05:11 KRAST 2003 sa@gw3.svzserv.kemerovo.su:/home/obj/usr/src/sys/GW3 i386
	ipfw1

>Description:

	One of my routers has a gif tunnel with another FreeBSD 4.8-RC system.
	The gif0 has 'inet 172.20.15.14' and works nicely.
	The other side of the tunnel has 'inet 172.20.15.13'.

	Now I'm trying to implement policy routing and direct
	all transit traffic coming from rl0 into the tunnel. So I use

	ipfw add 2000 fwd 172.20.15.13 ip from any to not me via rl0 in.

	It does NOT match any packet while 'to any via rl0 in' does.
	The workaround is to avoid using 'to not me' here.

	Let's see ipfw show and look at bad things:

01990     20      940 deny ip from any to me
01993      0        0 count ip from any to me in recv rl0
01995      0        0 fwd 172.20.15.13 ip from any to not me in recv rl0
02000 109658  5813420 fwd 172.20.15.13 ip from any to any in recv rl0
65000 295571 40747130 allow ip from any to any

	The rule 1990 blocks 'to me' packets via rl0.

	The rule 1995 is the one that should match other packets,
	but it does not. The rule 2000 is here as a workaround.

>How-To-Repeat:

	See above.

>Fix:

	Unknown to me.
	The workaround is not to use 'to not me' in such cases.

Eugene Grosbein
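The listing above shows the symptom in counter form: the 'to not me' rule (1995) has zero hits while the otherwise identical 'to any' rule below it (2000) carries all the traffic, and the closing note of this PR states that ipfw1 never supported 'not me' correctly. The following script is an added example, not part of the PR or of FreeBSD; it parses `ipfw show` output in the format quoted above (the sample input is the PR's own five lines, embedded as a constant), lists every rule that relies on 'not me', and flags the dead-rule-plus-workaround pattern so an administrator of an ipfw1 host can audit a ruleset before trusting it. The script name in the comment is hypothetical.

```python
"""Audit `ipfw show` output for the ipfw1 'not me' symptom described in this PR.

Added example (not part of the PR): on a host still running ipfw1 any rule
using 'not me' is suspect, and a 'not me' rule with zero hits while an
otherwise identical '... any ...' rule below it takes the traffic is exactly
the workaround shape from the report.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample input: the five lines of `ipfw show` output quoted in the PR.
SAMPLE_IPFW_SHOW = """\
01990     20      940 deny ip from any to me
01993      0        0 count ip from any to me in recv rl0
01995      0        0 fwd 172.20.15.13 ip from any to not me in recv rl0
02000 109658  5813420 fwd 172.20.15.13 ip from any to any in recv rl0
65000 295571 40747130 allow ip from any to any
"""

# `ipfw show` prints: <rule number> <packet count> <byte count> <rule body>
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
NOT_ME_RE = re.compile(r"\bnot\s+me\b")


@dataclass
class Rule:
    number: int
    packets: int
    byte_count: int
    body: str


def parse_ipfw_show(text):
    """Parse `ipfw show` output into Rule objects; lines that are not rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)))
    return rules


def find_not_me_rules(rules):
    """Every rule that relies on 'not me' (unsupported on ipfw1 per the PR's closing note)."""
    return [r for r in rules if NOT_ME_RE.search(r.body)]


def find_dead_not_me_rules(rules):
    """Return (dead_rule, covering_rule) number pairs.

    A 'not me' rule counts as dead when it has matched nothing and a later rule,
    identical except that 'not me' is replaced by 'any', has matched traffic:
    the later rule is doing the work the 'not me' rule was meant to do.
    """
    dead = []
    for i, rule in enumerate(rules):
        if rule.packets != 0 or not NOT_ME_RE.search(rule.body):
            continue
        fallback_body = NOT_ME_RE.sub("any", rule.body)
        for later in rules[i + 1:]:
            if later.body == fallback_body and later.packets > 0:
                dead.append((rule.number, later.number))
                break
    return dead


def report(text):
    """Return the findings for one `ipfw show` listing as human-readable strings."""
    rules = parse_ipfw_show(text)
    lines = []
    for r in find_not_me_rules(rules):
        lines.append(f"rule {r.number:05d} uses 'not me' ({r.packets} packets): {r.body}")
    for dead, cover in find_dead_not_me_rules(rules):
        lines.append(f"rule {dead:05d} never matched; rule {cover:05d} ('any' form) is carrying its traffic")
    return lines


if __name__ == "__main__":
    # Pipe real output in (`ipfw show | python3 audit_ipfw_not_me.py`, hypothetical
    # script name) or run it with no stdin to audit the embedded sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPFW_SHOW
    for finding in report(source) or ["no 'not me' rules found"]:
        print(finding)
```

On the sample it reports rule 01995 as a 'not me' user with zero packets and pairs it with rule 02000 as the rule actually carrying the traffic, which is the state the PR describes. On a host that has moved to ipfw2, where 'not me' is supported, the first check is informational only; the dead-rule check still tells you whether a 'not me' rule has ever matched.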

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ipfw 
Responsible-Changed-By: johan 
Responsible-Changed-When: Tue May 6 12:49:32 PDT 2003 
Responsible-Changed-Why:  
Over to maintainer group. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=51132 

From: "Simon L. Nielsen" <simon@nitro.dk>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/51132: kernel part of ipfw1 processes 'to not me in recv rl0' incorrectly
Date: Tue, 6 May 2003 22:08:54 +0200

 Note that this was discussed on freebsd-net in the following thread:
 
 http://www.freebsd.org/cgi/getmsg.cgi?fetch=29964+0+/usr/local/www/db/text/2003/freebsd-net/20030427.freebsd-net
 
 Two fixes were proposed but none of them were apparently committed.
 
 -- 
 Simon L. Nielsen
State-Changed-From-To: open->closed 
State-Changed-By: luigi 
State-Changed-When: Tue Jul 8 01:56:31 PDT 2003 
State-Changed-Why:  
ipfw1 has never supported 'not me' correctly, so it cannot be 
a concern for backward compatibility. 

ipfw2 does support 'not me' 


http://www.freebsd.org/cgi/query-pr.cgi?pr=51132 
>Unformatted:
