From dunstan@freebsd.czest.pl  Tue Feb 15 19:58:14 2005
Return-Path: <dunstan@freebsd.czest.pl>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5F55916A4CE
	for <FreeBSD-gnats-submit@FreeBSD.org>; Tue, 15 Feb 2005 19:58:14 +0000 (GMT)
Received: from freebsd.czest.pl (silver.iplus.pl [80.48.250.4])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AF89F43D60
	for <FreeBSD-gnats-submit@FreeBSD.org>; Tue, 15 Feb 2005 19:58:12 +0000 (GMT)
	(envelope-from dunstan@freebsd.czest.pl)
Received: from freebsd.czest.pl (freebsd.czest.pl [80.48.250.4])
	by freebsd.czest.pl (8.12.10/8.12.9) with ESMTP id j1FK3a9r018776
	for <FreeBSD-gnats-submit@FreeBSD.org>; Tue, 15 Feb 2005 20:03:36 GMT
	(envelope-from dunstan@freebsd.czest.pl)
Received: (from dunstan@localhost)
	by freebsd.czest.pl (8.12.10/8.12.9/Submit) id j1FK3ZDm018775;
	Tue, 15 Feb 2005 20:03:35 GMT
	(envelope-from dunstan)
Message-Id: <200502152003.j1FK3ZDm018775@freebsd.czest.pl>
Date: Tue, 15 Feb 2005 20:03:35 GMT
From: "Wojciech A. Koszek" <dunstan@freebsd.czest.pl>
Reply-To: "Wojciech A. Koszek" <dunstan@freebsd.czest.pl>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc:
Subject: [PATCH] ipfw: Multiple rules may have the same number.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         77570
>Category:       kern
>Synopsis:       [PATCH] ipfw: Multiple rules may have the same number.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 15 20:00:46 GMT 2005
>Closed-Date:    Sat Jul 02 13:10:37 GMT 2005
>Last-Modified:  Sat Jul 02 13:10:37 GMT 2005
>Originator:     Wojciech A. Koszek
>Release:        FreeBSD 5.3-STABLE i386
>Organization:
>Environment:
System: FreeBSD dunstan.freebsd.czest.pl 5.3-STABLE FreeBSD 5.3-STABLE #0: Sat Feb 12 11:15:23 CET 2005 root@dunstan.freebsd.czest.pl:/usr/obj/usr/src/sys/HOME6 i386

This problem exists in both -STABLE and -CURRENT.

>Description:
There is a problem when inserting an ipfw2 rule with a specified rule number.

	# ipfw add <num> <action>

Executing this command N times adds N rules with the same number <num>.
I don't really like this behaviour, since a rule number has to represent
a unique rule.

>How-To-Repeat:

This problem may be easily reproduced:

# ipfw add 100 allow all from any to any 
00100 allow ip from any to any
# ipfw add 100 allow all from any to any
00100 allow ip from any to any
# ipfw add 100 allow all from any to any
00100 allow ip from any to any
# ipfw show | grep 00100
00100 0   0 allow ip from any to any
00100 0   0 allow ip from any to any
00100 0   0 allow ip from any to any

>Fix:
The attached patch [diff.0.ipfw2] should correct this problem. It also adds a
forward declaration of remove_rule(), because after applying this patch
add_rule() requires it.

--- diff.0.ipfw2 begins here ---
Patch against FreeBSD 5.3-STABLE, kern.osreldate: 503102.

diff -upr /usr/src/sys/netinet/ip_fw2.c src/sys/netinet/ip_fw2.c
--- /usr/src/sys/netinet/ip_fw2.c	Sat Feb 12 09:36:43 2005
+++ src/sys/netinet/ip_fw2.c	Tue Feb 15 20:11:17 2005
@@ -104,6 +104,9 @@ static struct callout ipfw_timeout;
 static uma_zone_t ipfw_dyn_rule_zone;
 #define	IPFW_DEFAULT_RULE	65535
 
+static struct ip_fw *
+remove_rule(struct ip_fw_chain *, struct ip_fw *, struct ip_fw *);
+
 /*
  * Data structure to cache our ucred related
  * information. This structure only gets used if
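Review bot: the new remove_rule() prototype lands between a variable definition and an unrelated comment block; if the file already groups its static function prototypes, put it with them, and confirm the declared signature (return type struct ip_fw *, three pointer parameters) matches the definition exactly, since add_rule() now depends on it before the definition is seen.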
@@ -2599,7 +2602,19 @@ add_rule(struct ip_fw_chain *chain, stru
 	 * Now insert the new rule in the right place in the sorted list.
 	 */
 	for (prev = NULL, f = chain->rules; f; prev = f, f = f->next) {
-		if (f->rulenum > rule->rulenum) { /* found the location */
+		if (f->rulenum == rule->rulenum) { /* exact match */
+			rule->next = f->next;
+			(void) remove_rule(chain, f, prev);
+			if (prev != NULL) {
+				prev->next = rule;
+			}
+			else { /* head insert */
+				rule->next = chain->rules;
+				chain->rules = rule;
+			}
+			break;
+		}
+		else if (f->rulenum > rule->rulenum) { /* found the location */
 			if (prev) {
 				rule->next = f;
 				prev->next = rule;
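Review bot: the exact-match branch replaces only the first rule carrying rule->rulenum and then breaks, so a chain that already holds several rules with that number (exactly the situation in How-To-Repeat) keeps all but the first; the stated goal needs the loop to keep removing while f->rulenum == rule->rulenum. The `rule->next = f->next;` assignment before remove_rule() is overwritten in the head-insert branch with chain->rules, and the successor returned by remove_rule() is discarded even though it is the value rule->next should take in both branches; using the return value once and dropping the first assignment would make the two paths consistent. Since the hunk only unlinks f via remove_rule() and never frees or reaps it, confirm what remove_rule() does with the old rule so add_rule() does not leak it. Finally, silently replacing an existing rule (and its counters) rather than reporting the duplicate is a user-visible behaviour change that would need to be documented in ipfw(8).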
--- diff.0.ipfw2 ends here ---

>Release-Note:
>Audit-Trail:

From: Maxim Konovalov <maxim@macomnet.ru>
To: "Wojciech A. Koszek" <dunstan@freebsd.czest.pl>
Cc: bug-followup@freebsd.org
Subject: Re: kern/77570: [PATCH] ipfw: Multiple rules may have the same
 number.
Date: Wed, 16 Feb 2005 11:17:34 +0300 (MSK)

 Hi Wojciech,
 
 > >Description:
 > There is a problem while inserting ipfw2 rule with specified rule number.
 >
 > 	# ipfw add <num> <action>
 >
 > While executing this command N times, it will add N rules with the same
 > number <num>. I don't really like this behaviour, since rule number has to
 > represent the unique rule.
 >
 > >How-To-Repeat:
 >
 > This problem may be easily reproduced:
 >
 > # ipfw add 100 allow all from any to any
 > 00100 allow ip from any to any
 > # ipfw add 100 allow all from any to any
 > 00100 allow ip from any to any
 > # ipfw add 100 allow all from any to any
 > 00100 allow ip from any to any
 > # ipfw show | grep 00100
 > 00100 0   0 allow ip from any to any
 > 00100 0   0 allow ip from any to any
 > 00100 0   0 allow ip from any to any
 >
 > >Fix:
 > Attached patch [diff.0.ipfw2] should correct this problem. It also adds predefinition of
 > remove_rule(), because after applying this patch, add_rule() requires it.
 
 Well, sorry, I really hate your patch :-)  This is the way ipfw(8) was
 designed and works in RELENG_*.  It seems to me we are going to break a
 zillion ipfw installations with this patch.  "Tools not policy".
 
 Would you mind if I close this PR?
 
 -- 
 Maxim Konovalov

From: "Wojciech A. Koszek" <dunstan@freebsd.czest.pl>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/77570: [PATCH] ipfw: Multiple rules may have the same number.
Date: Wed, 16 Feb 2005 15:00:19 +0000

 On Wed, Feb 16, 2005 at 11:17:34AM +0300, Maxim Konovalov wrote:
 
 [..]
 > Well, sorry, I really hate your patch :-)  This is the way ipfw(8) was
 > designed and works in RELENG_*.  It seems for me we gonna break
 > zillion ipfw installations with this patch.  "Tools not policy".
 > 
 > Would you mind if I close this PR?
 
 Hi Maxim,
 
 I thought it was some kind of side effect in the rule manipulation code, but
 if there are reasons for people to use this feature, feel free to close this PR
 (and thanks for the reaction).
 
 Cheers,
 -- 
 * Wojciech A. Koszek && dunstan@FreeBSD.czest.pl

From: Maxim Konovalov <maxim@macomnet.ru>
To: "Wojciech A. Koszek" <dunstan@freebsd.czest.pl>
Cc: bug-followup@freebsd.org
Subject: Re: kern/77570: [PATCH] ipfw: Multiple rules may have the same
 number.
Date: Wed, 16 Feb 2005 18:12:41 +0300 (MSK)

 >  Hi Maxim,
 >
 >  I thought it was some kind of a side effect in rule manipulation code, but
 >  if some reasons push people to use this feature, feel free to close this PR
 >  (and thanks for reaction).
 
 This is just my opinion.  I'd suggest discussing your patch on the -net or
 -ipfw mailing lists and asking people what they think.
 
 -- 
 Maxim Konovalov
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: arved 
Responsible-Changed-When: Mon Jun 6 16:50:01 GMT 2005 
Responsible-Changed-Why:  
Maxim suggested discussion on -ipfw Mailinglist. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77570 

From: Yar Tikhiy <yar@comp.chem.msu.su>
To: bug-followup@FreeBSD.org, dunstan@freebsd.czest.pl, maxim@macomnet.ru
Cc:  
Subject: Re: kern/77570: [PATCH] ipfw: Multiple rules may have the same number.
Date: Sat, 2 Jul 2005 14:51:17 +0400

 Folks,
 
 Sorry, I haven't looked at how the discussion on freebsd-ipfw is
 going ;-) but I can say for myself that I consider having this
 "bug" in ipfw very useful.  I use it often when I have to add some
 rules to a firewall temporarily and then remove them after a while.
 I add the temporary rules with the same rule number and then just
 type "ipfw d <number>" once instead of having to remove each rule
 separately, which would be the case if the "bug" were "fixed".
 
 OTOH, thou shouldst abstain from messing with ipfw while having
 the morning cloudiness in thy mind and tremor in thy hands ;-)))
 
 Therefore I vote for closing this PR after making sure the current
 behaviour is well documented on the ipfw(8) manpage.
 
 -- 
 Yar
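A toy model of ipfw's sorted rule chain, added here to show both the duplicate-number behaviour from the PR's Description and How-To-Repeat and the "one delete removes them all" workflow Yar describes above. It is not the kernel's ip_fw2.c: the structures are stand-ins, add_rule_append() mirrors the unpatched insert, add_rule_replace() mirrors the patch's replace-on-equal logic (freeing the old rule in place instead of calling remove_rule()), and count_after() is a hypothetical driver for the scenarios.

```c
#include <stdlib.h>
struct rule { int rulenum; struct rule *next; };     /* stand-in for ip_fw */
struct chain { struct rule *rules; };                /* stand-in for ip_fw_chain */

/* Unpatched add_rule(): walk past every rule numbered <= ours, so a rule
 * reusing an existing number lands after the rules already using it. */
void add_rule_append(struct chain *ch, int num)
{
	struct rule **pp = &ch->rules, *r = calloc(1, sizeof *r);
	r->rulenum = num;
	while (*pp != NULL && (*pp)->rulenum <= num)
		pp = &(*pp)->next;
	r->next = *pp;
	*pp = r;
}

/* The PR's patched add_rule(): the first rule with an equal number is
 * unlinked and replaced; any later rules with that number are left alone. */
void add_rule_replace(struct chain *ch, int num)
{
	struct rule **pp = &ch->rules, *f, *r;
	while ((f = *pp) != NULL && f->rulenum < num)
		pp = &f->next;
	if (f == NULL || f->rulenum != num) { add_rule_append(ch, num); return; }
	r = calloc(1, sizeof *r);               /* the new rule takes f's slot */
	r->rulenum = num;
	r->next = f->next;
	*pp = r;
	free(f);
}

/* "ipfw delete <num>": unlinks every rule with that number, returns the count. */
int delete_rule(struct chain *ch, int num)
{
	struct rule **pp = &ch->rules, *f; int removed = 0;
	while ((f = *pp) != NULL) {
		if (f->rulenum != num) { pp = &f->next; continue; }
		*pp = f->next; free(f); removed++;
	}
	return removed;
}

/* Adds rule 100 `appends` times with the old code, then `replaces` times with
 * the patched code, and reports how many rules one "ipfw delete 100" removes. */
int count_after(int appends, int replaces)
{
	struct chain ch = { NULL };
	while (appends-- > 0) add_rule_append(&ch, 100);
	while (replaces-- > 0) add_rule_replace(&ch, 100);
	return delete_rule(&ch, 100);
}
```

count_after(2, 1) returning 2 rather than 1 is the gap the patch leaves: it stops duplicates from being created on a clean chain but does not collapse duplicates that already exist.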
State-Changed-From-To: open->closed 
State-Changed-By: maxim 
State-Changed-When: Sat Jul 2 12:49:16 GMT 2005 
State-Changed-Why:  
The proposed ipfw behaviour will hurt, break POLA, induce tsunami, 
pandemics, economic disasters, nuclear war and end with the 
Armageddon. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=77570 
>Unformatted:
