From nobody@FreeBSD.org  Fri Jan 13 23:43:14 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B248016A420
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 13 Jan 2006 23:43:14 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1AC4243D46
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 13 Jan 2006 23:43:13 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k0DNhCdc071441
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 13 Jan 2006 23:43:12 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k0DNhCZS071437;
	Fri, 13 Jan 2006 23:43:12 GMT
	(envelope-from nobody)
Message-Id: <200601132343.k0DNhCZS071437@www.freebsd.org>
Date: Fri, 13 Jan 2006 23:43:12 GMT
From: Tijmen Ramakers <tijmen@tijmen.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfilter: wrong behaviour with skip rule inside a group with a 'quick' head
X-Send-Pr-Version: www-2.3

>Number:         91777
>Category:       kern
>Synopsis:       [ipfilter] [patch] wrong behaviour with skip rule inside an ipfilter group with a 'quick' head
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    cy
>State:          suspended
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 13 23:50:06 GMT 2006
>Closed-Date:    
>Last-Modified:  Wed Jul 03 05:19:05 UTC 2013
>Originator:     Tijmen Ramakers
>Release:        6.0-RELEASE
>Organization:
>Environment:
FreeBSD kitana.tijmen.net 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Fri Nov 11 00:37:21 UTC 2005     root@kitana.tijmen.net:/usr/src/sys/i386/compile/KITANA  i386
              
>Description:
Inside a group of a rule set whose head rule uses the 'quick' option, a matching skip rule seems to end the processing of the group.

ipf was compiled into the kernel (not as a module) using the IPFILTER and IPFILTER_LOG options.

ipf -V output: 

ipf: IP Filter: v4.1.8 (416)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0x20000000 = block
Default: block all, Logging: available
Active list: 1
              
Consider the following simple ruleset:

@0:1    block out quick on de0 head 100
@100:1  skip 1 out group 100
@100:2  block out quick group 100
@100:3  pass out quick group 100

Expected behaviour for an outbound packet on de0 would be:
1. rule @0:1 matches, branch into group 100
2. rule @100:1 matches, skip over @100:2 to @100:3
3. rule @100:3 matches, with the quick option

So, the packet should be passed. However, it is not. In the ipfmon logging you see that the packet gets blocked on rule @100:1; using ipfstat -honR you see that only rules @0:1 and @100:1 have matched.

However, if you leave out the 'quick' in @0:1, the rule does get processed as expected. According to the ipf manpage and the "IP Filter FAQ", the 'quick' in the head rule is only relevant in case none of the group's rules match. 

I noticed this when, after upgrading from 5.2.1 to 6.0, my firewall config didn't work anymore. I haven't seen any mention of this change in behaviour anywhere.




>How-To-Repeat:
See problem description. 
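
The expected evaluation order from the description, as a small user-space model. This is an added example, not part of the PR and not ipfilter code; the struct and function names are hypothetical, and every rule is assumed to match the packet, as in the report's ruleset.

```c
#include <stdio.h>

enum action { PASS, BLOCK, SKIP };

/* One rule "@group:num"; head != 0 means the rule opens that group. */
struct rule { int group, num; enum action act; int arg, quick, head; };
struct verdict { int matched, quick, group, num; enum action act; };

/* Scan one group in order. Assumption: every rule matches the packet,
 * as in the report (outbound packet on de0). */
static struct verdict scan(const struct rule *r, int n, int group)
{
    struct verdict v = {0, 0, 0, 0, BLOCK};    /* "Default: block all" */
    int skip = 0;

    for (int i = 0; i < n; i++) {
        if (r[i].group != group) continue;
        if (skip > 0) { skip--; continue; }     /* jumped over by a skip */
        if (r[i].act == SKIP) { skip = r[i].arg; continue; }
        v = (struct verdict){1, r[i].quick, r[i].group, r[i].num, r[i].act};
        if (r[i].head != 0) {
            struct verdict g = scan(r, n, r[i].head);
            if (g.matched) v = g;   /* head's own 'quick' only counts otherwise */
        }
        if (v.quick) break;
    }
    return v;
}

/* Constructed input: the report's ruleset; head_quick toggles 'quick' on @0:1. */
static struct verdict report_ruleset(int head_quick)
{
    const struct rule rules[] = {
        {0,   1, BLOCK, 0, head_quick, 100},   /* @0:1   block out [quick] head 100 */
        {100, 1, SKIP,  1, 0,          0},     /* @100:1 skip 1 out group 100 */
        {100, 2, BLOCK, 0, 1,          0},     /* @100:2 block out quick group 100 */
        {100, 3, PASS,  0, 1,          0},     /* @100:3 pass out quick group 100 */
    };
    return scan(rules, 4, 0);
}

int main(void)
{
    for (int q = 0; q <= 1; q++) {
        struct verdict v = report_ruleset(q);
        printf("head quick=%d: %s at @%d:%d\n", q,
               v.act == PASS ? "pass" : "block", v.group, v.num);
    }
    return 0;
}
```

Under this model the verdict is the same with and without 'quick' on the head rule, which is the behaviour the report expects and can be compared against the per-rule hit counts from ipfstat -honR.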


>Fix:
              
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Sun Jan 15 01:07:24 UTC 2006 
Responsible-Changed-Why:  
Assign to ipfilter maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=91777 
State-Changed-From-To: open->feedback 
State-Changed-By: darrenr 
State-Changed-When: Mon Feb 27 07:02:52 UTC 2006 
State-Changed-Why:  
patch available 


From: Gleb Smirnoff <glebius@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/91777
Date: Mon, 27 Feb 2006 10:34:57 +0300

 Attach to PR.
 
 ----- Forwarded message from Darren Reed <darrenr@freebsd.org> -----
 
 Patch below.
 
 Darren
 
 --- fil.c       31 Dec 2005 13:35:42 -0000      2.243.2.73
 +++ fil.c       26 Feb 2006 09:57:58 -0000
 @@ -2021,18 +2020,20 @@
                 (void) strncpy(fin->fin_group, fr->fr_group, FR_GROUPLEN);
                 if (fr->fr_grp != NULL) {
                         fin->fin_fr = *fr->fr_grp;
 -                       pass = fr_scanlist(fin, pass);
 +                       passt = fr_scanlist(fin, pass);
                         if (fin->fin_fr == NULL) {
                                 fin->fin_rule = rulen;
                                 (void) strncpy(fin->fin_group, fr->fr_group,
                                                FR_GROUPLEN);
                                 fin->fin_fr = fr;
 +                               passt = pass;
                         }
                         if (fin->fin_flx & FI_DONTCACHE)
                                 logged = 1;
 +                       pass = passt;
                 }
  
 -               if (pass & FR_QUICK) {
 +               if (passt & FR_QUICK) {
                         /*
                          * Finally, if we've asked to track state for this
                          * packet, set it up.  Add state for "quick" rules
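
Review bot: 'passt' is assigned only inside the 'if (fr->fr_grp != NULL)' block, but the new test 'if (passt & FR_QUICK)' sits outside it, so for a rule that has no group the outcome depends on whatever 'passt' was set to above the lines shown here. Please confirm that 'passt' holds the current rule's flags at that point, or keep the test on 'pass', since the added 'pass = passt;' already carries the group result out of the block. Separately, the header '@@ -2021,18 +2020,20 @@' starts one line earlier in the new file than in the old one, which suggests a change higher up in fil.c that is not included in the posted patch; the full diff should be attached to the PR.
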
 ----- End forwarded message -----
State-Changed-From-To: feedback->suspended 
State-Changed-By: linimon 
State-Changed-When: Sun Mar 2 02:38:29 UTC 2008 
State-Changed-Why:  
Feedback was received quite some time ago.  Mark this as suspended since 
it does not seem as though it is being worked on. 

Responsible-Changed-From-To: freebsd-net->cy 
Responsible-Changed-By: cy 
Responsible-Changed-When: Wed Jul 3 05:18:46 UTC 2013 
Responsible-Changed-Why:  
Mine. 

>Unformatted:
