List:       ipfilter
Subject:    nomatch rule behave the same as block
From:       Ming Fu <fming () borderware ! com>
Date:       2008-10-15 19:59:38
Message-ID: 26629_1224101482_48F64E6A_26629_8340_1_48F64BAA.6010800 () borderware ! com
Hi,

I am working on FreeBSD 6.3, and I compiled the default rule as PASS.

The following nomatch rule blocks ICMP that matches it; this behavior is
different from FreeBSD 4.x, where nomatch acts as if the packet didn't
match any rule.

    block in quick on vr0 proto icmp from any to 10.1.253.55
    nomatch in quick on vr0 proto icmp from any to 10.1.0.1

I added a printf just before fr_check() is about to return. I found the
value of pass in three different cases:

    ping 10.1.0.2    /* this will not match any rule */
          pass value is 0x8000002   /* both pass and nomatch bit were set */

    ping 10.1.0.1    /* match "nomatch in quick on vr0 proto icmp from any to 10.1.0.1" */
          pass value is 0x48008100  /* only nomatch bit was set */

    ping 10.1.253.55 /* match a block rule */
          pass value is 0x40008101  /* block is set, but nomatch and pass were off */

The code at finished: will drop the mbuf, causing an effective block on the
packet.

finished:
    if (!FR_ISPASS(pass)) {
        ATOMIC_INCL(frstats[out].fr_block);
        if (*mp != NULL) {
            FREE_MB_T(*mp);       /* mbuf freed: the packet is dropped */
            m = *mp = NULL;
        }
    }

Anyone know if this is the desired effect?

Regards,
Ming
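
The difference the post describes, as an added example that is not ipfilter code and not part of the original message: a constructed model of rule evaluation with the two rules above and a compiled PASS default. The `legacy` flag selects the FreeBSD 4.x semantics the post expects (nomatch is treated as "no rule matched", so the default applies) versus the observed 6.3 behaviour (a nomatch hit is not a pass, so the `finished:` check drops the packet). The rule struct, `evaluate()` and the action names are all assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not ipfilter's data structures. */
enum action { ACT_BLOCK, ACT_PASS, ACT_NOMATCH };

struct rule {
    enum action act;
    int quick;         /* stop scanning the list on a match */
    const char *dst;   /* destination the rule matches (ICMP in on vr0 assumed) */
};

/* The two rules from the post, in list order. */
static const struct rule rules[] = {
    { ACT_BLOCK,   1, "10.1.253.55" },
    { ACT_NOMATCH, 1, "10.1.0.1" },
};

/* Evaluate one inbound ICMP packet to dst.
 * legacy != 0: FreeBSD 4.x semantics, nomatch falls back to the default.
 * legacy == 0: observed FreeBSD 6.3 semantics, nomatch is "not a pass". */
enum action evaluate(const char *dst, int legacy)
{
    enum action result = ACT_PASS;   /* compiled default rule: PASS */
    int matched = 0;

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        if (strcmp(rules[i].dst, dst) != 0)
            continue;
        result = rules[i].act;
        matched = 1;
        if (rules[i].quick)
            break;
    }
    if (!matched)
        return ACT_PASS;             /* no rule matched: default applies */
    if (result == ACT_NOMATCH)
        return legacy ? ACT_PASS : ACT_BLOCK;  /* the behaviour in question */
    return result;
}

int main(void)
{
    const char *hosts[] = { "10.1.0.2", "10.1.0.1", "10.1.253.55" };
    for (int i = 0; i < 3; i++)
        printf("%-12s 4.x: %s   6.3: %s\n", hosts[i],
               evaluate(hosts[i], 1) == ACT_PASS ? "pass" : "block",
               evaluate(hosts[i], 0) == ACT_PASS ? "pass" : "block");
    return 0;
}
```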
