Subject: Re: bin/30400: ipf log dup-to bug
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Bernd Ernesti <netbsd@lists.veego.de>
List: netbsd-bugs
Date: 06/12/2005 18:19:01
The following reply was made to PR bin/30400; it has been noted by GNATS.

From: Bernd Ernesti <netbsd@lists.veego.de>
To: Patrick Welche <prlw1@newn.cam.ac.uk>
Cc: gnats-bugs@NetBSD.org
Subject: Re: bin/30400: ipf log dup-to bug
Date: Sun, 12 Jun 2005 20:17:59 +0200

 On Sun, Jun 12, 2005 at 06:55:05PM +0100, Patrick Welche wrote:
 > On Sun, Jun 12, 2005 at 12:26:20AM +0200, Bernd Ernesti wrote:
 [..]
 > > To quote the part which you missed again:
 > > 
 > > .. and has no effect on whether the packet will be allowed through the filter.
 > 
 > To quote the part which you missed again:
 > 
 >   log out on rtk0 dup-to xi0 all
 >                   ^^^^^^^^^^
 
 PLEASE, read the manpage for ipf(5) again:
 
 GRAMMAR
        The  format  used  by  ipf  for  construction of filtering rules can be
        described using the following grammar in BNF:
        filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
                   [ proto ] ip [ group ].
 
        insert    = "@" decnumber .
        action    = block | "pass" | log | "count" | skip | auth | call .
 [..]
 ACTIONS
        The  action indicates what to do with the packet if it matches the rest
        of the filter rule. Each  rule  MUST  have  an  action.  The  following
        actions are recognised:
 [..]
        pass   will flag the packet to be let through the filter.
 
        log    causes the packet to be logged (as described in the LOGGING sec-
               tion  below)  and  has  no  effect on whether the packet will be
               allowed through the filter.
 
 > > log as an action just does logging and nothing more.
 > 
 > Of course the above rule doesn't say anything about whether or not a packet
 > leaves rtk0, and just logs the packet to /dev/ipl.
 
 log != pass
 
 That's just LOGGING, nothing which allows it to pass this rule.
 
 You always have to use a 'pass' action if you want the packet to proceed.
 
 There is also an option 'log' but that has to come AFTER the 'in' or 'out'.
 
 > You haven't explained to me why no packet leaves xi0.
 
 Read what I said above.
 
 The 'log' action is not a 'pass' action.
 
 Bernd
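
Added illustration, not part of the thread: a small Python model of the ipf(5) rule grammar quoted above. It only knows the action keywords, the in/out keyword and the options discussed here (log, quick, on, dup-to), so it is a teaching aid and not ipf's own parser; it shows why 'log out on rtk0 dup-to xi0 all' passes nothing, while 'pass out log on rtk0 dup-to xi0 all' both passes and logs, and why 'pass log out ...' is rejected because the 'log' option must follow 'in' or 'out'.

```python
"""Simplified model of the ipf(5) filter-rule grammar (constructed example).

Only the pieces the thread argues about are modelled: the action, the
in/out keyword and the options log, quick, on <if> and dup-to <if>.
"""

# Actions recognised by this toy model (a subset of the ipf(5) ACTIONS list).
ACTIONS = {"block", "pass", "log", "count"}


def parse_rule(rule):
    """Return what a rule does: whether it passes, logs and duplicates."""
    toks = rule.split()
    if len(toks) < 2 or toks[0] not in ACTIONS:
        raise ValueError("rule must start with an action: %r" % rule)
    if toks[1] not in ("in", "out"):
        # 'pass log out ...' ends up here: the log *option* belongs after in/out.
        raise ValueError("action must be followed by 'in' or 'out': %r" % rule)
    info = {
        "action": toks[0],
        "direction": toks[1],
        # Only the 'pass' action lets the packet through; 'log' as an action
        # does not affect whether the packet is allowed through the filter.
        "passes": toks[0] == "pass",
        # The 'log' action logs; so does the 'log' option after in/out.
        "logs": toks[0] == "log",
        "quick": False,
        "on": None,
        "dup_to": None,
    }
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "log":
            info["logs"] = True
        elif t == "quick":
            info["quick"] = True
        elif t in ("on", "dup-to"):
            if i + 1 >= len(toks):
                raise ValueError("%s needs an interface name" % t)
            info["on" if t == "on" else "dup_to"] = toks[i + 1]
            i += 1
        elif t in ("all", "from", "proto"):
            break  # the proto/ip part of the rule is not modelled here
        else:
            raise ValueError("unknown token %r" % t)
        i += 1
    if info["dup_to"] and not info["passes"]:
        info["warning"] = "dup-to on a non-pass rule: this rule passes no packet"
    return info
```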