Hi,

I am working on FreeBSD 6.3, with the default rule compiled as PASS.

The following nomatch rule blocks ICMP that matches it; the behavior is different from FreeBSD 4.x, where nomatch is as if the packet didn't match any rules.

   block in quick on vr0 proto icmp from any to 10.1.253.55
   nomatch in quick on vr0 proto icmp from any to 10.1.0.1

I added a printf just before fr_check() is about to return. I found the value of pass in three different cases:

   ping 10.1.0.2        /* this will not match any rule */
   pass value is 0x8000002   /* both the pass and nomatch bits were set */

   ping 10.1.0.1        /* matches "nomatch in quick on vr0 proto icmp from any to 10.1.0.1" */
   pass value is 0x48008100  /* only the nomatch bit was set */

   ping 10.1.253.55     /* matches a block rule */
   pass value is 0x40008101  /* block is set, but nomatch and pass were off */

The code at finished: will drop the mbuf, causing an effective block on the packet.

   finished:
       /* anything that is not a pass, including nomatch, is counted as a block and freed */
       if (!FR_ISPASS(pass)) {
           ATOMIC_INCL(frstats[out].fr_block);
           if (*mp != NULL) {
               FREE_MB_T(*mp);
               m = *mp = NULL;
           }
       }

Anyone know if this is the desired effect?

Regards,
Ming
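Added example, not part of Ming's post: a small C program that decodes the three pass values quoted above and contrasts the quoted finished: check (drop unless FR_ISPASS) with a policy where a nomatch result falls back to the compiled-in default, which is the 4.x behavior the post describes. The flag constants are as I recall them from ipfilter 4.1's ip_fil.h and are an assumption to check against your tree; dropped_by_finished and dropped_with_nomatch_fallback are hypothetical helper names.

```c
#include <stdio.h>
#include <stdint.h>

/* Flag values as I recall them from ipfilter 4.1's ip_fil.h (the version in
 * FreeBSD 6.x); treat them as an assumption and check them against your tree.
 * The low nibble (FR_CMDMASK) is an enumeration, not a set of independent bits. */
#define FR_CALL     0x00000000  /* "call" rule: neither block nor pass */
#define FR_BLOCK    0x00000001
#define FR_PASS     0x00000002
#define FR_CMDMASK  0x0000000f
#define FR_QUICK    0x00000100
#define FR_INQUE    0x00008000
#define FR_NOMATCH  0x08000000
#define FR_COPIED   0x40000000

#define FR_ISPASS(x)    (((x) & FR_CMDMASK) == FR_PASS)
#define FR_ISBLOCK(x)   (((x) & FR_CMDMASK) == FR_BLOCK)
#define FR_ISNOMATCH(x) (((x) & FR_NOMATCH) == FR_NOMATCH)

/* What the quoted finished: code does: anything that is not a pass is dropped. */
int dropped_by_finished(uint32_t pass) { return !FR_ISPASS(pass); }

/* Hypothetical alternative matching the 4.x behavior described in the post:
 * a nomatch result falls through to the compiled-in default (fr_pass). */
int dropped_with_nomatch_fallback(uint32_t pass, uint32_t fr_pass) {
    if (FR_ISNOMATCH(pass))
        pass = fr_pass;
    return !FR_ISPASS(pass);
}

/* Decode a pass word into the flags relevant to the post. */
void describe(uint32_t pass) {
    printf("0x%08x:%s%s%s%s%s%s\n", (unsigned)pass,
        FR_ISPASS(pass) ? " pass" : "", FR_ISBLOCK(pass) ? " block" : "",
        (pass & FR_CMDMASK) == FR_CALL ? " (cmd=call, neither pass nor block)" : "",
        FR_ISNOMATCH(pass) ? " nomatch" : "", (pass & FR_QUICK) ? " quick" : "",
        (pass & FR_INQUE) ? " in" : "");
}

int main(void) {
    const uint32_t fr_pass = FR_PASS | FR_NOMATCH;  /* default rule compiled as PASS */
    const uint32_t cases[] = { 0x08000002, 0x48008100, 0x40008101 };  /* values from the post */
    for (int i = 0; i < 3; i++) {
        describe(cases[i]);
        printf("  finished: drops=%d   nomatch fallback: drops=%d\n",
               dropped_by_finished(cases[i]),
               dropped_with_nomatch_fallback(cases[i], fr_pass));
    }
    return 0;
}
```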
