Hi,


I was playing with tables and found an odd case. It may be a known issue,
but I couldn't find it in the documentation.

I have a bridging firewall with the table definition

table <bcast_default> const { 255.255.255.255/32, 0.0.0.0/32}

and a rule to allow outgoing dhcp:

pass out log quick on $EXT_IF proto udp from <bcast_default> port bootpc to <bcast_default> port bootps

The trouble is that this rule is never matched by a packet with src 0.0.0.0 : 68 and dest
255.255.255.255 : 67 (bootps is port 67, bootpc is port 68).


The origin of the trouble seems to be the handling of 0.0.0.0 in a table.
The rules


pass out log quick on $EXT_IF proto udp from 0.0.0.0 port bootpc to <bcast_default> port bootps

pass out log quick on $EXT_IF proto udp from { 0.0.0.0, 255.255.255.255 } port bootpc to <bcast_default> port bootps

match, while

pass out log quick on $EXT_IF proto udp from <bcast_default> port bootpc to 255.255.255.255 port bootps

fails.

This is sort of what you would expect if the radix tree code were copied from the
routing part of the network stack, since 0.0.0.0 is the special default address.


While this is easy to work around, it should probably be written down in the FAQ.
It's not too hard to be bitten by this if you're doing a lot of work with bridging
firewalls. If you tell me an appropriate place, I'll draft a patch to the FAQ.


Best Wishes,
Greg

Gregory Wright
Antiope Associates LLC

[EMAIL PROTECTED]


