Date:      Sun, 25 Aug 2019 04:56:42 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 238796] ipfilter: failure to detect the same rules when arguments ordered differently
Message-ID:  <bug-238796-7501-rPVcIKqCB6@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-238796-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-238796-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238796

--- Comment #41 from commit-hook@freebsd.org ---
A commit references this bug:

Author: cy
Date: Sun Aug 25 04:56:35 UTC 2019
New revision: 351470
URL: https://svnweb.freebsd.org/changeset/base/351470

Log:
  MFC r350880:

  r272552 applied the patch from ipfilter upstream fil.c r1.129 to fix
  broken ipfilter rule matches (upstream bug #554). The upstream patch
  was incomplete; it resolved all but one rule compare issue. The issue
  fixed here is when "{to, reply-to, dup-to} interface" are used in
  conjunction with "on interface". The match was only made if the on keyword
  was specified in the same order in each case referencing the same rule.
  This commit fixes this.

  The reason for this is that interface name strings and comment keyword
  comments are stored in a variable length field starting at fr_names
  in the frentry struct. These strings are placed into this variable length
  in the order they are encountered by ipf_y.y and indexed through index
  pointers in fr_ifnames, fr_comment or one of the frdest struct fd_name
  fields. (Three frdest structs are within frentry.) Order matters and
  this patch takes this into account.

  While in here it was discovered that though ipfilter is designed to
  support multiple interface specifications per rule (up to four), this
  undocumented (the man page makes no mention of it) feature does not work.
  A todo is to fix the multiple interfaces feature at a later date. To
  understand the design decision as to why only four were intended, it is
  suspected that the decision was made because Sun workstations and PCs
  rarely if ever exceeded four NICs at the time; this is not true in 2019.

  PR:           238796
  Reported by:  WHR <msl0000023508@gmail.com>

Changes:
_U  stable/11/
  stable/11/sys/contrib/ipfilter/netinet/fil.c
  stable/11/sys/contrib/ipfilter/netinet/ip_fil.h
_U  stable/12/
  stable/12/sys/contrib/ipfilter/netinet/fil.c
  stable/12/sys/contrib/ipfilter/netinet/ip_fil.h

-- 
You are receiving this mail because:
You are on the CC list for the bug.
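The commit message above explains why the old comparison missed equivalent rules: the "on" interface name and the "to"/"reply-to"/"dup-to" destination name share one variable-length string pool (fr_names) and are referenced by offsets, so two rules that parse the same keywords in a different order end up with different pool layouts. The following stand-alone C program is an added illustration of that failure mode and of the order-insensitive fix; it is not ipfilter's code and the `struct rule`, `build_rule`, `rules_equal_naive` and `rules_equal_by_field` names are a deliberately simplified model of frentry, not the real struct or the functions changed in r351470.

```c
#include <stdio.h>
#include <string.h>

#define NAMES_LEN 64
#define NO_NAME   (-1)

/* Hypothetical, simplified stand-in for ipfilter's frentry: the "on"
 * interface name and the "to" destination interface name both live in one
 * variable-length pool (names[], modelling fr_names) and are referenced by
 * byte offsets (modelling fr_ifnames / fd_name index pointers). */
struct rule {
    int  on_ifname;        /* offset of the "on" interface name, or NO_NAME */
    int  to_ifname;        /* offset of the "to" interface name, or NO_NAME */
    int  names_len;        /* bytes used in names[] */
    char names[NAMES_LEN];
};

/* Append a NUL-terminated string to the pool and return its offset. */
static int add_name(struct rule *r, const char *s)
{
    size_t n = strlen(s) + 1;
    int off = r->names_len;

    if ((size_t)off + n > NAMES_LEN)
        return NO_NAME;
    memcpy(r->names + off, s, n);
    r->names_len += (int)n;
    return off;
}

/* Build a rule the way a parser would: on_first selects whether the "on"
 * or the "to" keyword was seen first, which decides where each string
 * lands in the pool. Both orders describe the same rule. */
void build_rule(struct rule *r, const char *on, const char *to, int on_first)
{
    memset(r, 0, sizeof(*r));
    r->on_ifname = r->to_ifname = NO_NAME;
    if (on_first) {
        r->on_ifname = add_name(r, on);
        r->to_ifname = add_name(r, to);
    } else {
        r->to_ifname = add_name(r, to);
        r->on_ifname = add_name(r, on);
    }
}

/* Broken comparison: compares the raw pool bytes, so it only matches when
 * the keywords appeared in the same order in both rules. */
int rules_equal_naive(const struct rule *a, const struct rule *b)
{
    return a->names_len == b->names_len &&
           memcmp(a->names, b->names, (size_t)a->names_len) == 0;
}

/* Compare one named field of two rules by the string it refers to. */
static int name_eq(const struct rule *a, int ao, const struct rule *b, int bo)
{
    if (ao == NO_NAME || bo == NO_NAME)
        return ao == bo;
    return strcmp(a->names + ao, b->names + bo) == 0;
}

/* Fixed comparison: resolve each offset to its string and compare field by
 * field, so pool layout (keyword order) no longer matters. */
int rules_equal_by_field(const struct rule *a, const struct rule *b)
{
    return name_eq(a, a->on_ifname, b, b->on_ifname) &&
           name_eq(a, a->to_ifname, b, b->to_ifname);
}

int main(void)
{
    struct rule r1, r2;

    /* Constructed input: the same rule written "on em0 ... to em1" and
     * "to em1 ... on em0". */
    build_rule(&r1, "em0", "em1", 1);
    build_rule(&r2, "em0", "em1", 0);
    printf("naive compare: %d, field compare: %d\n",
           rules_equal_naive(&r1, &r2), rules_equal_by_field(&r1, &r2));
    return 0;
}
```

The naive comparison answers 0 for the two spellings of the same rule, which is the symptom reported in this bug; the field-wise comparison answers 1, and still distinguishes a rule whose "on" and "to" interfaces are genuinely swapped.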



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-238796-7501-rPVcIKqCB6>