Date: Thu, 12 Dec 2024 18:13:09 +0100
From: FreeBSD User
To: "Andrey V. Elsukov"
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org, freebsd-current@freebsd.org
Subject: Re: git: 9ea8d692f4cb - main - ipfw: use only needed TCP flags for state tracking
Message-ID: <20241212181336.01db53f2@thor.intern.walstatt.dynvpn.de>
In-Reply-To: <202412121306.4BCD6sqR017458@gitrepo.freebsd.org>
Organization: walstatt-de.de
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Thu, 12 Dec 2024 13:06:54 GMT, "Andrey V. Elsukov" wrote:

> The branch main has been updated by ae:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=9ea8d692f4cb552902b9e8394260d7f3cf4aefb0
>
> commit 9ea8d692f4cb552902b9e8394260d7f3cf4aefb0
> Author: Andrey V. Elsukov
> AuthorDate: 2024-12-12 12:57:45 +0000
> Commit: Andrey V. Elsukov
> CommitDate: 2024-12-12 12:57:45 +0000
>
> ipfw: use only needed TCP flags for state tracking
>
> This fixes stateful firewall failures after adding TH_AE flag
> into TH_FLAGS.
>
> Reported by: ronald
> Fixes: 347dd05
> MFC after: 2 weeks
> --- > sys/netpfil/ipfw/ip_fw_dynamic.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c > index 34aae71c174b..ff55e3360c13 100644 > --- a/sys/netpfil/ipfw/ip_fw_dynamic.c > +++ b/sys/netpfil/ipfw/ip_fw_dynamic.c
> @@ -920,7 +920,8 @@ print_dyn_rule_flags(const struct ipfw_flow_id *id, int dyn_type, > #define _SEQ_GE(a,b) ((int)((a)-(b)) >= 0) > #define BOTH_SYN (TH_SYN | (TH_SYN << 8)) > #define BOTH_FIN (TH_FIN | (TH_FIN << 8)) > -#define TCP_FLAGS (TH_FLAGS | (TH_FLAGS << 8)) > +#define BOTH_RST (TH_RST | (TH_RST << 8)) > +#define TCP_FLAGS (BOTH_SYN | BOTH_FIN | BOTH_RST) > #define ACK_FWD 0x00010000 /* fwd ack seen */ > #define ACK_REV 0x00020000 /* rev ack seen */ > #define ACK_BOTH (ACK_FWD | ACK_REV) >

The problem reported is now also present in 14-STABLE!

--
O. Hartmann
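
Review bot: The new `#define TCP_FLAGS (BOTH_SYN | BOTH_FIN | BOTH_RST)` line carries no comment explaining why the mask is limited to SYN, FIN and RST, and nothing guards the bit layout it relies on. The reverse-direction flags are stored shifted left by 8, and ACK_FWD is defined at 0x00010000 immediately above that second byte, so any flag value wider than 8 bits in a shifted mask would land on the ACK bits. I would add a short comment above the define stating that only these three flags drive state tracking, and a compile-time check after the ACK_BOTH define, for example `CTASSERT((TCP_FLAGS & ACK_BOTH) == 0);`, so that a future widening of the flag set fails the build instead of silently breaking stateful rules. Since the reply reports the same failure on 14-STABLE, the "MFC after: 2 weeks" window is also worth revisiting.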