From nobody Thu May 8 13:10:44 2025
Date: Thu, 8 May 2025 13:10:44 GMT
Message-Id: <202505081310.548DAiUm047205@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: b70fadca623f - main - pf: fix dealing with 0 limits
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Commit: b70fadca623f1ce62c34c67270feae6cf48ca4ba

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=b70fadca623f1ce62c34c67270feae6cf48ca4ba

commit b70fadca623f1ce62c34c67270feae6cf48ca4ba
Author:     Kristof Provost
AuthorDate: 2025-05-07 08:43:14 +0000
Commit:     Kristof Provost
CommitDate: 2025-05-08 13:10:25 +0000

    pf: fix dealing with 0 limits

    uma doesn't like setting a limit on a zone which previously had none.
    At startup pf applies the default limit to all zones, so we can assume a
    limit was always set.

    We cope with the uma limitation by translating a limit of '0' (i.e.
    unlimited) to INT_MAX. This is high enough that we'll never
    realistically hit this limit, but it keeps uma happy.

    Add a test case to provoke this, and while we're here also fix
    syncookie handling of a 0 state limit.

    See also:       d53927b0bae45
    Reported-by:    syzbot+02b784f183f79d4c07e4@syzkaller.appspotmail.com
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 lib/libpfctl/libpfctl.c        |  6 +++++
 sys/netpfil/pf/pf_ioctl.c      |  3 ++-
 tests/sys/netpfil/pf/limits.sh | 53 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index 271fb33babfe..a4afa26f0afe 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -2271,6 +2271,9 @@ pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s) if (ret != 0) return (ret); + if (state_limit == 0) + state_limit = INT_MAX; + lim = state_limit; hi = lim * s->highwater / 100; lo = lim * s->lowwater / 100; @@ -2311,6 +2314,9 @@ pfctl_get_syncookies(int dev, struct pfctl_syncookies *s) if (ret != 0) return (ret); + if (state_limit == 0) + state_limit = INT_MAX; + bzero(s, sizeof(*s)); nvl = nvlist_create(0); diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 5c3aec906b79..bd3c2b93c954 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2537,7 +2537,8 @@ pf_ioctl_set_limit(int index, unsigned int limit, unsigned int *old_limit) PF_RULES_WUNLOCK(); return (EINVAL); } - uma_zone_set_max(V_pf_limits[index].zone, limit); + uma_zone_set_max(V_pf_limits[index].zone, + limit == 0 ? INT_MAX : limit); if (old_limit != NULL) *old_limit = V_pf_limits[index].limit; V_pf_limits[index].limit = limit; diff --git a/tests/sys/netpfil/pf/limits.sh b/tests/sys/netpfil/pf/limits.sh index 474684bef660..69f0b6af2ccf 100644 --- a/tests/sys/netpfil/pf/limits.sh +++ b/tests/sys/netpfil/pf/limits.sh 
@@ -60,7 +60,60 @@ basic_cleanup() pft_cleanup } +atf_test_case "zero" "cleanup" +zero_head() +{ + atf_set descr 'Test changing a limit from zero on an in-use zone' + atf_set require.user root +} + +zero_body() +{ + pft_init + + epair=$(vnet_mkepair) + ifconfig ${epair}b 192.0.2.2/24 up + + vnet_mkjail alcatraz ${epair}a + jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up + + atf_check -s exit:0 -o ignore \ + ping -c 3 192.0.2.1 + + jexec alcatraz pfctl -e + # Set no limit + pft_set_rules noflush alcatraz \ + "set limit states 0" \ + "pass" + + # Check that we really report no limit + atf_check -s exit:0 -o 'match:states hard limit 0' \ + jexec alcatraz pfctl -sa + + # Create a state + atf_check -s exit:0 -o ignore \ + ping -c 3 192.0.2.1 + + # Limit states + pft_set_rules noflush alcatraz \ + "set limit states 1000" \ + "pass" + + # And create a new state + atf_check -s exit:0 -o ignore \ + ping -c 3 192.0.2.1 + + atf_check -s exit:0 -o 'match:states hard limit 1000' \ + jexec alcatraz pfctl -sa +} + +zero_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "basic" + atf_add_test_case "zero" }
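Review bot: in the pfctl_set_syncookies hunk, INT_MAX is substituted for a zero state_limit immediately before `lim = state_limit;` and `hi = lim * s->highwater / 100;`, but the declarations of `lim`, `hi` and `lo` are outside the hunk, so please confirm they are 64-bit: with `lim` equal to INT_MAX, `lim * s->highwater` reaches roughly 2.1e11 before the division and would overflow a 32-bit type, silently producing wrong syncookie thresholds for exactly the unlimited case this change is meant to handle. Also check that libpfctl.c already includes <limits.h>, since the hunk starts using INT_MAX without adding an include.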
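Review bot: the pfctl_get_syncookies hunk repeats the `if (state_limit == 0) state_limit = INT_MAX;` translation from pfctl_set_syncookies, and the kernel does it a third time in pf_ioctl_set_limit; consider doing it once in a small helper (or at the point where the limit is read) so the two library call sites cannot drift apart, and put a one-line comment at the translation saying that 0 means unlimited and that the substitution exists only because uma will not remove a limit from a zone that previously had one, since that rationale currently lives only in the commit message.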
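Review bot: in the pf_ioctl_set_limit hunk, `uma_zone_set_max(V_pf_limits[index].zone, limit == 0 ? INT_MAX : limit);` needs a comment at the call site explaining why 0 is mapped to INT_MAX, and it is worth noting in that comment that `V_pf_limits[index].limit = limit;` still records the raw 0, so `pfctl -sa` keeps reporting `states hard limit 0`, which is what the new test relies on. The function already returns EINVAL for a bad index just above this hunk; given that `limit` is an `unsigned int` in the signature, a value above INT_MAX would still be handed to uma unchanged (and wraps negative if uma_zone_set_max takes an int count), so this is the natural place to reject limits greater than INT_MAX with the same EINVAL.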
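Review bot: the new `zero` test case covers only `set limit states 0` followed by `set limit states 1000`; it does not exercise the libpfctl syncookie change in the same commit, so a rule set that enables syncookies while the state limit is 0 would leave pfctl_set_syncookies and pfctl_get_syncookies untested. Consider also checking the reverse transition (1000 back to 0 on the still in-use zone) and asserting with `pfctl -ss` that the state created between the two `pft_set_rules noflush` calls is still present afterwards, so the test really verifies the "in-use zone" its description names rather than just that ping still works. The three `ping -c 3 192.0.2.1` invocations carry no `-t` deadline, so a broken state path hangs the test instead of failing it; a short timeout would make the failure mode explicit.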