Date: Fri, 16 Feb 2024 02:11:03 +0000 From: bugzilla-noreply@freebsd.org To: ipfw@FreeBSD.org Subject: [Bug 276732] IPFW keep-state rules with untag do not go through parent rule cmd Message-ID: <bug-276732-8303-pTtNdfAoqx@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-276732-8303@https.bugs.freebsd.org/bugzilla/> References: <bug-276732-8303@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D276732 --- Comment #8 from commit-hook@FreeBSD.org --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=3D62b1faa3b7495de22a3225e42dabe6ce8= c371e86 commit 62b1faa3b7495de22a3225e42dabe6ce8c371e86 Author: Karim Fodil-Lemelin <kfl@xiplink.com> AuthorDate: 2024-02-16 01:57:51 +0000 Commit: John Baldwin <jhb@FreeBSD.org> CommitDate: 2024-02-16 01:57:51 +0000 ipfw: Skip to the start of the loop when following a keep-state rule When a packet matches an existing dynamic rule for a keep-state rule, the matching engine advances the "instruction pointer" to the action portion of the rule skipping over the match conditions. However, the code was merely breaking out of the switch statement rather than doing a continue, so the remainder of the loop body after the switch was still executed. If the first action opcode contains an F_NOT but not an F_OR (such as an "untag" action), then match is toggled to 0, and the code exits the inner loop via a break which aborts processing of the actions. To fix, just use a continue instead of a break. PR: 276732 Reviewed by: jhb, ae MFC after: 2 weeks sys/netpfil/ipfw/ip_fw2.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-276732-8303-pTtNdfAoqx>