From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 276732] IPFW keep-state rules with untag do not go through parent rule cmd
Date: Fri, 16 Feb 2024 02:11:03 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276732

--- Comment #8 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=62b1faa3b7495de22a3225e42dabe6ce8c371e86

commit 62b1faa3b7495de22a3225e42dabe6ce8c371e86
Author:     Karim Fodil-Lemelin
AuthorDate: 2024-02-16 01:57:51 +0000
Commit:     John Baldwin
CommitDate: 2024-02-16 01:57:51 +0000

    ipfw: Skip to the start of the loop when following a keep-state rule

    When a packet matches an existing dynamic rule for a keep-state rule,
    the matching engine advances the "instruction pointer" to the action
    portion of the rule skipping over the match conditions.  However, the
    code was merely breaking out of the switch statement rather than doing
    a continue, so the remainder of the loop body after the switch was
    still executed.  If the first action opcode contains an F_NOT but not
    an F_OR (such as an "untag" action), then match is toggled to 0, and
    the code exits the inner loop via a break which aborts processing of
    the actions.

    To fix, just use a continue instead of a break.

    PR:             276732
    Reviewed by:    jhb, ae
    MFC after:      2 weeks

 sys/netpfil/ipfw/ip_fw2.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
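
A simplified C model of the control flow described in the commit message above, added here as an illustration; it is not the code from sys/netpfil/ipfw/ip_fw2.c. The opcode names, flag values, rule layout and `run_rule` are assumptions of the model, which compares the `break` behaviour with the `continue` behaviour on a rule whose first action is an "untag".

```c
#include <stdio.h>
/* Constructed model values; not copied from the kernel headers. */
enum { F_NOT = 0x80, F_OR = 0x40, RULE_LEN = 3, ACT_OFS = 1 };
enum { OP_CHECK_STATE, OP_TAG, OP_ACCEPT };
struct insn { int opcode; int flags; };

/* Model rule: state check, then the actions "untag" and "accept". */
static const struct insn rule[] =
    { { OP_CHECK_STATE, 0 }, { OP_TAG, F_NOT }, { OP_ACCEPT, 0 } };

/* Returns 1 if the accept action ran, 0 if action processing was aborted. */
int run_rule(int use_continue, int *untagged)
{
    const struct insn *cmd;
    int l, cmdlen;
    *untagged = 0;
    for (l = RULE_LEN, cmd = rule; l > 0; l -= cmdlen, cmd += cmdlen) {
        int match = 0;
        cmdlen = 1;
        switch (cmd->opcode) {
        case OP_CHECK_STATE:            /* packet matches existing state */
            cmd = rule + ACT_OFS;       /* jump to the first action */
            l = RULE_LEN - ACT_OFS;
            cmdlen = 0;                 /* loop step must not advance cmd */
            if (use_continue)
                continue;               /* fixed: restart the loop body */
            match = 1;
            break;                      /* buggy: leaves only the switch */
        case OP_TAG:                    /* F_NOT set means "untag" */
            *untagged = (cmd->flags & F_NOT) != 0;
            match = !*untagged;         /* untag leaves 0, inverted below */
            break;
        case OP_ACCEPT:
            return 1;
        }
        if (cmd->flags & F_NOT)         /* after a jump this reads the action */
            match = !match;
        if (!match && !(cmd->flags & F_OR))
            break;                      /* no match: stop processing the rule */
    }
    return 0;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        int u, r = run_rule(fixed, &u);
        printf("continue=%d accept=%d untag=%d\n", fixed, r, u);
    }
    return 0;
}
```

In the `break` variant the flag handling after the switch runs against the untag opcode before that opcode has executed, so neither the untag nor the accept action is applied.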