From nobody Sun Aug  3 09:59:30 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bvwC62f7qz638X9;
	Sun, 03 Aug 2025 09:59:30 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4bvwC61l99z3sP0;
	Sun, 03 Aug 2025 09:59:30 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1754215170;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=9dCf7Qv52Co+Anor7Kxi/sEKbKKdZ/Qe/GB13JpWB8c=;
	b=ltKHdeeG1VlWc0EGXyjRmFwN700OEUHe3Fec8LTjslKoCvpttJLbAsW8559MP1Ozx5Zjkl
	yIEQ8xjrlXzXTOA+BLF/w3flldDP1hmGPU3lNJA6hlJPScRA8n/3XWEP5fIi1RLhFJOAw1
	lzOZsPsyAjgPCkseljbOkCkXLVXrFehq5ouYSwcoOGr2pqCHvWYyyWWqmTGT4Guzdz42GG
	dK6Ef0bzzVzj72khiu8cJ4wPUF8UGZ2sfhKe8JJvjBYMAv5WX2ccd1cXwLvOrWVz/iAVWi
	XoZHqiWH+PrM8vnOZgY2wKz72I+toh02bgXfzZgB191GVb2e8R1ixjMyGahREg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1754215170;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=9dCf7Qv52Co+Anor7Kxi/sEKbKKdZ/Qe/GB13JpWB8c=;
	b=LAC+J3NEf9xkp9B5L59+B3deS0wAX3uYIrkMO0nERX4SuIiZcdM84tFWAXnQk4ANso0aSU
	cIqqoyet0EVFQrj/BE3XnTWDEL6qneP3MvmxrADqq2imRVHaaa0TVfd3cdz97OfVEKHpIa
	wl+ZUKXSJ2DGQB2jGMLjxw5Eqcwd06jntabluWg+iPyzpm3LAP6NjEoCcyRNqgTQcILynH
	zlvYMKMBuwK67WhssOb1wUUFbgCI3VbDWrl9GeOeetxzCGO8oQYxXs7+DWkCOg8QF4fw86
	BeZjz56SSt851PwD5Cuz347Mi8qYwre5SSu9kjQfELUkFshriWZUarY7d3rn7A==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1754215170; a=rsa-sha256; cv=none;
	b=h9/BM+FWB8QFmRspVJ4fTy7hZp+GS0JmkxFCFqpIKDkrahlNT7EYixJUB2YvZ6b7bnxfgO
	HGHrasXIBQsnJzl+VFdu6C2LxkFWJKPvKMJPEhAvgCB8kZ2Vx3Fcj5Yf5S+8AMqCeLAN7n
	KJbNfq9CTxtS6UNWnmWEsXna4Uy/RUzTi8Ky1p7CJk1oVikTKE7Yjcr0kPz9cVBjXMJZPV
	Xm6VSHivsNbMV/ZjdLD/D8WGMrMTJmYasXp6AN3ueeT+SQfAAQ8XPJ1egw5rXBqDAZcqce
	478Wqy0wLlhlaQ22Or1WTS4cEyDDMaUUQFhK0BK8hGc3Vfcj6YF4tIm9K7A99w==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bvwC61Gn0zyWs;
	Sun, 03 Aug 2025 09:59:30 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 5739xU9h077029;
	Sun, 3 Aug 2025 09:59:30 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 5739xUjn077026;
	Sun, 3 Aug 2025 09:59:30 GMT
	(envelope-from git)
Date: Sun, 3 Aug 2025 09:59:30 GMT
Message-Id: <202508030959.5739xUjn077026@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Subject: git: 3b67473b9757 - main - ipfw: add additional handling
  for orphaned states
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ae
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 3b67473b97574d13eef8302c61c7245b3b3c52c1
Auto-Submitted: auto-generated

The branch main has been updated by ae:

URL: https://cgit.FreeBSD.org/src/commit/?id=3b67473b97574d13eef8302c61c7245b3b3c52c1

commit 3b67473b97574d13eef8302c61c7245b3b3c52c1
Author:     Andrey V. Elsukov <ae@FreeBSD.org>
AuthorDate: 2025-07-22 08:12:36 +0000
Commit:     Andrey V. Elsukov <ae@FreeBSD.org>
CommitDate: 2025-08-03 09:54:39 +0000

    ipfw: add additional handling for orphaned states
    
    When parent rule of dynamic state is deleted and
    net.inet.ip.fw.dyn_keep_states is enabled, dynamic states are kept
    working and such states are called ORPHANED.
    Orphaned states still keep pointer to original parent rule. And in
    case when rule action is skipto this can lead to unpredictable
    consequences. To avoid this problem add special handling for skipto
    action when we have found ORPHANED state.
    Check that new rule has the same opcode and skipto number for
    O_SKIPTO rule action.
    
    Obtained from:  Yandex LLC
    Sponsored by:   Yandex LLC
    Differential Revision: https://reviews.freebsd.org/D51459
---
 sys/netpfil/ipfw/ip_fw_dynamic.c | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c
index 40598cef8076..9694c145e112 100644
--- a/sys/netpfil/ipfw/ip_fw_dynamic.c
+++ b/sys/netpfil/ipfw/ip_fw_dynamic.c
@@ -1323,6 +1323,33 @@ dyn_lookup_ipv6_parent_locked(const struct ipfw_flow_id *pkt, uint32_t zoneid,
 
 #endif /* INET6 */
 
+static int
+dyn_handle_orphaned(struct ip_fw *old_rule, struct dyn_data *data)
+{
+	struct ip_fw *rule;
+	const ipfw_insn *cmd, *old_cmd;
+
+	old_cmd = ACTION_PTR(old_rule);
+	switch (old_cmd->opcode) {
+	case O_SETMARK:
+	case O_SKIPTO:
+		/*
+		 * Rule pointer was changed. For O_SKIPTO action it can be
+		 * dangerous to keep use old rule. If new rule has the same
+		 * action and the same destination number, then use this dynamic
+		 * state. Otherwise it is better to create new one.
+		 */
+		rule = V_layer3_chain.map[data->f_pos];
+		cmd = ACTION_PTR(rule);
+		if (cmd->opcode != old_cmd->opcode ||
+		    cmd->len != old_cmd->len || cmd->arg1 != old_cmd->arg1 ||
+		    insntoc(cmd, u32)->d[0] != insntoc(old_cmd, u32)->d[0])
+			return (-1);
+		break;
+	}
+	return (0);
+}
+
 /*
  * Lookup dynamic state.
  *  pkt - filled by ipfw_chk() ipfw_flow_id;
@@ -1426,8 +1453,13 @@ ipfw_dyn_lookup_state(const struct ip_fw_args *args, const void *ulp,
 				 * changed to point to the penultimate rule.
 				 */
 				MPASS(V_layer3_chain.n_rules > 1);
-				data->chain_id = V_layer3_chain.id;
-				data->f_pos = V_layer3_chain.n_rules - 2;
+				if (dyn_handle_orphaned(rule, data) == 0) {
+					data->chain_id = V_layer3_chain.id;
+					data->f_pos = V_layer3_chain.n_rules - 2;
+				} else {
+					rule = NULL;
+					info->direction = MATCH_NONE;
+				}
 			} else {
 				rule = NULL;
 				info->direction = MATCH_NONE;