Date: Sun, 3 Aug 2025 10:07:54 GMT
Message-Id: <202508031007.573A7s1L096667@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: "Andrey V. Elsukov"
Subject: git: 877e70e6087f - main - ipfw: add protected rule for orphaned dynamic states
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: ae
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Commit: 877e70e6087f9937e41da82f53bcbb4e04432428

The branch main has been updated by ae:

URL: https://cgit.FreeBSD.org/src/commit/?id=877e70e6087f9937e41da82f53bcbb4e04432428

commit 877e70e6087f9937e41da82f53bcbb4e04432428
Author:     Andrey V. Elsukov
AuthorDate: 2025-07-22 08:20:13 +0000
Commit:     Andrey V. Elsukov
CommitDate: 2025-08-03 10:07:33 +0000

ipfw: add protected rule for orphaned dynamic states

When we have enabled V_dyn_keep_states, states that become ORPHANED will keep a pointer to the original rule. Then this rule pointer is used to apply the rule action after ipfw_dyn_lookup_state(). Some rule actions use IPFW_INC_RULE_COUNTER() directly on this rule pointer to increment rule counters, but other rule actions use chain->map[f_pos] instead. The latter case leads to incrementing counters on the wrong rule, because ORPHANED states have no parent rule in chain->map[]. To solve this we add a protected rule that will be matched only by packets that are handled by ORPHANED states.
This is `count' rule that is prior to the default rule: 65535 count ip from any to any not // orphaned dynamic states counter Obtained from: Yandex LLC Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D51460 --- sys/netpfil/ipfw/ip_fw2.c | 2 +- sys/netpfil/ipfw/ip_fw_dynamic.c | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c index c129c8c49921..3f810533b7fc 100644 --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c @@ -3680,6 +3680,7 @@ vnet_ipfw_init(const void *unused) IPFW_LOCK_INIT(chain); + ipfw_dyn_init(chain); /* fill and insert the default rule */ rule = ipfw_alloc_rule(chain, sizeof(struct ip_fw)); rule->flags |= IPFW_RULE_NOOPT; @@ -3689,7 +3690,6 @@ vnet_ipfw_init(const void *unused) chain->default_rule = rule; ipfw_add_protected_rule(chain, rule, 0); - ipfw_dyn_init(chain); ipfw_eaction_init(chain, first); ipfw_init_skipto_cache(chain); ipfw_bpf_init(first); diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c index 9694c145e112..cfb686594c7c 100644 --- a/sys/netpfil/ipfw/ip_fw_dynamic.c +++ b/sys/netpfil/ipfw/ip_fw_dynamic.c 
@@ -3141,6 +3141,43 @@ ipfw_dump_states(struct ip_fw_chain *chain, struct sockopt_data *sd) #undef DYN_EXPORT_STATES } +/* + * When we have enabled V_dyn_keep_states, states that become ORPHANED + * will keep pointer to original rule. Then this rule pointer is used + * to apply rule action after ipfw_dyn_lookup_state(). + * Some rule actions use IPFW_INC_RULE_COUNTER() directly to this rule + * pointer, but other actions use chain->map[f_pos] instead. The last + * case leads to incrementing counters on the wrong rule, because + * ORPHANED states have not parent rule in chain->map[]. + * To solve this we add protected rule: + * count ip from any to any not // comment + * It will be matched only by packets that are handled by ORPHANED states. + */ +static void +dyn_add_protected_rule(struct ip_fw_chain *chain) +{ + static const char *comment = + "orphaned dynamic states counter"; + struct ip_fw *rule; + ipfw_insn *cmd; + size_t l; + + l = roundup(strlen(comment) + 1, sizeof(uint32_t)); + rule = ipfw_alloc_rule(chain, sizeof(*rule) + sizeof(ipfw_insn) + l); + cmd = rule->cmd; + cmd->opcode = O_NOP; + cmd->len = 1 + l/sizeof(uint32_t); + cmd->len |= F_NOT; /* make rule to be not matched */ + strcpy((char *)(cmd + 1), comment); + cmd += F_LEN(cmd); + + cmd->len = 1; + cmd->opcode = O_COUNT; + rule->act_ofs = cmd - rule->cmd; + rule->cmd_len = rule->act_ofs + 1; + ipfw_add_protected_rule(chain, rule, 0); +} + void ipfw_dyn_init(struct ip_fw_chain *chain) { @@ -3203,6 +3240,8 @@ ipfw_dyn_init(struct ip_fw_chain *chain) callout_init(&V_dyn_timeout, 1); callout_reset(&V_dyn_timeout, hz, dyn_tick, curvnet); IPFW_ADD_OBJ_REWRITER(IS_DEFAULT_VNET(curvnet), dyn_opcodes); + + dyn_add_protected_rule(chain); } void
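Review bot: in the first ip_fw2.c hunk (@@ -3680), moving `ipfw_dyn_init(chain);` ahead of the default-rule allocation is what makes the new count rule land before the default rule (both rules are later handed to ipfw_add_protected_rule(chain, rule, 0)), but nothing at the call site records that dependency. Suggest a one-line comment above the moved call, along the lines of "must run before the default rule is inserted so the orphaned-states count rule precedes it"; without it a later reorder of vnet_ipfw_init silently reverses the ordering the commit message relies on ("prior to the default rule").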
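Review bot: in the second ip_fw2.c hunk (@@ -3689), removing `ipfw_dyn_init(chain);` from after `chain->default_rule = rule;` means dynamic-state initialisation now runs while chain->default_rule is still unset. It is worth confirming that nothing reached from ipfw_dyn_init (including the new dyn_add_protected_rule) dereferences chain->default_rule, and a short comment next to the `chain->default_rule = rule;` assignment stating that the dynamic subsystem is already initialised at this point would document the new invariant for the next reader.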
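Review bot: the ip_fw_dynamic.c hunk adding dyn_add_protected_rule (@@ -3141) does not show the lookup side: for the count rule to be the one credited, ORPHANED states must resolve to this rule's position in chain->map[], and neither the function comment nor the commit message says where f_pos is set for orphaned states. A cross-reference comment in both places would make that coupling visible. Two smaller points in the same function: the comment `/* make rule to be not matched */` should say why F_NOT on an O_NOP achieves that (as I read ipfw_chk, O_NOP sets match = 1 unconditionally and the F_NOT bit then inverts the result, so the opcode can never match a packet), and `strcpy((char *)(cmd + 1), comment);` is only safe because `l` was rounded up from strlen(comment) + 1 a few lines earlier; `strlcpy(..., l)` or a memcpy with the explicit length keeps that bound next to the copy.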
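Review bot: in the ipfw_dyn_init hunk (@@ -3203), `dyn_add_protected_rule(chain);` is called after `callout_reset(&V_dyn_timeout, hz, dyn_tick, curvnet);` has already armed the expiry timer. At vnet init there are no states for dyn_tick to act on, so this is harmless today, but inserting the rule before the callout is armed (or next to the other chain setup earlier in ipfw_dyn_init) avoids having the timer runnable while the chain is still being populated and needs no argument to justify.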