From nobody Sun Aug  3 10:07:54 2025
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bvwNp4mJ8z6397j;
	Sun, 03 Aug 2025 10:07:54 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4bvwNp4Bh3z3tsf;
	Sun, 03 Aug 2025 10:07:54 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1754215674;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=QiH5aEmUtrFBZDA5tOUwEqNg2DSI5yKGgcS01omq5D8=;
	b=HD5J7JlBdMu0ZqHhOH9Yj0F42vmVyvMtM1oXmnBv46l+5quarBnhFBYGpuxW7TkdlpekDO
	u4IWftaEmO+oPBgp6R0QCy9y3yH5udg9cgOfM7fS7GYSkkHx7jkx3RhsDdLvbQFE8JB2P2
	kNoCsYMRogsp97t2MxsVbHeaEo6omcBUtnu/qEEfgrgGjfjv30Rrn68Uq4WhKiDNrfxWls
	E0lcEeqS0NrUuQCuy1Rc8QN84nHvynRIyXxeOGBV0dzJEGUkWY+RG8AOkzkDhA3BY7PqDz
	0USdWhL674FUpEdTuudt18BMOLbB/qzRSmzVV+PgHafv0oFEwLtOnJ+XvaL8cw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1754215674;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=QiH5aEmUtrFBZDA5tOUwEqNg2DSI5yKGgcS01omq5D8=;
	b=jVborpznIaQVrquK/L0LCoy1963Ah7d4TuoncL3q2E19mMSoL60Ih6MASlR0YT6JhROTFP
	8J7CaNOMohWpVUoFvfBTl7duZRO6F0hc+4vz0pTLh8Er7zdZlYA1CW1LGUd6DJNglqX2mk
	mklQzsUh6Ggn0X48Fn8VXBeJzPdWq8RStVqqkvvhv3PcsnsvYcvKjjoPyvBaWQwRE58cJ4
	BD3lYCzfyctqiq3pIZ20RKlO2zj3z1YvFKxBVKrFm01pRewiS/sINya/FYj6pdKMQxymCX
	dv8pS70Gm0GB8GHDgkU/gv9pOu1g6LU9ufHBgmBqYUX71qhpbsEksSOxKhD7Fg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1754215674; a=rsa-sha256; cv=none;
	b=NedGEfpjAPMSuQfIAmXdFedp7p2xLlvwWIGaRwCq9efpW7gMFhc59Lamn9mRPfx90Gf5uT
	TeWtQ2m8a3vGyAttI6gl9gSkuCInDe4VCmTtqSgJFXWEF+hsxWE8LXkqnAX5gPEr9fXR2l
	xyIsoghhoY/18J/Q7g0y4TFtrjXjo0W4iJKjoJHJ2Gq6Swj+vVbPF998uXyAfA0Y7pyUrp
	8Y/fM+6Jq5Y6Y2uMXYw+o3ej79Ga427GCxAmz7Y3Z4wE6xOEyclNifE4fQiAR1IZ5YXoo1
	/XXxpbQwJtvcCCD/TJi0kTqcv7S5J/EMWg4ZiNVvhu5L4Jd7Q7h/YeyqrVfJTw==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bvwNp3HDmzyb8;
	Sun, 03 Aug 2025 10:07:54 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 573A7sD0096670;
	Sun, 3 Aug 2025 10:07:54 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 573A7s1L096667;
	Sun, 3 Aug 2025 10:07:54 GMT
	(envelope-from git)
Date: Sun, 3 Aug 2025 10:07:54 GMT
Message-Id: <202508031007.573A7s1L096667@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
        dev-commits-src-main@FreeBSD.org
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Subject: git: 877e70e6087f - main - ipfw: add protected rule for
  orphaned dynamic states
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ae
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 877e70e6087f9937e41da82f53bcbb4e04432428
Auto-Submitted: auto-generated

The branch main has been updated by ae:

URL: https://cgit.FreeBSD.org/src/commit/?id=877e70e6087f9937e41da82f53bcbb4e04432428

commit 877e70e6087f9937e41da82f53bcbb4e04432428
Author:     Andrey V. Elsukov <ae@FreeBSD.org>
AuthorDate: 2025-07-22 08:20:13 +0000
Commit:     Andrey V. Elsukov <ae@FreeBSD.org>
CommitDate: 2025-08-03 10:07:33 +0000

    ipfw: add protected rule for orphaned dynamic states
    
    When we have enabled V_dyn_keep_states, states that become ORPHANED
    will keep pointer to original rule. Then this rule pointer is used
    to apply rule action after ipfw_dyn_lookup_state().
    Some rule actions use IPFW_INC_RULE_COUNTER() directly to this rule
    pointer to increment rule counters, but other rule actions use
    chain->map[f_pos] instead. The last case leads to incrementing counters
    on the wrong rule, because ORPHANED states have not parent rule in
    chain->map[].
    To solve this we add protected rule, that will be matched only by
    packets that are handled by ORPHANED states. This is `count' rule
    that is prior to the default rule:
    
     65535 count ip from any to any not // orphaned dynamic states counter
    
    Obtained from:  Yandex LLC
    Sponsored by:   Yandex LLC
    Differential Revision: https://reviews.freebsd.org/D51460
---
 sys/netpfil/ipfw/ip_fw2.c        |  2 +-
 sys/netpfil/ipfw/ip_fw_dynamic.c | 39 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c
index c129c8c49921..3f810533b7fc 100644
--- a/sys/netpfil/ipfw/ip_fw2.c
+++ b/sys/netpfil/ipfw/ip_fw2.c
@@ -3680,6 +3680,7 @@ vnet_ipfw_init(const void *unused)
 
 	IPFW_LOCK_INIT(chain);
 
+	ipfw_dyn_init(chain);
 	/* fill and insert the default rule */
 	rule = ipfw_alloc_rule(chain, sizeof(struct ip_fw));
 	rule->flags |= IPFW_RULE_NOOPT;
@@ -3689,7 +3690,6 @@ vnet_ipfw_init(const void *unused)
 	chain->default_rule = rule;
 	ipfw_add_protected_rule(chain, rule, 0);
 
-	ipfw_dyn_init(chain);
 	ipfw_eaction_init(chain, first);
 	ipfw_init_skipto_cache(chain);
 	ipfw_bpf_init(first);
diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c
index 9694c145e112..cfb686594c7c 100644
--- a/sys/netpfil/ipfw/ip_fw_dynamic.c
+++ b/sys/netpfil/ipfw/ip_fw_dynamic.c
@@ -3141,6 +3141,43 @@ ipfw_dump_states(struct ip_fw_chain *chain, struct sockopt_data *sd)
 #undef DYN_EXPORT_STATES
 }
 
+/*
+ * When we have enabled V_dyn_keep_states, states that become ORPHANED
+ * will keep pointer to original rule. Then this rule pointer is used
+ * to apply rule action after ipfw_dyn_lookup_state().
+ * Some rule actions use IPFW_INC_RULE_COUNTER() directly to this rule
+ * pointer, but other actions use chain->map[f_pos] instead. The last
+ * case leads to incrementing counters on the wrong rule, because
+ * ORPHANED states have not parent rule in chain->map[].
+ * To solve this we add protected rule:
+ *   count ip from any to any not // comment
+ * It will be matched only by packets that are handled by ORPHANED states.
+ */
+static void
+dyn_add_protected_rule(struct ip_fw_chain *chain)
+{
+	static const char *comment =
+	    "orphaned dynamic states counter";
+	struct ip_fw *rule;
+	ipfw_insn *cmd;
+	size_t l;
+
+	l = roundup(strlen(comment) + 1, sizeof(uint32_t));
+	rule = ipfw_alloc_rule(chain, sizeof(*rule) + sizeof(ipfw_insn) + l);
+	cmd = rule->cmd;
+	cmd->opcode = O_NOP;
+	cmd->len = 1 + l/sizeof(uint32_t);
+	cmd->len |= F_NOT; /* make rule to be not matched */
+	strcpy((char *)(cmd + 1), comment);
+	cmd += F_LEN(cmd);
+
+	cmd->len = 1;
+	cmd->opcode = O_COUNT;
+	rule->act_ofs = cmd - rule->cmd;
+	rule->cmd_len = rule->act_ofs + 1;
+	ipfw_add_protected_rule(chain, rule, 0);
+}
+
 void
 ipfw_dyn_init(struct ip_fw_chain *chain)
 {
@@ -3203,6 +3240,8 @@ ipfw_dyn_init(struct ip_fw_chain *chain)
 	callout_init(&V_dyn_timeout, 1);
 	callout_reset(&V_dyn_timeout, hz, dyn_tick, curvnet);
 	IPFW_ADD_OBJ_REWRITER(IS_DEFAULT_VNET(curvnet), dyn_opcodes);
+
+	dyn_add_protected_rule(chain);
 }
 
 void