Date: Mon, 13 Oct 2014 13:49:29 +0000 (UTC) From: "Alexander V. Chernikov" <melifaro@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r273035 - in head/sys: netinet netpfil/ipfw Message-ID: <201410131349.s9DDnTAp054111@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: melifaro Date: Mon Oct 13 13:49:28 2014 New Revision: 273035 URL: https://svnweb.freebsd.org/changeset/base/273035 Log: Fix matching default rule on clear/show commands. Found by: Oleg Ginzburg Modified: head/sys/netinet/ip_fw.h head/sys/netpfil/ipfw/ip_fw_sockopt.c Modified: head/sys/netinet/ip_fw.h ============================================================================== --- head/sys/netinet/ip_fw.h Mon Oct 13 13:13:42 2014 (r273034) +++ head/sys/netinet/ip_fw.h Mon Oct 13 13:49:28 2014 (r273035) @@ -886,6 +886,11 @@ typedef struct _ipfw_range_tlv { #define IPFW_RCFLAG_RANGE 0x01 /* rule range is set */ #define IPFW_RCFLAG_ALL 0x02 /* match ALL rules */ #define IPFW_RCFLAG_SET 0x04 /* match rules in given set */ +/* User-settable flags */ +#define IPFW_RCFLAG_USER (IPFW_RCFLAG_RANGE | IPFW_RCFLAG_ALL | \ + IPFW_RCFLAG_SET) +/* Internally used flags */ +#define IPFW_RCFLAG_DEFAULT 0x0100 /* Do not skip defaul rule */ typedef struct _ipfw_ta_tinfo { uint32_t flags; /* Format flags */ Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c ============================================================================== --- head/sys/netpfil/ipfw/ip_fw_sockopt.c Mon Oct 13 13:13:42 2014 (r273034) +++ head/sys/netpfil/ipfw/ip_fw_sockopt.c Mon Oct 13 13:49:28 2014 (r273035) @@ -833,8 +833,9 @@ int ipfw_match_range(struct ip_fw *rule, ipfw_range_tlv *rt) { - /* Don't match default rule regardless of query */ - if (rule->rulenum == IPFW_DEFAULT_RULE) + /* Don't match default rule for modification queries */ + if (rule->rulenum == IPFW_DEFAULT_RULE && + (rt->flags & IPFW_RCFLAG_DEFAULT) == 0) return (0); /* Don't match rules in reserved set for flush requests */ @@ -965,7 +966,7 @@ move_range(struct ip_fw_chain *chain, ip } /* XXX: We have to do swap holding WLOCK */ - for (i = 0; i < chain->n_rules - 1; i++) { + for (i = 0; i < chain->n_rules; i++) { rule = chain->map[i]; if (ipfw_match_range(rule, rt) == 0) continue; @@ -1006,9 +1007,10 @@ clear_range(struct ip_fw_chain *chain, i int i; num = 0; + rt->flags |= IPFW_RCFLAG_DEFAULT; IPFW_UH_WLOCK(chain); /* arbitrate writers */ - for (i = 0; i < chain->n_rules - 1; i++) { + for (i = 0; i < chain->n_rules; i++) { rule = chain->map[i]; if (ipfw_match_range(rule, rt) == 0) continue; @@ -1031,6 +1033,9 @@ check_range_tlv(ipfw_range_tlv *rt) if (rt->set >= IPFW_MAX_SETS || rt->new_set >= IPFW_MAX_SETS) return (1); + if ((rt->flags & IPFW_RCFLAG_USER) != rt->flags) + return (1); + return (0); } @@ -2012,7 +2017,7 @@ dump_config(struct ip_fw_chain *chain, i da.b = ipfw_find_rule(chain, rnum, 0); rnum = hdr->end_rule; rnum = (rnum < IPFW_DEFAULT_RULE) ? rnum+1 : IPFW_DEFAULT_RULE; - da.e = ipfw_find_rule(chain, rnum, 0); + da.e = ipfw_find_rule(chain, rnum, 0) + 1; } if (hdr->flags & IPFW_CFG_GET_STATIC) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201410131349.s9DDnTAp054111>