From owner-svn-src-all@FreeBSD.ORG Mon Oct 13 13:49:29 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id AEE11AAF; Mon, 13 Oct 2014 13:49:29 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8FBD76BB; Mon, 13 Oct 2014 13:49:29 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9DDnTwA054113; Mon, 13 Oct 2014 13:49:29 GMT (envelope-from melifaro@FreeBSD.org) Received: (from melifaro@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9DDnTAp054111; Mon, 13 Oct 2014 13:49:29 GMT (envelope-from melifaro@FreeBSD.org) Message-Id: <201410131349.s9DDnTAp054111@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: melifaro set sender to melifaro@FreeBSD.org using -f From: "Alexander V. Chernikov" Date: Mon, 13 Oct 2014 13:49:29 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r273035 - in head/sys: netinet netpfil/ipfw X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Oct 2014 13:49:29 -0000 Author: melifaro Date: Mon Oct 13 13:49:28 2014 New Revision: 273035 URL: https://svnweb.freebsd.org/changeset/base/273035 Log: Fix matching default rule on clear/show commands. Found by: Oleg Ginzburg Modified: head/sys/netinet/ip_fw.h head/sys/netpfil/ipfw/ip_fw_sockopt.c Modified: head/sys/netinet/ip_fw.h ============================================================================== --- head/sys/netinet/ip_fw.h Mon Oct 13 13:13:42 2014 (r273034) +++ head/sys/netinet/ip_fw.h Mon Oct 13 13:49:28 2014 (r273035) @@ -886,6 +886,11 @@ typedef struct _ipfw_range_tlv { #define IPFW_RCFLAG_RANGE 0x01 /* rule range is set */ #define IPFW_RCFLAG_ALL 0x02 /* match ALL rules */ #define IPFW_RCFLAG_SET 0x04 /* match rules in given set */ +/* User-settable flags */ +#define IPFW_RCFLAG_USER (IPFW_RCFLAG_RANGE | IPFW_RCFLAG_ALL | \ + IPFW_RCFLAG_SET) +/* Internally used flags */ +#define IPFW_RCFLAG_DEFAULT 0x0100 /* Do not skip defaul rule */ typedef struct _ipfw_ta_tinfo { uint32_t flags; /* Format flags */ Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c ============================================================================== --- head/sys/netpfil/ipfw/ip_fw_sockopt.c Mon Oct 13 13:13:42 2014 (r273034) +++ head/sys/netpfil/ipfw/ip_fw_sockopt.c Mon Oct 13 13:49:28 2014 (r273035) @@ -833,8 +833,9 @@ int ipfw_match_range(struct ip_fw *rule, ipfw_range_tlv *rt) { - /* Don't match default rule regardless of query */ - if (rule->rulenum == IPFW_DEFAULT_RULE) + /* Don't match default rule for modification queries */ + if (rule->rulenum == IPFW_DEFAULT_RULE && + (rt->flags & IPFW_RCFLAG_DEFAULT) == 0) return (0); /* Don't match rules in reserved set for flush requests */ @@ -965,7 +966,7 @@ move_range(struct ip_fw_chain *chain, ip } /* XXX: We have to do swap holding WLOCK */ - for (i = 0; i < chain->n_rules - 1; i++) { + for (i = 0; i < chain->n_rules; i++) { rule = chain->map[i]; if (ipfw_match_range(rule, rt) == 0) continue; @@ -1006,9 +1007,10 @@ clear_range(struct ip_fw_chain *chain, i int i; num = 0; + rt->flags |= IPFW_RCFLAG_DEFAULT; IPFW_UH_WLOCK(chain); /* arbitrate writers */ - for (i = 0; i < chain->n_rules - 1; i++) { + for (i = 0; i < chain->n_rules; i++) { rule = chain->map[i]; if (ipfw_match_range(rule, rt) == 0) continue; @@ -1031,6 +1033,9 @@ check_range_tlv(ipfw_range_tlv *rt) if (rt->set >= IPFW_MAX_SETS || rt->new_set >= IPFW_MAX_SETS) return (1); + if ((rt->flags & IPFW_RCFLAG_USER) != rt->flags) + return (1); + return (0); } @@ -2012,7 +2017,7 @@ dump_config(struct ip_fw_chain *chain, i da.b = ipfw_find_rule(chain, rnum, 0); rnum = hdr->end_rule; rnum = (rnum < IPFW_DEFAULT_RULE) ? rnum+1 : IPFW_DEFAULT_RULE; - da.e = ipfw_find_rule(chain, rnum, 0); + da.e = ipfw_find_rule(chain, rnum, 0) + 1; } if (hdr->flags & IPFW_CFG_GET_STATIC) {