From owner-svn-src-all@FreeBSD.ORG  Mon Oct 13 13:49:29 2014
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id AEE11AAF;
 Mon, 13 Oct 2014 13:49:29 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 8FBD76BB;
 Mon, 13 Oct 2014 13:49:29 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9DDnTwA054113;
 Mon, 13 Oct 2014 13:49:29 GMT (envelope-from melifaro@FreeBSD.org)
Received: (from melifaro@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9DDnTAp054111;
 Mon, 13 Oct 2014 13:49:29 GMT (envelope-from melifaro@FreeBSD.org)
Message-Id: <201410131349.s9DDnTAp054111@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: melifaro set sender to
 melifaro@FreeBSD.org using -f
From: "Alexander V. Chernikov" <melifaro@FreeBSD.org>
Date: Mon, 13 Oct 2014 13:49:29 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r273035 - in head/sys: netinet netpfil/ipfw
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Oct 2014 13:49:29 -0000

Author: melifaro
Date: Mon Oct 13 13:49:28 2014
New Revision: 273035
URL: https://svnweb.freebsd.org/changeset/base/273035

Log:
  Fix matching default rule on clear/show commands.
  
  Found by:	Oleg Ginzburg

Modified:
  head/sys/netinet/ip_fw.h
  head/sys/netpfil/ipfw/ip_fw_sockopt.c

Modified: head/sys/netinet/ip_fw.h
==============================================================================
--- head/sys/netinet/ip_fw.h	Mon Oct 13 13:13:42 2014	(r273034)
+++ head/sys/netinet/ip_fw.h	Mon Oct 13 13:49:28 2014	(r273035)
@@ -886,6 +886,11 @@ typedef struct _ipfw_range_tlv {
 #define	IPFW_RCFLAG_RANGE	0x01	/* rule range is set		*/
 #define	IPFW_RCFLAG_ALL		0x02	/* match ALL rules		*/
 #define	IPFW_RCFLAG_SET		0x04	/* match rules in given set	*/
+/* User-settable flags */
+#define	IPFW_RCFLAG_USER	(IPFW_RCFLAG_RANGE | IPFW_RCFLAG_ALL | \
+	IPFW_RCFLAG_SET)
+/* Internally used flags */
+#define	IPFW_RCFLAG_DEFAULT	0x0100	/* Do not skip defaul rule	*/
 
 typedef struct _ipfw_ta_tinfo {
 	uint32_t	flags;		/* Format flags			*/

Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c
==============================================================================
--- head/sys/netpfil/ipfw/ip_fw_sockopt.c	Mon Oct 13 13:13:42 2014	(r273034)
+++ head/sys/netpfil/ipfw/ip_fw_sockopt.c	Mon Oct 13 13:49:28 2014	(r273035)
@@ -833,8 +833,9 @@ int
 ipfw_match_range(struct ip_fw *rule, ipfw_range_tlv *rt)
 {
 
-	/* Don't match default rule regardless of query */
-	if (rule->rulenum == IPFW_DEFAULT_RULE)
+	/* Don't match default rule for modification queries */
+	if (rule->rulenum == IPFW_DEFAULT_RULE &&
+	    (rt->flags & IPFW_RCFLAG_DEFAULT) == 0)
 		return (0);
 
 	/* Don't match rules in reserved set for flush requests */
@@ -965,7 +966,7 @@ move_range(struct ip_fw_chain *chain, ip
 	}
 
 	/* XXX: We have to do swap holding WLOCK */
-	for (i = 0; i < chain->n_rules - 1; i++) {
+	for (i = 0; i < chain->n_rules; i++) {
 		rule = chain->map[i];
 		if (ipfw_match_range(rule, rt) == 0)
 			continue;
@@ -1006,9 +1007,10 @@ clear_range(struct ip_fw_chain *chain, i
 	int i;
 
 	num = 0;
+	rt->flags |= IPFW_RCFLAG_DEFAULT;
 
 	IPFW_UH_WLOCK(chain);	/* arbitrate writers */
-	for (i = 0; i < chain->n_rules - 1; i++) {
+	for (i = 0; i < chain->n_rules; i++) {
 		rule = chain->map[i];
 		if (ipfw_match_range(rule, rt) == 0)
 			continue;
@@ -1031,6 +1033,9 @@ check_range_tlv(ipfw_range_tlv *rt)
 	if (rt->set >= IPFW_MAX_SETS || rt->new_set >= IPFW_MAX_SETS)
 		return (1);
 
+	if ((rt->flags & IPFW_RCFLAG_USER) != rt->flags)
+		return (1);
+
 	return (0);
 }
 
@@ -2012,7 +2017,7 @@ dump_config(struct ip_fw_chain *chain, i
 		da.b = ipfw_find_rule(chain, rnum, 0);
 		rnum = hdr->end_rule;
 		rnum = (rnum < IPFW_DEFAULT_RULE) ? rnum+1 : IPFW_DEFAULT_RULE;
-		da.e = ipfw_find_rule(chain, rnum, 0);
+		da.e = ipfw_find_rule(chain, rnum, 0) + 1;
 	}
 
 	if (hdr->flags & IPFW_CFG_GET_STATIC) {