Date: Tue, 24 Mar 2026 06:03:58 +0000 From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: c6bcf6e6fd50 - main - pf: include all elements when hashing rules Message-ID: <69c2294e.3f5fd.464c6cae@gitrepo.freebsd.org>
index | next in thread | raw e-mail
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=c6bcf6e6fd507d952a48226b51cc161b8ef972a2 commit c6bcf6e6fd507d952a48226b51cc161b8ef972a2 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2026-03-19 07:21:51 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2026-03-24 04:27:21 +0000 pf: include all elements when hashing rules MFC after: 1 week Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf_ioctl.c | 106 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 97 insertions(+), 9 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index fa331449fcf9..a2e12b3065d0 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -1364,6 +1364,13 @@ pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr) PF_MD5_UPD(pfr, addr.v.a.addr.addr32); PF_MD5_UPD(pfr, addr.v.a.mask.addr32); break; + case PF_ADDR_NONE: + case PF_ADDR_NOROUTE: + case PF_ADDR_URPFFAILED: + /* These do not use any address data. */ + break; + default: + panic("Unknown address type %d", pfr->addr.type); } PF_MD5_UPD(pfr, port[0]); @@ -1372,6 +1379,30 @@ pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr) PF_MD5_UPD(pfr, port_op); } +static void +pf_hash_pool(MD5_CTX *ctx, struct pf_kpool *pool) +{ + uint16_t x; + int y; + + if (pool->cur) { + PF_MD5_UPD(pool, cur->addr); + PF_MD5_UPD_STR(pool, cur->ifname); + PF_MD5_UPD(pool, cur->af); + } + PF_MD5_UPD(pool, key); + PF_MD5_UPD(pool, counter); + + PF_MD5_UPD(pool, mape.offset); + PF_MD5_UPD(pool, mape.psidlen); + PF_MD5_UPD_HTONS(pool, mape.psid, x); + PF_MD5_UPD_HTONL(pool, tblidx, y); + PF_MD5_UPD_HTONS(pool, proxy_port[0], x); + PF_MD5_UPD_HTONS(pool, proxy_port[1], x); + PF_MD5_UPD(pool, opts); + PF_MD5_UPD(pool, ipv6_nexthop_af); +} + static void pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule) { @@ -1382,39 +1413,96 @@ pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule) pf_hash_rule_addr(ctx, &rule->dst); for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++) PF_MD5_UPD_STR(rule, label[i]); + PF_MD5_UPD_HTONL(rule, ridentifier, y); PF_MD5_UPD_STR(rule, ifname); PF_MD5_UPD_STR(rule, rcv_ifname); + PF_MD5_UPD_STR(rule, qname); + PF_MD5_UPD_STR(rule, pqname); + PF_MD5_UPD_STR(rule, tagname); PF_MD5_UPD_STR(rule, match_tagname); - PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */ + + PF_MD5_UPD_STR(rule, overload_tblname); + + pf_hash_pool(ctx, &rule->nat); + pf_hash_pool(ctx, &rule->rdr); + pf_hash_pool(ctx, &rule->route); + PF_MD5_UPD_HTONL(rule, pktrate.limit, y); + PF_MD5_UPD_HTONL(rule, pktrate.seconds, y); + PF_MD5_UPD_HTONL(rule, os_fingerprint, y); + + PF_MD5_UPD_HTONL(rule, rtableid, y); + for (int i = 0; i < PFTM_MAX; i++) + PF_MD5_UPD_HTONL(rule, timeout[i], y); + PF_MD5_UPD_HTONL(rule, max_states, y); + PF_MD5_UPD_HTONL(rule, max_src_nodes, y); + PF_MD5_UPD_HTONL(rule, max_src_states, y); + PF_MD5_UPD_HTONL(rule, max_src_conn, y); + PF_MD5_UPD_HTONL(rule, max_src_conn_rate.limit, y); + PF_MD5_UPD_HTONL(rule, max_src_conn_rate.seconds, y); + PF_MD5_UPD_HTONS(rule, max_pkt_size, y); + PF_MD5_UPD_HTONS(rule, qid, x); + PF_MD5_UPD_HTONS(rule, pqid, x); + PF_MD5_UPD_HTONS(rule, dnpipe, x); + PF_MD5_UPD_HTONS(rule, dnrpipe, x); + PF_MD5_UPD_HTONL(rule, free_flags, y); PF_MD5_UPD_HTONL(rule, prob, y); + + PF_MD5_UPD_HTONS(rule, return_icmp, x); + PF_MD5_UPD_HTONS(rule, return_icmp6, x); + PF_MD5_UPD_HTONS(rule, max_mss, x); + PF_MD5_UPD_HTONS(rule, tag, x); /* dup? */ + PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */ + PF_MD5_UPD_HTONS(rule, scrub_flags, x); + + PF_MD5_UPD(rule, uid.op); PF_MD5_UPD_HTONL(rule, uid.uid[0], y); PF_MD5_UPD_HTONL(rule, uid.uid[1], y); - PF_MD5_UPD(rule, uid.op); + PF_MD5_UPD(rule, gid.op); PF_MD5_UPD_HTONL(rule, gid.gid[0], y); PF_MD5_UPD_HTONL(rule, gid.gid[1], y); - PF_MD5_UPD(rule, gid.op); + PF_MD5_UPD_HTONL(rule, rule_flag, y); + PF_MD5_UPD_HTONL(rule, rule_ref, y); PF_MD5_UPD(rule, action); PF_MD5_UPD(rule, direction); - PF_MD5_UPD(rule, af); + PF_MD5_UPD(rule, log); + PF_MD5_UPD(rule, logif); PF_MD5_UPD(rule, quick); PF_MD5_UPD(rule, ifnot); - PF_MD5_UPD(rule, rcvifnot); PF_MD5_UPD(rule, match_tag_not); PF_MD5_UPD(rule, natpass); + PF_MD5_UPD(rule, keep_state); + PF_MD5_UPD(rule, af); PF_MD5_UPD(rule, proto); - PF_MD5_UPD(rule, type); - PF_MD5_UPD(rule, code); + PF_MD5_UPD_HTONS(rule, type, x); + PF_MD5_UPD_HTONS(rule, code, x); PF_MD5_UPD(rule, flags); PF_MD5_UPD(rule, flagset); + PF_MD5_UPD(rule, min_ttl); PF_MD5_UPD(rule, allow_opts); PF_MD5_UPD(rule, rt); + PF_MD5_UPD(rule, return_ttl); PF_MD5_UPD(rule, tos); - PF_MD5_UPD(rule, scrub_flags); - PF_MD5_UPD(rule, min_ttl); PF_MD5_UPD(rule, set_tos); + PF_MD5_UPD(rule, anchor_relative); + PF_MD5_UPD(rule, anchor_wildcard); + + PF_MD5_UPD(rule, flush); + PF_MD5_UPD(rule, prio); + PF_MD5_UPD(rule, set_prio[0]); + PF_MD5_UPD(rule, set_prio[1]); + PF_MD5_UPD(rule, naf); + PF_MD5_UPD(rule, rcvifnot); + PF_MD5_UPD(rule, statelim.id); + PF_MD5_UPD_HTONL(rule, statelim.limiter_action, y); + PF_MD5_UPD(rule, sourcelim.id); + PF_MD5_UPD_HTONL(rule, sourcelim.limiter_action, y); + + PF_MD5_UPD(rule, divert.addr); + PF_MD5_UPD_HTONS(rule, divert.port, x); + if (rule->anchor != NULL) PF_MD5_UPD_STR(rule, anchor->path); }home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?69c2294e.3f5fd.464c6cae>