From: Mark Johnston Subject: git: d91d13c12484 - releng/15.0 - pf: fix duplicate rule detection for automatic tables List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-branches@freebsd.org Sender: owner-dev-commits-src-branches@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/15.0 X-Git-Reftype: branch X-Git-Commit: d91d13c12484ebc007fdb26ebcf5950490f66d1e Auto-Submitted: auto-generated Date: Wed, 29 Apr 2026 14:48:24 +0000 Message-Id: <69f21a38.3ac66.17b79d0f@gitrepo.freebsd.org> The branch releng/15.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=d91d13c12484ebc007fdb26ebcf5950490f66d1e commit d91d13c12484ebc007fdb26ebcf5950490f66d1e Author: Kristof Provost AuthorDate: 2026-04-09 16:11:41 +0000 Commit: Mark Johnston CommitDate: 2026-04-28 19:26:02 +0000 pf: fix duplicate rule detection for automatic tables We should look at the table name for automatic tables as well. These are different tables, so the rules using them are (or can be) different as well. Approved by: so Security: FreeBSD-EN-26:08.pf Reported by: Michael Sinatra Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit fb838352751767e756bd45cd2040fa464ed4de20) (cherry picked from commit fdcc60f52841708efda2582b2492b0a460496fcc) --- sys/netpfil/pf/pf_ioctl.c | 4 +--- tests/sys/netpfil/pf/pass_block.sh | 42 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 749c3a6d3dd7..e1778a92d234 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c 
@@ -1345,9 +1345,7 @@ pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr)
 		PF_MD5_UPD(pfr, addr.iflags);
 		break;
 	case PF_ADDR_TABLE:
-		if (strncmp(pfr->addr.v.tblname, PF_OPTIMIZER_TABLE_PFX,
-		    strlen(PF_OPTIMIZER_TABLE_PFX)))
-			PF_MD5_UPD(pfr, addr.v.tblname);
+		PF_MD5_UPD(pfr, addr.v.tblname);
 		break;
 	case PF_ADDR_ADDRMASK:
 	case PF_ADDR_RANGE:
diff --git a/tests/sys/netpfil/pf/pass_block.sh b/tests/sys/netpfil/pf/pass_block.sh
index f6d973de7cf4..a5cd04f1db22 100644
--- a/tests/sys/netpfil/pf/pass_block.sh
+++ b/tests/sys/netpfil/pf/pass_block.sh
@@ -488,6 +488,47 @@ addr_range_cleanup()
 	pft_cleanup
 }
 
+atf_test_case "auto_tables" "cleanup"
+auto_tables_head()
+{
+	atf_set descr 'Test rulesets with different automatic tables'
+	atf_set require.user root
+}
+
+auto_tables_body()
+{
+	pft_init
+
+	epair=$(vnet_mkepair)
+	ifconfig ${epair}b 192.0.2.2/24 up
+
+	vnet_mkjail alcatraz ${epair}a
+	jexec alcatraz ifconfig ${epair}a 192.0.2.1/24 up
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.1
+
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz \
+		"set ruleset-optimization basic" \
+		"test_a = \"203.0.113.1 203.0.113.2 203.0.113.3 203.0.113.4
+		203.0.113.5 203.0.113.6 203.0.113.7 203.0.113.8 203.0.113.9
+		203.0.113.10\"" \
+		"test_b = \"192.0.2.1 192.0.2.2 192.0.2.3 192.0.2.4 192.0.2.5
+		192.0.2.6 192.0.2.7 192.0.2.8 192.0.2.9 192.0.2.10\"" \
+		"block" \
+		"pass inet from any to { \$test_a }" \
+		"pass inet from 198.51.100.1 to 198.51.100.2 no state" \
+		"pass inet from any to { \$test_b }"
+
+	atf_check -s exit:0 -o ignore ping -c 1 -t 1 192.0.2.1
+}
+
+auto_tables_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "enable_disable"
@@ -500,4 +541,5 @@ atf_init_test_cases()
 	atf_add_test_case "optimize_any"
 	atf_add_test_case "any_if"
 	atf_add_test_case "addr_range"
+	atf_add_test_case "auto_tables"
 }
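Review bot: The new `PF_MD5_UPD(pfr, addr.v.tblname);` under `case PF_ADDR_TABLE:` needs a comment saying why the optimizer-prefix exclusion was wrong, since the removed `strncmp` guard clearly existed on purpose and a later reader will be tempted to restore it: `/* Hash automatic (optimizer) table names too: rules that differ only in their table are distinct rules and must not be folded as duplicates. */`. One caveat to confirm: if PF_MD5_UPD hashes the field by its declared size (the macro is not visible here), the digest now covers the whole tblname buffer rather than just the NUL-terminated name, so the buffer must be fully zero-padded when the rule is copied in from userland or two textually identical rules could hash differently. It is also worth stating in the comment or commit message that, presumably because automatic tables are numbered per load, the ruleset checksum will now differ across reloads of an otherwise identical ruleset, which is an observable change for anything comparing that value. pf_hash_rule_addr begins and ends outside this hunk.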
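Review bot: auto_tables_body checks only the positive path — that the ping to 192.0.2.1 is still passed after loading — so it does not show that two distinct automatic tables were actually created or that the second pass rule was kept as a separate rule; consider adding an assertion on the loaded ruleset, something like `atf_check -s exit:0 -o match:"pass inet from any to <" jexec alcatraz pfctl -sr`, or counting the optimizer-generated tables in `jexec alcatraz pfctl -sT` (the exact table naming is not visible here, so match loosely). A negative check that an address in neither table is still blocked would also confirm the `block` rule was not lost to duplicate detection. The purpose of the intervening `pass inet from 198.51.100.1 to 198.51.100.2 no state` rule is not stated; a one-line comment such as `# keep the two table rules apart so the optimizer emits two automatic tables` would help, adjusted if that is not the actual reason. All of the added shell functions are complete within this hunk.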