To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: a0e4c65f1814 - main - pf: do not reject rules with colliding hashes
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a0e4c65f1814a7a677364dc29bb703f84323d175
Auto-Submitted: auto-generated
Date: Tue, 05 May 2026 21:26:19 +0000
Message-Id: <69fa607b.1c32c.2f8ad50@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=a0e4c65f1814a7a677364dc29bb703f84323d175

commit a0e4c65f1814a7a677364dc29bb703f84323d175
Author:     Kristof Provost
AuthorDate: 2026-04-29 15:04:44 +0000
Commit:     Kristof Provost
CommitDate: 2026-05-05 20:20:42 +0000

    pf: do not reject rules with colliding hashes

    We insert rules in pf_krule_global solely for the benefit of the
    'keepcounters' feature. Failing to insert (because the rule hash collides,
    or an identical rule already exists) would be worse than restoring counts
    to the wrong rule (or failing to restore them at all).

    PR:             282863, 294860, 294859, 294858
    MFC after:      3 days
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D56745
--- sys/netpfil/pf/pf_ioctl.c | 24 ++++++++---------------- tests/sys/netpfil/pf/match.sh | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 16 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index d3e60b137c1a..ab2140a60ce7 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c
@@ -3226,14 +3226,12 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, PF_RULES_WUNLOCK(); pf_hash_rule(rule); - if (RB_INSERT(pf_krule_global, ruleset->rules[rs_num].inactive.tree, rule) != NULL) { - PF_RULES_WLOCK(); - TAILQ_REMOVE(ruleset->rules[rs_num].inactive.ptr, rule, entries); - ruleset->rules[rs_num].inactive.rcount--; - pf_free_rule(rule); - rule = NULL; - ERROUT(EEXIST); - } + /** + * Note: rule hashes may collide. Accept this, because the worst that can + * happen is that we get counter preservation wrong. + * Failing to insert here would be worse. + **/ + RB_INSERT(pf_krule_global, ruleset->rules[rs_num].inactive.tree, rule); PF_CONFIG_UNLOCK(); return (0); @@ -4895,14 +4893,8 @@ DIOCGETRULENV_error: ruleset->rules[rs_num].active.rcount--; } else { pf_hash_rule(newrule); - if (RB_INSERT(pf_krule_global, - ruleset->rules[rs_num].active.tree, newrule) != NULL) { - pf_free_rule(newrule); - PF_RULES_WUNLOCK(); - PF_CONFIG_UNLOCK(); - error = EEXIST; - goto fail; - } + RB_INSERT(pf_krule_global, + ruleset->rules[rs_num].active.tree, newrule); if (oldrule == NULL) TAILQ_INSERT_TAIL( diff --git a/tests/sys/netpfil/pf/match.sh b/tests/sys/netpfil/pf/match.sh index 992e32d9f887..c732ec7c5c17 100644 --- a/tests/sys/netpfil/pf/match.sh +++ b/tests/sys/netpfil/pf/match.sh 
@@ -234,10 +234,46 @@ double_match_cleanup() pft_cleanup } +atf_test_case "duplicate_rules" "cleanup" +duplicate_rules_head() +{ + atf_set descr 'Test identical rules' + atf_set require.user root +} + +duplicate_rules_body() +{ + pft_init + + epair=$(vnet_mkepair) + vnet_mkjail alcatraz ${epair}b + + ifconfig ${epair}a 192.0.2.1/24 up + jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "block" \ + "pass tagged FOO" \ + "match tag FOO" \ + "pass tagged FOO" + + atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2 +} + +duplicate_rules_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "dummynet" atf_add_test_case "quick" atf_add_test_case "allow_opts" atf_add_test_case "double_match" + atf_add_test_case "duplicate_rules" }
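Review bot: In the pf_ioctl_addrule() hunk (@@ -3226), the return value of RB_INSERT is now silently dropped, so a rule that collides stays on the inactive TAILQ without ever being linked into inactive.tree. The removed branch shows that a non-NULL return means the insert did not happen, so any later path that removes this rule from the tree (not visible in this diff) needs to tolerate a rule that was never a member; please confirm that, or record the outcome in the rule so removal can be skipped. Writing the call as (void)RB_INSERT(...) would make the intentional discard explicit. The new comment also opens with "/**" and closes with "**/" rather than the plain "/*" and "*/" block form, and it mentions only hash collisions while the commit message also covers an identical rule already being present.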
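Review bot: In the second pf_ioctl.c hunk (@@ -4895), the RB_INSERT into active.tree loses its EEXIST handling with no comment at this site, unlike the matching change in pf_ioctl_addrule(). A reader who sees only this call will not know the ignored result is deliberate; add a one-line comment pointing at the explanation in pf_ioctl_addrule() and cast the call to (void). The same question applies here as for the inactive tree: newrule now always continues to the TAILQ insertion below even when it was not linked into active.tree, so the later tree removal for that rule should be checked against this case.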
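Review bot: In the match.sh hunk, duplicate_rules_body only checks that ping succeeds after loading two identical "pass tagged FOO" rules, so it covers the load no longer being rejected but not the feature the commit message says the tree exists for. Consider a second case that loads the same duplicated ruleset with keepcounters enabled and reloads it, so the insert-failure path is exercised together with counter restoration. The descr string 'Test identical rules' could also say what is expected, for example that a ruleset containing identical rules loads and passes traffic.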