Date: Fri, 09 Feb 2024 20:28:06 +0000
From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 276732] IPFW keep-state rules with untag do not go through parent rule cmd
Message-ID: <bug-276732-8303-w6hd23TGHz@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-276732-8303@https.bugs.freebsd.org/bugzilla/>
References: <bug-276732-8303@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276732

John Baldwin <jhb@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |New                         |Open

--- Comment #2 from John Baldwin <jhb@FreeBSD.org> ---
(Hit Enter too soon, ignore previous comment)

I agree with the diagnosis. I suspect though that the bug is a bit bigger, as currently we always skip over the first action opcode. The fact that 'match' is set to 1 allows this to "work" if the first action is "accept", which is usually the action for keep-state rules. However, I suspect that if you have a 'log' action on a keep-state rule we don't actually log packets that match an existing dynamic rule, since we skip over the "log" opcode due to this bug.

A bit more background: in this set of loops in the kernel, you can think of 'cmd' as being a program counter (PC) for an ISA and 'cmdlen' is the implicit PC increment to perform after handling the current opcode. Since this action is triggering the equivalent of a branch, it resets 'cmd' and 'l' as is done at the start of the inner for loop and sets 'cmdlen' to 0 to avoid turning the implicit PC increment at the end of the for loop into a nop.

I think though that the patch should drop the 'match = 1' as that is now just noise. Also, there is no need to keep the dead 'break' statement. I've cc'd ae@ to see if he has any thoughts, but if there's no other feedback in the next week or so I'll commit the tweaked fix.
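The program-counter picture from the comment above, as an added, constructed model (not the kernel's ipfw_chk code and not the patch under review): on a dynamic-state hit the buggy branch leaves 'cmdlen' at the keep-state opcode's length, so the loop-end increment steps over the first action opcode (the 'log'), while the fixed branch sets 'cmdlen' to 0. The opcode names, the struct layout and the sample rule are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical opcode names for this model, not ipfw's real O_* values. */
enum op { OP_PROTO, OP_KEEP_STATE, OP_LOG, OP_ACCEPT };
struct insn { enum op op; int len; };    /* len stands in for F_LEN(cmd) */
struct rule { const struct insn *cmd; int cmd_len; int act_ofs; };
struct result { bool logged; bool accepted; };

/* Walk one rule with 'cmd' as the PC and 'cmdlen' as the implicit increment.
 * dyn_hit: packet matches existing state; fixed: take the cmdlen = 0 branch. */
static struct result run_rule(const struct rule *f, bool dyn_hit, bool fixed)
{
    struct result r = { false, false };
    const struct insn *cmd; int l, cmdlen, match;
    for (l = f->cmd_len, cmd = f->cmd; l > 0; l -= cmdlen, cmd += cmdlen) {
        cmdlen = cmd->len;
        match = 0;
        switch (cmd->op) {
        case OP_PROTO:              /* model: the filter part always matches */
            match = 1; break;
        case OP_KEEP_STATE:
            if (dyn_hit) {          /* state found: branch to the action part */
                cmd = f->cmd + f->act_ofs;
                l = f->cmd_len - f->act_ofs;
                if (fixed) {
                    cmdlen = 0;     /* the loop-end increment becomes a nop */
                    continue;
                }
                match = 1;          /* buggy: cmdlen still steps past cmd[act_ofs] */
                break;
            }
            match = 1; break;       /* no state yet: create it, fall into actions */
        case OP_LOG:                /* "log" is an action that keeps scanning */
            r.logged = true; match = 1; break;
        case OP_ACCEPT:
            r.accepted = true; return r;
        }
        if (!match) break;          /* a filter opcode failed: no match */
    }
    return r;
}

/* Constructed rule: [proto][keep-state] | act_ofs = 2: [log][accept] */
static const struct insn demo_cmd[] = {
    { OP_PROTO, 1 }, { OP_KEEP_STATE, 1 }, { OP_LOG, 1 }, { OP_ACCEPT, 1 } };
static const struct rule demo_rule = { demo_cmd, 4, 2 };

int main(void) {
    printf("dynamic hit: buggy logged=%d, fixed logged=%d\n",
        run_rule(&demo_rule, true, false).logged, run_rule(&demo_rule, true, true).logged);
}
```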