Date: Mon, 8 Apr 2024 20:25:57 GMT
Message-Id: <202404082025.438KPvTl040216@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: John Baldwin
Subject: git: 3798c6487a21 - stable/13 - ipfw: Skip to the start of the loop when following a keep-state rule
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
Sender: owner-dev-commits-src-branches@freebsd.org
X-BeenThere: dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhb
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 3798c6487a21454020493517b613cda9a1753faf
Auto-Submitted: auto-generated

The branch stable/13 has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=3798c6487a21454020493517b613cda9a1753faf

commit 3798c6487a21454020493517b613cda9a1753faf
Author:     Karim Fodil-Lemelin
AuthorDate: 2024-02-16 01:57:51 +0000
Commit:     John Baldwin
CommitDate: 2024-04-08 17:57:57 +0000

    ipfw: Skip to the start of the loop when following a keep-state rule

    When a packet matches an existing dynamic rule for a keep-state rule,
    the matching engine advances the "instruction pointer" to the action
    portion of the rule skipping over the match conditions. However, the
    code was merely breaking out of the switch statement rather than doing
    a continue, so the remainder of the loop body after the switch was
    still executed. If the first action opcode contains an F_NOT but not
    an F_OR (such as an "untag" action), then match is toggled to 0, and
    the code exits the inner loop via a break which aborts processing of
    the actions.

    To fix, just use a continue instead of a break.

    PR:             276732
    Reviewed by:    jhb, ae
    MFC after:      2 weeks

    (cherry picked from commit 62b1faa3b7495de22a3225e42dabe6ce8c371e86)
---
 sys/netpfil/ipfw/ip_fw2.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c index 59faaba2f79b..5a96872f9c4f 100644 --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c @@ -2849,8 +2849,7 @@ do { \ cmd = ACTION_PTR(f); l = f->cmd_len - f->act_ofs; cmdlen = 0; - match = 1; - break; + continue; } /* * Dynamic entry not found. If CHECK_STATE,
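
Review bot: the `continue` that replaces `match = 1; break;` carries no comment explaining why this path must not fall through to the code after the switch, so a later cleanup could easily turn it back into a `break`. A one-line comment at the `continue` would help, noting that the F_NOT/F_OR handling after the switch must not be applied to the first action opcode (the "untag" case from the commit message) and that the jump relies on the `cmdlen = 0` set just above, which is presumably what keeps the loop step from moving `cmd` off `ACTION_PTR(f)`. Dropping `match = 1` looks consistent with that, since the post-switch match test is no longer reached on this path. The change also comes without a regression test; a keep-state rule whose action list starts with an untag action, as described for PR 276732, would cover it.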