From nobody Mon May 25 07:06:36 2026
X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gP6PZ27vfz6dmB3
	for <dev-commits-src-all@mlmmj.nyi.freebsd.org>; Mon, 25 May 2026 07:06:42 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gP6PY6FpYz3cHP
	for <dev-commits-src-all@FreeBSD.org>; Mon, 25 May 2026 07:06:41 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1779692801;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=zQbW0aU4DJnmxtiJSOq8hwZBGROjjv8zXAYEsPzU5xg=;
	b=SPuRnPM6iLgPEnOpy1dYk4iH+uvDieEkf23FO+fvc7VLVoR64RmoMqav26SHvXKvEGkBMZ
	+mcviHyiT+6nuDGO+63PT9mZE6N4s0+ZnX2qJd69ssKzl9RBu5+Hdvhyyy2QNH/LlFAlY9
	RhQCdcK25WCOgW6KSY8UjX1je36Ql9b8ssJmNt2Y7GQwDvOzh17RzB5Vm4/IpT507If7fF
	BM3JQPPhBodFU140lLXJzkHeXpo2iIJD69tyO+uXwWBQYJ+O6aTHirQTglE9cBDl/DpmHm
	/YUr0pm38gvhczgj+HfOgNypPiDh8tRwzMzjehG+nAxFO99ehQOUxYCLO3l/5w==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779692801; a=rsa-sha256; cv=none;
	b=OEffhRM70CrbbaOTCKYnQi18jdxYngzYXCrFwR4BzH4WRtcthLrIeCmwme5xLJKD1vZVB/
	YytNBbhK3reqsA9tmLxK4koyZJlLLqJMbAO8SqtisWK23JWiHEQ18jrvHNHUXbd3nZ4VO9
	Pq6Cyzg20PzFlFnrkT+GVIKjbQI1AH1Zt8ILnVFQrzlibSFjuyiMihYsoKuUW+PfsF0rA/
	+jlkt4xWXPDI3Yg2j2p+QwTmoFl2EJb0yRs1SkXMh/Tcin0w/qN9Zc+RMdJAvENfHkNzeN
	y6pdV13n7BTDoFtKiaIU/AabnmpVgHx5DGgxl1sY9CE5h8D8f59bHo6Mr5WeHw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1779692801;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=zQbW0aU4DJnmxtiJSOq8hwZBGROjjv8zXAYEsPzU5xg=;
	b=umrMMuYHovS3r8+eCgmJ9WIIvtj0YegSLV7jRhK9I0QqVL4LAhzmoRe0dHM+TvdZ3rIYsz
	Bbo+rD8jGAWlntMoNgSPNmMDRw7tp+0NsmDymG9D5q4ifrQn39rVgjlOkib+oqlkHdx/wM
	h9ovkUw+clXXqr8Csp1GJF+raOP8QpxiomkPoLZL9dpQCFQxsngS9iQTYaQpY0Sxf3Cgn6
	W/Qxpy+LkXUzPnlMbJ1ryrDupmnP6BPJInR5YPeADQl/usw8DpLZbIoI7zvrql0rZPHToy
	kbLf10nx+266GOfEygfGY048pcpuKsN9elfwU2FjHYLZbqdjnBn+gA8lZ6V9dQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gP6PY5XLNzWZD
	for <dev-commits-src-all@FreeBSD.org>; Mon, 25 May 2026 07:06:41 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 3f236
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Mon, 25 May 2026 07:06:36 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Andrey V. Elsukov <ae@FreeBSD.org>
Subject: git: 7ba922959d7e - stable/14 - ipfw: treat ipv6 address with zero mask as 'any'
List-Id: Commit messages for all branches of the src repository <dev-commits-src-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
List-Help: <mailto:dev-commits-src-all+help@freebsd.org>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
List-Id: <dev-commits-src-all.FreeBSD.org>
List-Post: <mailto:dev-commits-src-all@FreeBSD.org>
List-Help: <mailto:dev-commits-src-all+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-all+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-all+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: ae
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 7ba922959d7ed6e73fde54d0bd72ef0bcd8bc49a
Auto-Submitted: auto-generated
Date: Mon, 25 May 2026 07:06:36 +0000
Message-Id: <6a13f4fc.3f236.60d43e00@gitrepo.freebsd.org>

The branch stable/14 has been updated by ae:

URL: https://cgit.FreeBSD.org/src/commit/?id=7ba922959d7ed6e73fde54d0bd72ef0bcd8bc49a

commit 7ba922959d7ed6e73fde54d0bd72ef0bcd8bc49a
Author:     Andrey V. Elsukov <ae@FreeBSD.org>
AuthorDate: 2026-05-17 10:12:20 +0000
Commit:     Andrey V. Elsukov <ae@FreeBSD.org>
CommitDate: 2026-05-25 07:04:48 +0000

    ipfw: treat ipv6 address with zero mask as 'any'
    
    Make the behaviour similar for both IPv4 and IPv6. Also add
    the corresponding tests.
    
    PR:             294733
    Differential Revision:  https://reviews.freebsd.org/D56618
    
    (cherry picked from commit 2872268c7f6d473aae9b02ebb5d2c24fc2cff9b1)
---
 sbin/ipfw/ipfw2.c                          |  7 ++++---
 sbin/ipfw/ipv6.c                           | 11 +++++++----
 sbin/ipfw/tests/test_add_rule.py           | 24 ++++++++++++++++++++++++
 tests/atf_python/sys/netpfil/ipfw/insns.py |  2 ++
 4 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index eecf6a9c056f..56e5b0640135 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -3405,12 +3405,13 @@ fill_ip(ipfw_insn_ip *cmd, char *av, int cblen, struct tidx *tstate)
 		 * list unless it is the only item, in which case we
 		 * report an error.
 		 */
-		if (cmd->o.len & F_NOT) {	/* "not any" never matches */
-			if (av == NULL && len == 0) /* only this entry */
+		if (av == NULL && len == 0) {
+			if (cmd->o.len & F_NOT) /* "not any" never matches */
 				errx(EX_DATAERR, "not any never matches");
+			return;
 		}
 		/* else do nothing and skip this entry */
-		return;
+		continue;
 	}
 	/* A single IP can be stored in an optimized format */
 	if (d[1] == (uint32_t)~0 && av == NULL && len == 0) {
diff --git a/sbin/ipfw/ipv6.c b/sbin/ipfw/ipv6.c
index e6eb07af26dc..f34a08bb6f52 100644
--- a/sbin/ipfw/ipv6.c
+++ b/sbin/ipfw/ipv6.c
@@ -396,8 +396,6 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate)
 				n2mask(&d[1], masklen);
 		}
 
-		APPLY_MASK(d, &d[1]);   /* mask base address with mask */
-
 		av = q;
 
 		/* Check this entry */
@@ -408,11 +406,16 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av, int cblen, struct tidx *tstate)
 			 * list unless it is the only item, in which case we
 			 * report an error.
 			 */
-			if (cmd->o.len & F_NOT && av == NULL && len == 0)
-				errx(EX_DATAERR, "not any never matches");
+			if (av == NULL && len == 0) {
+				if (cmd->o.len & F_NOT)
+					errx(EX_DATAERR, "not any never matches");
+				return (1);
+			}
 			continue;
 		}
 
+		APPLY_MASK(d, &d[1]);   /* mask base address with mask */
+
 		/*
 		 * A single IP can be stored alone
 		 */
diff --git a/sbin/ipfw/tests/test_add_rule.py b/sbin/ipfw/tests/test_add_rule.py
index 60c8cebaceaa..213701b52eca 100755
--- a/sbin/ipfw/tests/test_add_rule.py
+++ b/sbin/ipfw/tests/test_add_rule.py
@@ -130,6 +130,30 @@ class TestAddRule(BaseTest):
                 },
                 id="test_rulenum",
             ),
+            pytest.param(
+                {
+                    "in": "add allow ip4 from 0.0.0.0/0 to 192.0.2.1/0",
+                    "out": {
+                        "insns": [
+                            InsnEmpty(IpFwOpcode.O_IP4),
+                            InsnEmpty(IpFwOpcode.O_ACCEPT),
+                        ],
+                    },
+                },
+                id="test_zero_addrmask4",
+            ),
+            pytest.param(
+                {
+                    "in": "add allow ip6 from ::/0 to 2001:DB8::/0",
+                    "out": {
+                        "insns": [
+                            InsnEmpty(IpFwOpcode.O_IP6),
+                            InsnEmpty(IpFwOpcode.O_ACCEPT),
+                        ],
+                    },
+                },
+                id="test_zero_addrmask6",
+            ),
             pytest.param(
                 {
                     "in": "add allow ip from { 1.2.3.4 or 2.3.4.5 } to any",
diff --git a/tests/atf_python/sys/netpfil/ipfw/insns.py b/tests/atf_python/sys/netpfil/ipfw/insns.py
index 12f145f49393..3ff7314004b5 100644
--- a/tests/atf_python/sys/netpfil/ipfw/insns.py
+++ b/tests/atf_python/sys/netpfil/ipfw/insns.py
@@ -535,6 +535,8 @@ insn_attrs = prepare_attrs_map(
 
 
         AttrDescr(IpFwOpcode.O_NOP, InsnComment),
+        AttrDescr(IpFwOpcode.O_IP4, InsnEmpty),
+        AttrDescr(IpFwOpcode.O_IP6, InsnEmpty),
         AttrDescr(IpFwOpcode.O_PROTO, InsnProto),
         AttrDescr(IpFwOpcode.O_PROB, InsnProb),
         AttrDescr(IpFwOpcode.O_IP_DST_ME, InsnEmpty),