From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 238796] ipfilter: fix unremovable rules and rules checksum for comparison
Date: Tue, 25 Jun 2019 05:37:57 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238796

            Bug ID: 238796
           Summary: ipfilter: fix unremovable rules and rules checksum for comparison
           Product: Base System
           Version: 12.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: msl0000023508@gmail.com

Created attachment 205322
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=205322&action=edit
freebsd-ipfilter-rule-compare-fix.diff

This patch
fixes 2 bugs.

1. Unremovable rules

A filter rule can become non-removable if it contains a 'route-to' (displayed as 'to' in ipfstat(8) output), 'reply-to' or 'dup-to' keyword that specifies an interface name for routing. For example:

[root@x ~]# ipfstat -Rion
# empty list for ipfilter(out)
@1 ...
@2 ...
@3 ...
@4 pass in quick on vboxnet0 to tun0:10.1.202.11 inet proto tcp from 10.12.4.0/24 port = 22 to any
@5 pass in quick on vboxnet0 to tun0:10.1.202.11 inet from 10.0.5.52/32 to any
[root@x ~]# echo "pass in quick on vboxnet0 to tun0:10.1.202.11 inet proto tcp from 10.12.4.0/24 port = 22 to any" | ipf -r -f -
29:1:ioctl(delete rule): rule not found for removing
[root@x ~]# echo "pass in quick on vboxnet0 to tun0:10.1.202.11 inet proto tcp from 10.12.4.0/24 port = 22 to any" | ipf -f -
[root@x ~]# ipfstat -Rion
# empty list for ipfilter(out)
@1 ...
@2 ...
@3 ...
@4 pass in quick on vboxnet0 to tun0:10.1.202.11 inet proto tcp from 10.12.4.0/24 port = 22 to any
@5 pass in quick on vboxnet0 to tun0:10.1.202.11 inet from 10.0.5.52/32 to any
@6 pass in quick on vboxnet0 to tun0:10.1.202.11 inet proto tcp from 10.12.4.0/24 port = 22 to any

As the output shows, rule @4 cannot be removed with 'ipf -r', yet adding exactly the same rule again succeeds and produces rule @6, even though duplicate rules are not allowed by the ipfilter design. Rule @5 has the same issue.

The cause of this bug is that when comparing 2 rules, the code fails to exclude some volatile variables, namely pointers and index numbers into a volatile array. The pointers included in the rule comparison are 'fd_ptr' in 'frdest_t', which in turn is embedded as 'fr_tifs' and 'fr_dif' in 'struct frentry', the rule entry structure. The index numbers are 'fr_ifnames' in 'struct frentry', and 'fd_name' in 'fr_tifs' and 'fr_dif'; all of these numbers index strings in the array 'fr_names' in 'struct frentry'. The actual strings should be compared instead of the indexes, since the sequence of strings referenced by 'fr_ifnames' may differ even between 2 identical rules.

Another variable that should be excluded from the comparison is 'fd_local' in 'frdest_t'. This variable is a hint that lets the code determine whether an address is local; it shouldn't be compared, because it can change at runtime (for example when an address is added to an interface after a rule was loaded).

2. Inefficient rule checksum

'struct frentry' has a member 'fr_cksum'; it was designed to speed up rule comparison; see https://svnweb.freebsd.org/base/stable/12/sys/contrib/ipfilter/netinet/fil.c?revision=349223&view=markup#l4922

The code at that location calculates the first part of the checksum over the members starting at 'fr_func' and ending at 'fr_cksum'. However, in the ipfilter revision '2580062 from/to targets should be able to use any interface name; 2605045 destination lists aren't loaded; 2605049 destination lists need testing; 2637667 pool stats structures should not have pointers; 2644504 cannot list configured destination lists; 2644536 destination lists need more selection policies' on branch 'v5-1-RELEASE', committed 2009-03-08 09:08:32, the member 'fr_cksum' was moved so that it sits before 'fr_func', causing this calculation to be skipped entirely.
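The two defects above, modelled in C as an added example (this is not the reporter's patch and not ipfilter's own code): the struct and member names follow ipfilter's, but the reduced layouts, make_rule, the 64-byte fr_names buffer, the flag value and the fake interface pointer values are constructed for the example and never dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Reduced frdest_t: fd_ptr and fd_local are runtime state; fd_name is an index into fr_names. */
typedef struct { void *fd_ptr; int fd_name; int fd_local; } frdest;
/* Reduced frentry with fr_cksum placed BEFORE fr_func, as after the 2009 move. */
typedef struct {
    uint32_t fr_cksum; void *fr_func; uint32_t fr_flags;
    int fr_ifnames[2]; frdest fr_tifs[2]; int fr_nlen; char fr_names[64];
} frentry;

static int add_name(frentry *r, const char *s) {   /* append s to fr_names, return its index */
    int idx = r->fr_nlen;
    memcpy(r->fr_names + idx, s, strlen(s) + 1);
    r->fr_nlen += (int)strlen(s) + 1;
    return idx;
}

/* "pass in on <in_if> to <to_if>": swap only changes the order the names land in fr_names. */
frentry make_rule(const char *in_if, const char *to_if, int swap, void *ifp) {
    frentry r;
    memset(&r, 0, sizeof r);
    r.fr_flags = 1;                                  /* constructed flag bits */
    if (swap) { r.fr_tifs[0].fd_name = add_name(&r, to_if); r.fr_ifnames[0] = add_name(&r, in_if); }
    else      { r.fr_ifnames[0] = add_name(&r, in_if); r.fr_tifs[0].fd_name = add_name(&r, to_if); }
    r.fr_tifs[0].fd_ptr = ifp;                       /* pointer the kernel resolves at load time */
    return r;
}

/* Checksum as fil.c does it: sum the words from fr_func up to fr_cksum. Because
 * fr_cksum now lies before fr_func the range is empty and the loop never runs. */
uint32_t range_checksum(frentry r) {
    const uint32_t *p = (const uint32_t *)&r.fr_func, *end = (const uint32_t *)&r.fr_cksum;
    uint32_t sum = 0;
    for (; p < end; p++) sum += *p;
    return sum;
}

/* Byte compare from fr_func onward: a different pointer or name order already makes
 * two identical rules look different, which is what leaves rule @4 unremovable. */
int raw_differs(frentry a, frentry b) {
    return memcmp(&a.fr_func, &b.fr_func, sizeof a - offsetof(frentry, fr_func)) != 0;
}

/* Field-wise compare: ignores fd_ptr/fd_local and resolves name indexes to strings. */
int rule_equal(frentry a, frentry b) {
    return a.fr_flags == b.fr_flags
        && strcmp(a.fr_names + a.fr_ifnames[0], b.fr_names + b.fr_ifnames[0]) == 0
        && strcmp(a.fr_names + a.fr_tifs[0].fd_name, b.fr_names + b.fr_tifs[0].fd_name) == 0;
}
```

range_checksum returning 0 for every rule is the checksum bug; raw_differs reporting the same rule as different when only fd_ptr or the name order changed is the unremovable-rule bug, and rule_equal shows the comparison the report asks for.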