Date: Wed, 12 Feb 2025 09:38:46 GMT
Message-Id: <202502120938.51C9ck8Q037468@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 30ab6e823c59 - main - pf: fix anchor quick with nested anchors

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=30ab6e823c5914a0ecc296d766b8a92222724d09

commit 30ab6e823c5914a0ecc296d766b8a92222724d09
Author:     Kristof Provost
AuthorDate: 2025-02-05 15:41:41 +0000
Commit:     Kristof Provost
CommitDate: 2025-02-12 08:29:09 +0000

    pf: fix anchor quick with nested anchors

    We lost the quick flag as soon as we stepped into a child anchor.
    Simplify the logic, get rid of the match flag in the anchor stack, just
    use the match variable we already had (and used in a boolean style) to
    track the nest level we had a match at.
    When a child anchor had a match we also have a match in the current
    anchor, so update the match level accordingly, and thus correctly honour
    the quick flag.
    Reported by, along with the right idea on how to fix this, by
    Sean Gallagher \sean at teletech.com.au/, who also helped testing the fix.

    ok ryan & benno

    Obtained from:  OpenBSD, henning , 32a028bff7
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/net/pfvar.h        |  2 +-
 sys/netpfil/pf/pf.c    | 30 ++++++++----------------------
 sys/netpfil/pf/pf_lb.c |  2 +-
 3 files changed, 10 insertions(+), 24 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 5ef7957f4fa0..65be1a0ce19b 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h
@@ -2646,7 +2646,7 @@ void pf_print_host(struct pf_addr *, u_int16_t, sa_family_t); void pf_step_into_anchor(struct pf_kanchor_stackframe *, int *, struct pf_kruleset **, int, struct pf_krule **, - struct pf_krule **, int *); + struct pf_krule **); int pf_step_out_of_anchor(struct pf_kanchor_stackframe *, int *, struct pf_kruleset **, int, struct pf_krule **, struct pf_krule **, int *); diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 9963dc728302..79e50be6cd13 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -4569,15 +4569,12 @@ struct pf_kanchor_stackframe { void pf_step_into_anchor(struct pf_kanchor_stackframe *stack, int *depth, - struct pf_kruleset **rs, int n, struct pf_krule **r, struct pf_krule **a, - int *match) + struct pf_kruleset **rs, int n, struct pf_krule **r, struct pf_krule **a) { struct pf_kanchor_stackframe *f; PF_RULES_RASSERT(); - if (match) - *match = 0; if (*depth >= PF_ANCHOR_STACKSIZE) { printf("%s: anchor stack overflow on %s\n", __func__, (*r)->anchor->name); @@ -4620,19 +4617,6 @@ pf_step_out_of_anchor(struct pf_kanchor_stackframe *stack, int *depth, f = stack + *depth - 1; fr = PF_ANCHOR_RULE(f); if (f->child != NULL) { - /* - * This block traverses through - * a wildcard anchor. - */ - if (match != NULL && *match) { - /* - * If any of "*" matched, then - * "foo/ *" matched, mark frame - * appropriately. - */ - PF_ANCHOR_SET_MATCH(f); - *match = 0; - } f->child = RB_NEXT(pf_kanchor_node, &fr->anchor->children, f->child); if (f->child != NULL) { @@ -4648,8 +4632,11 @@ pf_step_out_of_anchor(struct pf_kanchor_stackframe *stack, int *depth, if (*depth == 0 && a != NULL) *a = NULL; *rs = f->rs; - if (PF_ANCHOR_MATCH(f) || (match != NULL && *match)) - quick = fr->quick; + if (match != NULL && *match > *depth) { + *match = *depth; + if (f->r->quick) + quick = 1; + } *r = TAILQ_NEXT(fr, entries); } while (*r == NULL); 
@@ -5831,7 +5818,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, PFLOG_PACKET(r->action, PFRES_MATCH, r, a, ruleset, pd, 1); } else { - match = 1; + match = asd; *rm = r; *am = a; *rsm = ruleset; @@ -5844,8 +5831,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, r = TAILQ_NEXT(r, entries); } else pf_step_into_anchor(anchor_stack, &asd, - &ruleset, PF_RULESET_FILTER, &r, &a, - &match); + &ruleset, PF_RULESET_FILTER, &r, &a); nextrule: if (r == NULL && pf_step_out_of_anchor(anchor_stack, &asd, &ruleset, PF_RULESET_FILTER, &r, &a, &match)) diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 6251ddee7d19..23c7ad1c0a66 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -211,7 +211,7 @@ pf_match_translation(struct pf_pdesc *pd, break; } else pf_step_into_anchor(anchor_stack, &asd, - &ruleset, rs_num, &r, NULL, NULL); + &ruleset, rs_num, &r, NULL); } if (r == NULL) pf_step_out_of_anchor(anchor_stack, &asd, &ruleset,
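Review bot: In the pf.c hunk at -4620 (pf_step_out_of_anchor), the removed wildcard block held the only visible PF_ANCHOR_SET_MATCH(f) call, and the following hunk drops the PF_ANCHOR_MATCH(f) test, yet no hunk touches the definitions of those macros or the match flag kept in the frame near struct pf_kanchor_stackframe. The commit message says the match flag in the anchor stack is gone, so if these were the last users, remove the macros and the flag encoding in the same change instead of leaving dead definitions behind.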
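Review bot: In the pf.c hunk at -4648, the new block reads f->r->quick while the rest of the loop works through fr, which is assigned from PF_ANCHOR_RULE(f) a few lines earlier and is used again in `*r = TAILQ_NEXT(fr, entries);` right after the block. Use fr->quick here so the rule pointer is obtained the same way throughout the loop and the read does not depend on how the frame stores r. The diffstat touches only kernel sources; a regression test that loads a quick anchor containing a nested anchor would keep this from regressing, since losing quick lets evaluation continue into later rules that can change the verdict.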
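Review bot: In the pf_test_rule hunk at -5831, `match = asd;` changes match from a flag into the anchor depth of the last matching rule, but nothing in the visible lines documents that, and the trailing `int *` parameter of pf_step_out_of_anchor in pfvar.h keeps its old, unnamed shape. Add a comment at the declaration of match and on that parameter stating that it carries a depth compared against *depth, and confirm that no boolean-style test of match remains in the callers, since a match recorded outside any anchor would presumably store 0 and read as no match.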