To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: fab9bfc92751 - stable/15 - pf: do not reject rules with colliding hashes
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: fab9bfc92751ac7c676a2f59e44c5ce5ff414e20
Date: Sat, 09 May 2026 13:30:37 +0000
Message-Id: <69ff36fd.1c1ec.156f0f88@gitrepo.freebsd.org>

The branch stable/15 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=fab9bfc92751ac7c676a2f59e44c5ce5ff414e20

commit fab9bfc92751ac7c676a2f59e44c5ce5ff414e20
Author:     Kristof Provost
AuthorDate: 2026-04-29 15:04:44 +0000
Commit:     Kristof Provost
CommitDate: 2026-05-09 08:06:01 +0000

    pf: do not reject rules with colliding hashes

    We insert rules in pf_krule_global solely for the benefit of the
    'keepcounters' feature. Failing to insert (because the rule hash collides,
    or an identical rule already exists) would be worse than restoring counts to
    the wrong rule (or failing to restore them at all).

    PR:             282863, 294860, 294859, 294858
    MFC after:      3 days
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D56745

    (cherry picked from commit a0e4c65f1814a7a677364dc29bb703f84323d175)
---
 sys/netpfil/pf/pf_ioctl.c     | 24 ++++++++----------------
 tests/sys/netpfil/pf/match.sh | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 0825a69b8f63..18abc4c09f9e 100644
--- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2438,14 +2438,12 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, PF_RULES_WUNLOCK(); pf_hash_rule(rule); - if (RB_INSERT(pf_krule_global, ruleset->rules[rs_num].inactive.tree, rule) != NULL) { - PF_RULES_WLOCK(); - TAILQ_REMOVE(ruleset->rules[rs_num].inactive.ptr, rule, entries); - ruleset->rules[rs_num].inactive.rcount--; - pf_free_rule(rule); - rule = NULL; - ERROUT(EEXIST); - } + /** + * Note: rule hashes may collide. Accept this, because the worst that can + * happen is that we get counter preservation wrong. + * Failing to insert here would be worse. + **/ + RB_INSERT(pf_krule_global, ruleset->rules[rs_num].inactive.tree, rule); PF_CONFIG_UNLOCK(); return (0); @@ -4111,14 +4109,8 @@ DIOCGETRULENV_error: ruleset->rules[rs_num].active.rcount--; } else { pf_hash_rule(newrule); - if (RB_INSERT(pf_krule_global, - ruleset->rules[rs_num].active.tree, newrule) != NULL) { - pf_free_rule(newrule); - PF_RULES_WUNLOCK(); - PF_CONFIG_UNLOCK(); - error = EEXIST; - goto fail; - } + RB_INSERT(pf_krule_global, + ruleset->rules[rs_num].active.tree, newrule); if (oldrule == NULL) TAILQ_INSERT_TAIL( diff --git a/tests/sys/netpfil/pf/match.sh b/tests/sys/netpfil/pf/match.sh index 992e32d9f887..c732ec7c5c17 100644 --- a/tests/sys/netpfil/pf/match.sh +++ b/tests/sys/netpfil/pf/match.sh 
@@ -234,10 +234,46 @@ double_match_cleanup() pft_cleanup } +atf_test_case "duplicate_rules" "cleanup" +duplicate_rules_head() +{ + atf_set descr 'Test identical rules' + atf_set require.user root +} + +duplicate_rules_body() +{ + pft_init + + epair=$(vnet_mkepair) + vnet_mkjail alcatraz ${epair}b + + ifconfig ${epair}a 192.0.2.1/24 up + jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "block" \ + "pass tagged FOO" \ + "match tag FOO" \ + "pass tagged FOO" + + atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2 +} + +duplicate_rules_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "dummynet" atf_add_test_case "quick" atf_add_test_case "allow_opts" atf_add_test_case "double_match" + atf_add_test_case "duplicate_rules" }
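
Review bot: in the pf_ioctl_addrule() hunk of sys/netpfil/pf/pf_ioctl.c, the result of RB_INSERT() is now dropped silently, and the new comment does not say what state the rule is left in when the insert finds an existing node: it stays on `inactive.ptr` but is not linked into `inactive.tree`. Please state that in the comment, write the call as `(void)RB_INSERT(...)` so the ignored return is visibly deliberate, and confirm that the code which later removes rules from the tree copes with a rule that was never linked. The comment also opens with `/**` and closes with `**/`, where style(9) multi-line comments use plain `/*` and `*/`.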
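
Review bot: the second pf_ioctl.c hunk (the `active.tree` insert of `newrule`, at @@ -4111) ignores the RB_INSERT() result with no comment at all, unlike the pf_ioctl_addrule() site. Add the same short explanation here, or a pointer to it, so that a later reader does not restore the EEXIST check, and use the same `(void)` cast for consistency.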
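
Review bot: in duplicate_rules_body() in tests/sys/netpfil/pf/match.sh, the ruleset never enables keepcounters, so the test only shows that a ruleset with two identical `pass tagged FOO` rules loads and passes traffic; the counter behaviour that the commit message accepts as a trade-off is not observed. Consider a second case that adds `set keepcounters`, reloads the ruleset and checks the rule counters, and make the `descr` say which regression is covered, for example that identical rules must not be rejected at load time.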