To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 0cd655f71b46 - stable/14 - pf: do not reject rules with colliding hashes
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 0cd655f71b46ada2c353c371e2a2f9f0dac29613
Date: Sat, 09 May 2026 13:30:38 +0000
Message-Id: <69ff36fe.1d240.246b23a1@gitrepo.freebsd.org>

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=0cd655f71b46ada2c353c371e2a2f9f0dac29613

commit 0cd655f71b46ada2c353c371e2a2f9f0dac29613
Author:     Kristof Provost
AuthorDate: 2026-04-29 15:04:44 +0000
Commit:     Kristof Provost
CommitDate: 2026-05-09 13:29:04 +0000

    pf: do not reject rules with colliding hashes

    We insert rules in pf_krule_global solely for the benefit of the
    'keepcounters' feature. Failing to insert (because the rule hash
    collides, or an identical rule already exists) would be worse than
    restoring counts to the wrong rule (or failing to restore them at all).

    PR:             282863, 294860, 294859, 294858
    MFC after:      3 days
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D56745

    (cherry picked from commit a0e4c65f1814a7a677364dc29bb703f84323d175)
---
 sys/netpfil/pf/pf_ioctl.c     | 24 ++++++++----------------
 tests/sys/netpfil/pf/match.sh | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index e824dfcff453..39d3536fe38e 100644 
--- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2376,14 +2376,12 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, PF_RULES_WUNLOCK(); pf_hash_rule(rule); - if (RB_INSERT(pf_krule_global, ruleset->rules[rs_num].inactive.tree, rule) != NULL) { - PF_RULES_WLOCK(); - TAILQ_REMOVE(ruleset->rules[rs_num].inactive.ptr, rule, entries); - ruleset->rules[rs_num].inactive.rcount--; - pf_free_rule(rule); - rule = NULL; - ERROUT(EEXIST); - } + /** + * Note: rule hashes may collide. Accept this, because the worst that can + * happen is that we get counter preservation wrong. + * Failing to insert here would be worse. + **/ + RB_INSERT(pf_krule_global, ruleset->rules[rs_num].inactive.tree, rule); PF_CONFIG_UNLOCK(); return (0); @@ -3693,14 +3691,8 @@ DIOCGETRULENV_error: ruleset->rules[rs_num].active.rcount--; } else { pf_hash_rule(newrule); - if (RB_INSERT(pf_krule_global, - ruleset->rules[rs_num].active.tree, newrule) != NULL) { - pf_free_rule(newrule); - PF_RULES_WUNLOCK(); - PF_CONFIG_UNLOCK(); - error = EEXIST; - break; - } + RB_INSERT(pf_krule_global, + ruleset->rules[rs_num].active.tree, newrule); if (oldrule == NULL) TAILQ_INSERT_TAIL( diff --git a/tests/sys/netpfil/pf/match.sh b/tests/sys/netpfil/pf/match.sh index bb088c5bf47c..5a1bfb4d51ea 100644 --- a/tests/sys/netpfil/pf/match.sh +++ b/tests/sys/netpfil/pf/match.sh 
@@ -67,7 +67,43 @@ dummynet_cleanup() pft_cleanup } +atf_test_case "duplicate_rules" "cleanup" +duplicate_rules_head() +{ + atf_set descr 'Test identical rules' + atf_set require.user root +} + +duplicate_rules_body() +{ + pft_init + + epair=$(vnet_mkepair) + vnet_mkjail alcatraz ${epair}b + + ifconfig ${epair}a 192.0.2.1/24 up + jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + + # Sanity check + atf_check -s exit:0 -o ignore ping -c 1 192.0.2.2 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz \ + "block" \ + "pass tagged FOO" \ + "match tag FOO" \ + "pass tagged FOO" + + atf_check -s exit:0 -o ignore ping -c 3 192.0.2.2 +} + +duplicate_rules_cleanup() +{ + pft_cleanup +} + atf_init_test_cases() { atf_add_test_case "dummynet" + atf_add_test_case "duplicate_rules" }
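
Review bot: in the pf_ioctl_addrule() hunk of sys/netpfil/pf/pf_ioctl.c (@@ -2376), the result of RB_INSERT() is now dropped silently, and the new comment does not say what state a colliding rule is left in. RB_INSERT() returns the existing node and does not link the new one when the keys compare equal, so after this change such a rule stays on the inactive TAILQ but is absent from inactive.tree. Please state that in the comment, make the discard explicit with "(void)RB_INSERT(...)", and confirm that every path which later removes rules from the tree copes with a rule that was never linked into it. Style: the block comment opens with "/**" and closes with "**/", where style(9) block comments use "/*" and " */".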
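
Review bot: in the second pf_ioctl.c hunk (@@ -3693, the newrule/oldrule path), the RB_INSERT() on active.tree also ignores its return value but carries none of the explanation added at the first call site. A reader who lands here first sees an unchecked insert with no rationale. Either repeat a short comment here or move the "hash, insert, tolerate collision" sequence that follows pf_hash_rule() into one small helper used by both sites, so the reasoning lives in one place and the two call sites cannot drift apart.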
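
Review bot: in the tests/sys/netpfil/pf/match.sh hunk, duplicate_rules_body() only checks that a ruleset containing two identical "pass tagged FOO" rules loads and passes traffic; it never enables keepcounters, which the commit message names as the only consumer of pf_krule_global. A second load of the same ruleset with keepcounters set, followed by a check that the load succeeds and pf still passes the ping, would cover the case where the counter lookup meets a rule that was left out of the tree. The description 'Test identical rules' could also say what is expected, for example that identical rules must be accepted rather than rejected with EEXIST.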