From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260796] ipfw: net.inet.ip.fw.dyn_keep_states=1 : packets silently vanish
Date: Wed, 29 Dec 2021 12:47:57 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260796

Bug ID: 260796
Summary: ipfw: net.inet.ip.fw.dyn_keep_states=1 : packets silently vanish
Product: Base System
Version: 12.3-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: bugs@FreeBSD.org
Reporter: pmc@citylink.dinoex.sub.org

net.inet.ip.fw.dyn_keep_states=1 will keep dynamic rules (for currently active connections) when the original stateful rule is deleted.

The resulting behaviour is obvious when the corresponding action is finite (e.g. allow, deny). But when the corresponding action is NOT finite (e.g. count, tag) and when net.inet.ip.fw.one_pass=0, then processing of further rules should continue at the point after the original stateful rule (which no longer exists).

In this case the current implementation redirects the rule processing to the final default rule 65535 (which normally is an unconditional unlogged deny), and so the respective packet silently vanishes.

While this may be the safest assumption, it is practically useless. A properly crafted ruleset can be made able to continue proper processing at the respective original line number even after it has been refactored and reloaded (e.g. nonfinite stateful rules always followed by a "return" rule). In that case it should be possible to have dyn_keep_states continue processing after the original line number.

I successfully obtained that desired behaviour by just removing the respective line from the code in sys/netpfil/ipfw/ip_fw_dynamic.c

I might propose a second option dyn_keep_states=2 to obtain this behaviour. Or, alternatively, dyn_keep_states might contain the actual rule number where processing should continue.
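The following audit script is an added example; it is not part of the bug report or of the FreeBSD source tree. It checks for the combination the report describes: net.inet.ip.fw.one_pass=0 together with net.inet.ip.fw.dyn_keep_states=1, plus stateful rules whose action does not end processing (the report's example is "count"), since deleting such a rule would leave its live dynamic states pointing at a rule number that no longer exists and send those packets to rule 65535. It assumes plain "ipfw list" output (rule number, action, body) and falls back to a constructed sample listing when ipfw is not available; the function and variable names are the script's own.

```shell
#!/bin/sh
# Added audit script (not from the bug report or the FreeBSD tree).
# Flags ipfw rules whose action is "count" (does not end processing)
# but which create dynamic state via keep-state. With
# net.inet.ip.fw.dyn_keep_states=1 and net.inet.ip.fw.one_pass=0,
# deleting such a rule leaves its dynamic states without a successor
# rule, and matching packets go to rule 65535 (bug 260796).
# Assumption: input is plain "ipfw list" output (number, action, body).

# keep_states_risk ONE_PASS DYN_KEEP_STATES
# Returns 0 (true) when the sysctl combination from the report is active.
keep_states_risk() {
    [ "$1" -eq 0 ] && [ "$2" -eq 1 ]
}

# audit_ruleset: reads an ipfw listing on stdin and prints the numbers of
# rules whose action is "count" and whose body contains "keep-state".
audit_ruleset() {
    awk '
        $2 == "count" {
            for (i = 3; i <= NF; i++)
                if ($i == "keep-state") { print $1; break }
        }
    '
}

# Constructed sample listing (not captured from a real system). Rule 01001
# mirrors the "count keep-state followed by return" pattern the report suggests.
SAMPLE_LISTING='00100 allow ip from any to any via lo0
01000 count tcp from any to any 22 keep-state :default
01001 return ip from any to any
01100 count tag 7 udp from any to 192.0.2.1 53 keep-state :dns
02000 allow tcp from any to any 80 keep-state :default
03000 check-state :default
65535 deny ip from any to any'

# Use the live ruleset and sysctls when run as root on a host with ipfw,
# otherwise fall back to the constructed sample so the script runs anywhere.
if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    listing=$(ipfw list)
    one_pass=$(sysctl -n net.inet.ip.fw.one_pass)
    keep_states=$(sysctl -n net.inet.ip.fw.dyn_keep_states)
else
    listing=$SAMPLE_LISTING
    one_pass=0
    keep_states=1
fi

if keep_states_risk "$one_pass" "$keep_states"; then
    echo "one_pass=$one_pass dyn_keep_states=$keep_states: deleting these stateful count rules would send their live flows to rule 65535:"
    printf '%s\n' "$listing" | audit_ruleset
else
    echo "one_pass=$one_pass dyn_keep_states=$keep_states: not affected by bug 260796"
fi
```

On a FreeBSD host, run it as root before reloading a refactored ruleset; every rule number it prints is one whose deletion would, under the reported behaviour, cause the flows it tracks to vanish at rule 65535 rather than continue through the remaining rules.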