From: bugzilla-noreply@freebsd.org
To: ipfw@FreeBSD.org
Subject: [Bug 276732] IPFW keep-state rules with untag do not go through parent rule cmd
Date: Fri, 09 Feb 2024 20:28:06 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276732

John Baldwin changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #2 from John Baldwin ---
(Hit Enter too soon, ignore previous comment)

I agree with the diagnosis.  I suspect though that the bug is a bit bigger as
currently we always skip over the first action opcode.  The fact that 'match'
is set to 1 allows this to "work" if the first action is "accept" which is
usually the action for keep-state rules.  However, I suspect that if you have
a 'log' action on a keep-state rule we don't actually log packets that match an
existing dynamic rule since we skip over the "log" opcode due to this bug.

A bit more background: in this set of loops in the kernel, you can think of
'cmd' as being a program counter (PC) for an ISA and 'cmdlen' is the implicit
PC increment to perform after handling the current opcode.  Since this action
is triggering the equivalent of a branch, it resets 'cmd' and 'l' as is done at
the start of the inner for loop and sets 'cmdlen' to 0 to avoid turn the
implicit PC increment at the end of the for loop into a nop.

I think though that the patch should drop the 'match = 1' as that is now just
noise.  Also, there is no need to keep the dead 'break' statement.  I've cc'd
ae@ to see if he has any thoughts, but if there's no other feedback in the next
week or so I'll commit the tweaked fix.
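
A toy model of the loop shape described in the comment above, added here as an illustration; it is not FreeBSD's ipfw code, and the opcode names, instruction encoding, `sample_prog` and `run()` are all hypothetical. It shows why a branch taken inside a loop with an implicit `cmd += cmdlen` step has to zero `cmdlen`: otherwise the first opcode at the branch target (here a "log" action) is never executed.

```c
#include <stdio.h>

/* Hypothetical toy opcodes, not ipfw's. Each instruction is one header
 * word (opcode << 8 | length in words) plus optional argument words. */
enum { OP_NOP, OP_JUMP_ACTIONS, OP_LOG, OP_ACCEPT };
#define INSN(op, len) (((unsigned)(op) << 8) | (len))
#define OPCODE(w) ((w) >> 8)
#define LEN(w) ((int)((w) & 0xff))

/* Constructed sample rule: match opcodes, a jump, then the actions. */
static const unsigned sample_prog[] = {
    INSN(OP_NOP, 2), 0,        /* match opcode with one argument word */
    INSN(OP_JUMP_ACTIONS, 1),  /* branch to the action part */
    INSN(OP_NOP, 1),           /* match opcode the branch skips over */
    INSN(OP_LOG, 1),           /* first action, at offset 4 */
    INSN(OP_ACCEPT, 1),        /* terminal action */
};

/* Run prog and return a bitmask of the action opcodes executed.
 * zero_cmdlen selects whether the branch cancels the implicit increment. */
unsigned run(const unsigned *prog, int total, int act_ofs, int zero_cmdlen)
{
    const unsigned *cmd;
    unsigned seen = 0;
    int l, cmdlen;

    for (l = total, cmd = prog; l > 0; l -= cmdlen, cmd += cmdlen) {
        cmdlen = LEN(*cmd);
        switch (OPCODE(*cmd)) {
        case OP_JUMP_ACTIONS:
            cmd = prog + act_ofs;      /* reset the PC ... */
            l = total - act_ofs;       /* ... and the words remaining */
            if (zero_cmdlen)
                cmdlen = 0;            /* loop increment becomes a no-op */
            continue;
        case OP_LOG:
            seen |= 1u << OP_LOG;
            break;
        case OP_ACCEPT:
            return seen | (1u << OP_ACCEPT);
        }
    }
    return seen;
}

int main(void)
{
    printf("cmdlen zeroed: %#x\n", run(sample_prog, 6, 4, 1));
    printf("cmdlen kept:   %#x\n", run(sample_prog, 6, 4, 0));
}
```

With `cmdlen` zeroed both actions run; with the jump opcode's own length left in `cmdlen`, the loop step advances past the "log" opcode and only "accept" runs.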