Date: Tue, 21 Jan 2025 11:37:03 GMT
Message-Id: <202501211137.50LBb3Z5067009@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: "Andrey V. Elsukov"
Subject: git: 7dc48056c87b - stable/14 - ipfw: use only needed TCP flags for state tracking

The branch stable/14 has been updated by ae:

URL: https://cgit.FreeBSD.org/src/commit/?id=7dc48056c87b2100f2841d48dbb45a46ffdae934

commit 7dc48056c87b2100f2841d48dbb45a46ffdae934
Author:     Andrey V. Elsukov
AuthorDate: 2024-12-12 12:57:45 +0000
Commit:     Andrey V. Elsukov
CommitDate: 2025-01-21 11:35:40 +0000

    ipfw: use only needed TCP flags for state tracking

    This fixes stateful firewall failures after adding TH_AE flag into
    TH_FLAGS.

    Reported by:    ronald
    Fixes:          347dd05

    (cherry picked from commit 9ea8d692f4cb552902b9e8394260d7f3cf4aefb0)
---
 sys/netpfil/ipfw/ip_fw_dynamic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c index 283032048845..d26e05e5d159 100644 --- a/sys/netpfil/ipfw/ip_fw_dynamic.c +++ b/sys/netpfil/ipfw/ip_fw_dynamic.c @@ -920,7 +920,8 @@ print_dyn_rule_flags(const struct ipfw_flow_id *id, int dyn_type, #define _SEQ_GE(a,b) ((int)((a)-(b)) >= 0) #define BOTH_SYN (TH_SYN | (TH_SYN << 8)) #define BOTH_FIN (TH_FIN | (TH_FIN << 8)) -#define TCP_FLAGS (TH_FLAGS | (TH_FLAGS << 8)) +#define BOTH_RST (TH_RST | (TH_RST << 8)) +#define TCP_FLAGS (BOTH_SYN | BOTH_FIN | BOTH_RST) #define ACK_FWD 0x00010000 /* fwd ack seen */ #define ACK_REV 0x00020000 /* rev ack seen */ #define ACK_BOTH (ACK_FWD | ACK_REV)
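
Review bot: The new `TCP_FLAGS` define in the `+` lines carries no comment explaining why the mask is now limited to SYN, FIN and RST, and the name still suggests it covers every TCP flag. The surrounding defines imply a packed layout: forward flags in the low byte, reverse flags shifted `<< 8`, and `ACK_FWD 0x00010000` starting directly above them, so any per-direction flag wider than eight bits would spill into the ACK bits once shifted. A short comment above `BOTH_RST` and `TCP_FLAGS` stating that layout, and that only these three flags are needed for state tracking, would keep a later addition to `TH_FLAGS` from reintroducing the failure the commit message describes; a compile-time assertion that the per-direction flags fit in eight bits would enforce it.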