[Bug 276732] IPFW keep-state rules with untag do not go through parent rule cmd
Date: Fri, 09 Feb 2024 20:28:06 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276732

John Baldwin <jhb@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #2 from John Baldwin <jhb@FreeBSD.org> ---
(Hit Enter too soon, ignore previous comment)

I agree with the diagnosis. I suspect though that the bug is a bit bigger as currently we always skip over the first action opcode. The fact that 'match' is set to 1 allows this to "work" if the first action is "accept" which is usually the action for keep-state rules. However, I suspect that if you have a 'log' action on a keep-state rule we don't actually log packets that match an existing dynamic rule since we skip over the "log" opcode due to this bug.

A bit more background: in this set of loops in the kernel, you can think of 'cmd' as being a program counter (PC) for an ISA and 'cmdlen' is the implicit PC increment to perform after handling the current opcode. Since this action is triggering the equivalent of a branch, it resets 'cmd' and 'l' as is done at the start of the inner for loop and sets 'cmdlen' to 0 to avoid turn the implicit PC increment at the end of the for loop into a nop.

I think though that the patch should drop the 'match = 1' as that is now just noise. Also, there is no need to keep the dead 'break' statement.

I've cc'd ae@ to see if he has any thoughts, but if there's no other feedback in the next week or so I'll commit the tweaked fix.

-- 
You are receiving this mail because:
You are the assignee for the bug.
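
The program-counter analogy in the comment above, as a toy model added here for illustration; it is not code from the bug report or from the FreeBSD kernel. The opcode names, `run_rule()` and the way the buggy variant ends up with a non-zero increment are assumptions chosen to reproduce the skipped "log" action described in the comment.

```c
#include <stdio.h>

/* Toy opcodes, constructed for this example (not the kernel's O_* values). */
enum { OP_KEEP_STATE, OP_LOG, OP_ACCEPT };
struct insn { int opcode; int len; };  /* len: slots this opcode occupies */

#define SEEN_LOG    0x1
#define SEEN_ACCEPT 0x2

/* Constructed rule: keep-state match, then actions "log" (2 slots), "accept". */
static const struct insn demo_rule[] = {
    { OP_KEEP_STATE, 1 }, { OP_LOG, 2 }, { 0, 0 } /* log payload */, { OP_ACCEPT, 1 },
};
enum { DEMO_LEN = 4, DEMO_ACT_OFS = 1 };

/* Returns a bitmask of the action opcodes that were actually executed. */
static int run_rule(const struct insn *rule, int rule_len, int act_ofs, int fixed)
{
    const struct insn *cmd;
    int l, cmdlen, seen = 0;

    for (l = rule_len, cmd = rule; l > 0; l -= cmdlen, cmd += cmdlen) {
        cmdlen = cmd->len;               /* implicit "PC increment" */
        switch (cmd->opcode) {
        case OP_KEEP_STATE:              /* existing state matched: branch */
            cmd = rule + act_ofs;        /* reset PC to the first action */
            l = rule_len - act_ofs;
            /* Fixed: make the loop increment a no-op. Buggy (model
             * assumption): a stale non-zero increment steps over it. */
            cmdlen = fixed ? 0 : cmd->len;
            break;
        case OP_LOG:
            seen |= SEEN_LOG;
            break;
        case OP_ACCEPT:
            seen |= SEEN_ACCEPT;
            return seen;                 /* terminal action */
        }
    }
    return seen;
}

int main(void)
{
    printf("buggy: 0x%x\n", run_rule(demo_rule, DEMO_LEN, DEMO_ACT_OFS, 0));
    printf("fixed: 0x%x\n", run_rule(demo_rule, DEMO_LEN, DEMO_ACT_OFS, 1));
    return 0;
}
```

In the buggy run the packet is still accepted but the "log" slot is never visited, which is the audit gap for keep-state rules that the comment anticipates.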