[Bug 276732] IPFW keep-state rules with untag do not go through parent rule cmd

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276732

John Baldwin <jhb@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #2 from John Baldwin <jhb@FreeBSD.org> ---
(Hit Enter too soon, ignore previous comment)

I agree with the diagnosis.  I suspect though that the bug is a bit bigger as
currently we always skip over the first action opcode.  The fact that 'match'
is set to 1 allows this to "work" if the first action is "accept" which is
usually the action for keep-state rules.  However, I suspect that if you have a
'log' action on a keep-state rule we don't actually log packets that match an
existing dynamic rule since we skip over the "log" opcode due to this bug.

A bit more background: in this set of loops in the kernel, you can think of
'cmd' as being a program counter (PC) for an ISA and 'cmdlen' is the implicit
PC increment to perform after handling the current opcode.  Since this action
is triggering the equivalent of a branch, it resets 'cmd' and 'l' as is done at
the start of the inner for loop and sets 'cmdlen' to 0 to avoid turn the
implicit PC increment at the end of the for loop into a nop.

I think though that the patch should drop the 'match = 1' as that is now just
noise.  Also, there is no need to keep the dead 'break' statement.  I've cc'd
ae@ to see if he has any thoughts, but if there's no other feedback in the next
week or so I'll commit the tweaked fix.

-- 
You are receiving this mail because:
You are the assignee for the bug.