Page MenuHomeFreeBSD
Differential D51460

ipfw: add protected rule for orphaned dynamic states
ClosedPublic
Actions

Authored by ae on Jul 22 2025, 8:21 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Oct 12, 1:07 PM
Unknown Object (File)
Sat, Oct 11, 7:26 AM
Unknown Object (File)
Sat, Oct 11, 7:26 AM
Unknown Object (File)
Sat, Oct 11, 7:26 AM
Unknown Object (File)
Sat, Oct 11, 12:09 AM
Unknown Object (File)
Fri, Oct 3, 1:21 PM
Unknown Object (File)
Fri, Oct 3, 5:10 AM
Unknown Object (File)
Fri, Oct 3, 1:37 AM
View All 42 Files
Subscribers
donner
glebius
imp
melifaro
vegeta_tuxpowered.net

Details

Reviewers
glebius
melifaro
zlei
Commits
rG877e70e6087f: ipfw: add protected rule for orphaned dynamic states
Summary

When we have enabled V_dyn_keep_states, states that become ORPHANED
will keep pointer to original rule. Then this rule pointer is used
to apply rule action after ipfw_dyn_lookup_state().
Some rule actions use IPFW_INC_RULE_COUNTER() directly to this rule
pointer, but other actions use chain->map[f_pos] instead. The last
case leads to incrementing counters on the wrong rule, because
ORPHANED states have not parent rule in chain->map[].
To solve this we add protected rule, that will be matched only by
packets that are handled by ORPHANED states.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 65613
Build 62496: arc lint + arc unit

Event Timeline

ae created this revision.Jul 22 2025, 8:21 AM
ae held this revision as a draft.
Herald added subscribers: vegeta_tuxpowered.net, glebius, donner and 2 others. · View Herald TranscriptJul 22 2025, 8:21 AM
Harbormaster completed remote builds in B65613: Diff 158888.Jul 22 2025, 8:21 AM
ae published this revision for review.Jul 22 2025, 8:21 AM
ae added reviewers: glebius, melifaro, zlei.
This revision was not accepted when it landed; it landed in state Needs Review.Aug 3 2025, 10:08 AM
Closed by commit rG877e70e6087f: ipfw: add protected rule for orphaned dynamic states (authored by ae). · Explain Why
This revision was automatically updated to reflect the committed changes.
ae added a commit: rG877e70e6087f: ipfw: add protected rule for orphaned dynamic states.

Revision Contents
Changeset List

PathSize
sys/
netpfil/
ipfw/
2 lines
39 lines

Diff 158888

View Options

sys/netpfil/ipfw/ip_fw2.c

Loading...
View Options

sys/netpfil/ipfw/ip_fw_dynamic.c

Loading...