From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 238796] ipfilter: failure to detect the same rules when arguments ordered differently
Date: Fri, 19 Jul 2019 19:56:02 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238796

--- Comment #29 from Cy Schubert ---

I am only able to reproduce this problem when the on argument is moved ahead of the reply-to.

root@ipftest:~ # echo "pass in quick reply-to tun0:10.1.1.1 on tun0 proto tcp from any to 10.1.1.11 port = 22 flags S/FSRPAU keep state" | ipf -f -
root@ipftest:~ # echo "pass in quick reply-to tun1:10.1.2.1 on tun1 proto tcp from any to 10.1.2.11 port = 22 flags S/FSRPAU keep state" | ipf -f -
root@ipftest:~ # echo "pass in quick reply-to tun0:10.1.1.1 on tun0 proto tcp from any to 10.1.1.11 port = 22 flags S/FSRPAU keep state" | ipf -f -
32:1:ioctl(add/insert rule): rule already exists
root@ipftest:~ # echo "pass in quick on tun0 reply-to tun0:10.1.1.1 proto tcp from any to 10.1.1.11 port = 22 flags S/FSRPAU keep state" | ipf -f -
root@ipftest:~ # echo "pass in quick on tun0 reply-to tun0:10.1.1.1 proto tcp from any to 10.1.1.11 port = 22 flags S/FSRPAU keep state" | ipf -f -
32:1:ioctl(add/insert rule): rule already exists
root@ipftest:~ #
root@ipftest:~ # uname -a
FreeBSD ipftest 13.0-CURRENT FreeBSD 13.0-CURRENT r350103 GENERIC amd64
root@ipftest:~ #
root@ipftest:~ # kldstat
Id Refs Address            Size     Name
 1    9 0xffffffff80200000 24ffe50  kernel
 2    1 0xffffffff82819000 2538     intpm.ko
 3    1 0xffffffff8281c000 a50      smbus.ko
 4    1 0xffffffff8281d000 2498     filemon.ko
 5    1 0xffffffff82820000 6baa0    ipl.ko
root@ipftest:~ #
root@ipftest:~ # ipfstat -Rion
# empty list for ipfilter(out)
@1 pass in quick on tun0 reply-to tun0:10.1.1.1 inet proto tcp from any to 10.1.1.11/32 port = 22 flags S/FSRPAU keep state
@2 pass in quick on tun1 reply-to tun1:10.1.2.1 inet proto tcp from any to 10.1.2.11/32 port = 22 flags S/FSRPAU keep state
@3 pass in quick on tun0 reply-to tun0:10.1.1.1 inet proto tcp from any to 10.1.1.11/32 port = 22 flags S/FSRPAU keep state
root@ipftest:~ #
root@ipftest:~ # ipf -ZFa
root@ipftest:~ # echo "pass in quick reply-to tun0:10.1.1.1 on tun0 proto tcp from any to 10.1.1.11 port = 22 flags S/FSRPAU keep state" | ipf -f -
root@ipftest:~ # echo "pass in quick reply-to tun1:10.1.2.1 on tun1 proto tcp from any to 10.1.2.11 port = 22 flags S/FSRPAU keep state" | ipf -f -
root@ipftest:~ # echo "pass in quick reply-to tun0:10.1.1.1 on tun0 proto tcp from any to 10.1.1.11 port = 22 flags S/FSRPAU keep state" | ipf -f -
32:1:ioctl(add/insert rule): rule already exists
root@ipftest:~ #
root@ipftest:~ # ipfstat -Rion
# empty list for ipfilter(out)
@1 pass in quick on tun0 reply-to tun0:10.1.1.1 inet proto tcp from any to 10.1.1.11/32 port = 22 flags S/FSRPAU keep state
@2 pass in quick on tun1 reply-to tun1:10.1.2.1 inet proto tcp from any to 10.1.2.11/32 port = 22 flags S/FSRPAU keep state
root@ipftest:~ #

As you can see it rejects the second attempt to load the same rule; however, rearranging the on argument (first example) adds a shadowed rule which it should have rejected. This is probably because the additional interface names appended to frentry_t are out of order, causing fr_ifnames to also be out of order. I have yet to test this hypothesis (yet to decide whether to implement a new SDT DTrace probe or simply expose ipf_rule_compare to allow FBT probes).

The tests above were using the image on ftp.freebsd.org in a VirtualBox VM which itself is running on 13.0-CURRENT.
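Until the kernel-side comparison is fixed, the practical defence is to catch the duplicate before it is loaded: a ruleset linter that canonicalises each rule so that "reply-to X on Y" and "on Y reply-to X" compare equal, and reports any rule that repeats an earlier one (with quick on the earlier copy, the repeat is a shadowed rule that can never match). The following is an added example written for this page; it is not code from the bug report, from Cy Schubert, or from ipfilter itself. It handles only the rule keywords that appear in the session above (plus inet/inet6, log, dup-to and keep frags, which are assumed to take the same shape), refuses anything else rather than compare half-parsed rules, and uses the three rules from the report as constructed input.

```python
"""Order-insensitive duplicate detection for ipfilter rule text (added example)."""
import re

# Keywords assumed to take exactly one argument in the subset handled here.
_ONE_ARG = ("on", "reply-to", "dup-to", "proto", "flags")
# Comparison operators ipf accepts in a "port <op> <value>" clause.
_PORT_OPS = ("=", "!=", "<", ">", "<=", ">=", "eq", "ne", "lt", "gt", "le", "ge")


def _norm_addr(addr):
    """'any' stays 'any'; a bare IPv4 host gets the /32 that ipfstat prints."""
    if addr == "any" or "/" in addr:
        return addr
    return addr + "/32"


def parse_rule(text):
    """Parse one ipf rule line (ipf.conf form or ipfstat -n form) into named fields.

    Raises ValueError on any keyword outside the supported subset so that the
    linter never silently compares half-parsed rules.
    """
    tokens = text.split()
    if tokens and re.fullmatch(r"@\d+", tokens[0]):   # "@3 ..." prefix from ipfstat -n
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[1] not in ("in", "out"):
        raise ValueError("expected '<action> in|out ...': %r" % text)
    # Family defaults to inet: ipf prints it explicitly, ipf.conf usually omits it (assumption).
    fields = {"action": tokens[0], "dir": tokens[1], "family": "inet"}
    side = None   # endpoint ("src"/"dst") that a following "port" clause belongs to
    i = 2
    n = len(tokens)
    while i < n:
        t = tokens[i]
        if t in ("quick", "log"):
            fields[t] = True
            i += 1
        elif t in ("inet", "inet6"):
            fields["family"] = t
            i += 1
        elif t in _ONE_ARG and i + 1 < n:
            fields[t] = tokens[i + 1]
            i += 2
        elif t in ("from", "to") and i + 1 < n:
            side = "src" if t == "from" else "dst"
            fields[side] = _norm_addr(tokens[i + 1])
            i += 2
        elif t == "port" and side is not None and i + 1 < n:
            if tokens[i + 1] in _PORT_OPS and i + 2 < n:
                fields[side + "_port"] = (tokens[i + 1], tokens[i + 2])
                i += 3
            else:
                fields[side + "_port"] = ("=", tokens[i + 1])
                i += 2
        elif t == "keep" and i + 1 < n and tokens[i + 1] in ("state", "frags"):
            fields["keep " + tokens[i + 1]] = True
            i += 2
        else:
            raise ValueError("unsupported or misplaced token %r in %r" % (t, text))
    return fields


def canonical(text):
    """Order-independent identity of a rule: its fields as a sorted tuple."""
    return tuple(sorted(parse_rule(text).items()))


def find_duplicates(rules):
    """Return (index, first_index) pairs for rules that repeat an earlier rule."""
    seen = {}
    dups = []
    for idx, rule in enumerate(rules):
        key = canonical(rule)
        if key in seen:
            dups.append((idx, seen[key]))
        else:
            seen[key] = idx
    return dups


# Constructed input: the three rules loaded in the bug report's first session.
RULESET = [
    "pass in quick reply-to tun0:10.1.1.1 on tun0 proto tcp from any to 10.1.1.11 port = 22 flags S/FSRPAU keep state",
    "pass in quick reply-to tun1:10.1.2.1 on tun1 proto tcp from any to 10.1.2.11 port = 22 flags S/FSRPAU keep state",
    "pass in quick on tun0 reply-to tun0:10.1.1.1 proto tcp from any to 10.1.1.11 port = 22 flags S/FSRPAU keep state",
]

if __name__ == "__main__":
    for idx, first in find_duplicates(RULESET):
        print("rule %d duplicates rule %d (shadowed): %s" % (idx + 1, first + 1, RULESET[idx]))
```

Run over the ruleset above it reports the third rule as a duplicate of the first, which is exactly the rule the kernel accepted as @3; because parse_rule also accepts the "@N ... inet ... /32" form that ipfstat -Rion prints, the same function can be used to diff a live ruleset against the file it was loaded from.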