Date: Tue, 25 Jun 2019 05:37:57 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 238796] ipfilter: fix unremovable rules and rules checksum for comparison
Message-ID: <bug-238796-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238796

Bug ID: 238796
Summary: ipfilter: fix unremovable rules and rules checksum for comparison
Product: Base System
Version: 12.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: msl0000023508@gmail.com

Created attachment 205322
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=205322&action=edit
freebsd-ipfilter-rule-compare-fix.diff

This patch fixes 2 bugs.

1. Unremovable rules:

A filter rule could become non-removable if it contains a 'route-to' (displayed as 'to' in ipfstat(8) output), 'reply-to' or 'dup-to' keyword to specify an interface name for routing. For example:

[root@x ~]# ipfstat -Rion
# empty list for ipfilter(out)
@1 ...
@2 ...
@3 ...
@4 pass in quick on vboxnet0 to tun0:10.1.202.11 inet proto tcp from 10.12.4.0/24 port = 22 to any
@5 pass in quick on vboxnet0 to tun0:10.1.202.11 inet from 10.0.5.52/32 to any
[root@x ~]# echo "pass in quick on vboxnet0 to tun0:10.1.202.11 inet proto tcp from 10.12.4.0/24 port = 22 to any" | ipf -r -f -
29:1:ioctl(delete rule): rule not found for removing
[root@x ~]# echo "pass in quick on vboxnet0 to tun0:10.1.202.11 inet proto tcp from 10.12.4.0/24 port = 22 to any" | ipf -f -
[root@x ~]# ipfstat -Rion
# empty list for ipfilter(out)
@1 ...
@2 ...
@3 ...
@4 pass in quick on vboxnet0 to tun0:10.1.202.11 inet proto tcp from 10.12.4.0/24 port = 22 to any
@5 pass in quick on vboxnet0 to tun0:10.1.202.11 inet from 10.0.5.52/32 to any
@6 pass in quick on vboxnet0 to tun0:10.1.202.11 inet proto tcp from 10.12.4.0/24 port = 22 to any

As shown by the output, rule @4 cannot be removed using 'ipf -r'; trying to add exactly the same rule succeeds, as rule @6; but duplicated rules are not allowed by the ipfilter design. Rule @5 has the same issue.
The cause of this bug is that when comparing 2 rules, the code failed to exclude some volatile variables, such as pointers and index numbers into a volatile array. The pointers included in the rule comparison are 'fd_ptr' in 'frdest_t', which in turn are included as 'fr_tifs' and 'fr_dif' in 'struct frentry', the rule entry structure. The index numbers are 'fr_ifnames' in 'struct frentry', and 'fd_name' ('fr_tifs', 'fr_dif'); all those numbers are indexes into the string array 'fr_names' in 'struct frentry'; the actual strings should be compared instead of the indexes, since the string sequence inside 'fr_ifnames' may differ even between 2 identical rules.

Another variable that should be excluded from the comparison is 'fd_local' in 'frdest_t'. This variable is a hint for the code to determine whether an address is local; it shouldn't be compared, because it could change at runtime (an address was added to an interface after the rule was added).

2. Inefficient rule checksum

There is a member 'fr_cksum' in 'struct frentry'; it was designed to speed up rule comparison; see
https://svnweb.freebsd.org/base/stable/12/sys/contrib/ipfilter/netinet/fil.c?revision=349223&view=markup#l4922

The code above calculates the first part of the checksum starting from member 'fr_func' and ending at 'fr_chsum'. However, in ipfilter revision '2580062 from/to targets should be able to use any interface name; 2605045 destination lists aren't loaded; 2605049 destination lists need testing; 2637667 pool stats structures should not have pointers; 2644504 cannot list configured destination lists; 2644536 destination lists need more selection policies', branch 'v5-1-RELEASE', on 2009-03-08 09:08:32, the member 'fr_chsum' was moved, sitting before 'fr_func', causing this calculation to be skipped.

-- 
You are receiving this mail because:
You are the assignee for the bug.
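The comparison defect in item 1, as an added illustration that is not the attached patch: the structs below are a simplified stand-in for ipfilter's (field names borrowed from the report, layouts and helper functions assumed), showing that the same rule text parsed twice can store its interface names in 'fr_names' in a different order and receive a fresh 'fd_ptr' and 'fd_local', so a byte-wise comparison never matches the loaded rule, while comparing the resolved strings and skipping the volatile fields does.

```c
#include <stdio.h>
#include <string.h>
/* Simplified stand-in for the layout the report describes: interface names live
 * in a per-rule string array and the rule stores only indexes into it; a route-to
 * destination also carries a resolved pointer and a runtime "local" hint. */
#define NAMES_LEN 64
#define NIFS 2
typedef struct {
    int   fd_name;  /* index of the interface name in fr_names */
    void *fd_ptr;   /* resolved interface pointer, set at load time */
    int   fd_local; /* runtime hint, may change after the rule is loaded */
} frdest_t;
typedef struct {
    int      fr_ifnames[NIFS];   /* indexes into fr_names, -1 if unset */
    frdest_t fr_dif;             /* the 'to' (route-to) destination */
    char     fr_names[NAMES_LEN];
    size_t   fr_namelen;
} frentry_t;
static int add_name(frentry_t *fr, const char *s) { /* returns the new index */
    size_t n = strlen(s) + 1, idx = fr->fr_namelen;
    if (idx + n > NAMES_LEN) return -1;
    memcpy(fr->fr_names + idx, s, n);
    fr->fr_namelen += n;
    return (int)idx;
}
static const char *name_at(const frentry_t *f, int i) { return i < 0 ? "" : f->fr_names + i; }
/* Buggy comparison: raw bytes, so indexes, pointers and fd_local all count. */
int rule_equal_naive(const frentry_t *a, const frentry_t *b) { return memcmp(a, b, sizeof(*a)) == 0; }
/* Fixed comparison: resolve indexes to strings, ignore fd_ptr and fd_local. */
int rule_equal_fixed(const frentry_t *a, const frentry_t *b) {
    for (int i = 0; i < NIFS; i++)
        if (strcmp(name_at(a, a->fr_ifnames[i]), name_at(b, b->fr_ifnames[i])))
            return 0;
    return strcmp(name_at(a, a->fr_dif.fd_name), name_at(b, b->fr_dif.fd_name)) == 0;
}
/* Build "on vboxnet0 to tun0" with the two names stored in either order. */
static void build_rule(frentry_t *fr, int to_first, void *ptr, int local) {
    memset(fr, 0, sizeof(*fr));
    if (to_first) fr->fr_dif.fd_name = add_name(fr, "tun0");
    fr->fr_ifnames[0] = add_name(fr, "vboxnet0");
    fr->fr_ifnames[1] = -1;
    if (!to_first) fr->fr_dif.fd_name = add_name(fr, "tun0");
    fr->fr_dif.fd_ptr = ptr; fr->fr_dif.fd_local = local;
}
/* Loaded rule vs. the same text re-parsed for 'ipf -r' (constructed values). */
int compare_demo(int fixed) {
    frentry_t loaded, again;
    build_rule(&loaded, 0, (void *)0x1000, 0);
    build_rule(&again, 1, (void *)0x2000, 1);
    return fixed ? rule_equal_fixed(&loaded, &again) : rule_equal_naive(&loaded, &again);
}
int main(void) { printf("naive=%d fixed=%d\n", compare_demo(0), compare_demo(1)); return 0; }
```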