https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276732
John Baldwin <j...@freebsd.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|New |Open
--- Comment #2 from John Baldwin <j...@freebsd.org> ---
(Hit Enter too soon, ignore previous comment)
I agree with the diagnosis. I suspect though that the bug is a bit bigger as
currently we always skip over the first action opcode. The fact that 'match'
is set to 1 allows this to "work" if the first action is "accept" which is
usually the action for keep-state rules. However, I suspect that if you have a
'log' action on a keep-state rule we don't actually log packets that match an
existing dynamic rule since we skip over the "log" opcode due to this bug.
A bit more background: in this set of loops in the kernel, you can think of
'cmd' as being a program counter (PC) for an ISA and 'cmdlen' is the implicit
PC increment to perform after handling the current opcode. Since this action
is triggering the equivalent of a branch, it resets 'cmd' and 'l' as is done at
the start of the inner for loop and sets 'cmdlen' to 0 to avoid turn the
implicit PC increment at the end of the for loop into a nop.
I think though that the patch should drop the 'match = 1' as that is now just
noise. Also, there is no need to keep the dead 'break' statement. I've cc'd
ae@ to see if he has any thoughts, but if there's no other feedback in the next
week or so I'll commit the tweaked fix.
--
You are receiving this mail because:
You are the assignee for the bug.
