State creation with reversed 5-tuple causes incorrect behavior with non-terminating rules #223

@ol-imorozko

Description

Now the dynamic rules are created with a reversed 5-tuple, meaning the source and destination addresses and ports are swapped. This behavior deviates from the expected functionality as described in the ipfw specification.

According to the ipfw man page:

Dynamic rules are created when a packet matches a keep-state, record-state, limit or set-limit rule, causing the creation of a dynamic rule which will match all and only packets with a given protocol between a src-ip/src-port dst-ip/dst-port pair of addresses (src and dst are used here only to denote the initial match addresses, but they are completely equivalent afterwards). Rules created by keep-state option also have a :flowname taken from it. This name is used in matching together with addresses, ports and protocol. Dynamic rules will be checked at the first check-state, keep-state or limit occurrence, and the action performed upon a match will be the same as in the parent rule.

This can lead to incorrect behavior when dealing with non-terminating rules.

Example Configuration

:BEGIN
add skipto :IN ip from any to any in

:IN
add check-state
add dump ring1 ip from any to any
add allow udp from 10.0.0.0/24 to any 53 record-state
add deny ip from any to any

Expected Behavior

  • The first direct packet should match the dump rule and create a state.
  • The second packet should be matched on check-state and not trigger the dump rule again.

Current Behavior

  • The first direct packet matches the dump rule and creates a state with the reversed 5-tuple.
  • The second packet, expected to match the check-state, does not find the state due to the reversed 5-tuple and thus matches the dump rule again.
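A small model of the ruleset above, added here as an illustration and not code from the project: it runs two identical packets through check-state, the non-terminating dump rule and the record-state rule, and counts how often the dump rule fires when the dynamic rule is stored with the reversed 5-tuple versus the direct one. It assumes that dynamic-rule lookup is an exact 5-tuple match (as the issue implies); the optional symmetric lookup models the man page's "src and dst are completely equivalent afterwards". Addresses and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reversed(self):
        # Swap source and destination: the tuple the reported behaviour records
        return FiveTuple(self.proto, self.dst_ip, self.dst_port,
                         self.src_ip, self.src_port)


def process(packets, create_reversed, symmetric_lookup=False):
    """Run packets through the issue's ruleset: check-state, dump,
    'allow udp from 10.0.0.0/24 to any 53 record-state', deny.
    Returns (dump-rule hits, packets allowed)."""
    states = set()
    dumped = allowed = 0
    for pkt in packets:
        # check-state: exact match, or either direction when symmetric
        hit = pkt in states or (symmetric_lookup and pkt.reversed() in states)
        if hit:
            allowed += 1          # same action as the parent (allow) rule
            continue
        dumped += 1               # non-terminating dump rule, keep evaluating
        if (pkt.proto == "udp" and pkt.dst_port == 53 and
                ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network("10.0.0.0/24")):
            states.add(pkt.reversed() if create_reversed else pkt)
            allowed += 1
        # anything else falls through to the final deny rule
    return dumped, allowed


# Constructed traffic: the same DNS query sent twice in the same direction
QUERY = FiveTuple("udp", "10.0.0.5", 4000, "192.0.2.53", 53)
TWO_QUERIES = [QUERY, QUERY]

if __name__ == "__main__":
    print("reversed state:", process(TWO_QUERIES, create_reversed=True))   # (2, 2)
    print("direct state:  ", process(TWO_QUERIES, create_reversed=False))  # (1, 2)
```

With the reversed state the dump rule fires for both packets; with the direct state only the first one is dumped. Running the query followed by its reply (`QUERY.reversed()`) shows that an exact-match direct state misses the reply, which is why a direction-insensitive lookup matches the man page's wording.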