Date: Tue, 27 Aug 2024 11:42:26 +0000
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)
Message-ID: <bug-280701-7501-lvzSaHi1Rd@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-280701-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-280701-7501@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #58 from Franco Fichtner <franco@opnsense.org> ---

I found these inconsistencies in the ported patches from OpenBSD:

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index ef488bad26d..c9180e877d5 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -1878,7 +1878,7 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type,
 			 */
 			*icmp_dir = PF_IN;
 			*virtual_type = MLD_LISTENER_QUERY;
-			*virtual_id = 0;
+			*virtual_id = 0; /* XXX missing fake id */
 			break;
 		}
 		case MLD_MTRACE:
@@ -1892,7 +1892,8 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type,
 			*icmp_dir = PF_IN;
 		case ND_NEIGHBOR_ADVERT: {
 			*virtual_type = ND_NEIGHBOR_SOLICIT;
-			*virtual_id = 0;
+			*multi = PF_ICMP_MULTI_SOLICITED;
+			*virtual_id = 0; /* XXX missing fake id */
 			break;
 		}

From early testing, however, it's not working any better with plugging back PF_ICMP_MULTI_SOLICITED only. I'm unsure about the mock id effect. But what I can say is that it's better to skip dealing with PF_ICMP_MULTI_SOLICITED as OpenBSD did in 2012 too:

https://github.com/openbsd/src/commit/2633ae8c4c8a64

Another patch from 2023 is relevant as well as it disables half the state tracking for unsolicited advertise cases:

https://github.com/openbsd/src/commit/49f39043a02d6
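Review bot: the first hunk (MLD_LISTENER_QUERY mapping) changes no behaviour; it only tags `*virtual_id = 0;` with `/* XXX missing fake id */`, so the state is still keyed on id 0 and an unresolved XXX marker would land in the tree without the fix it points at. Either supply the placeholder id the comment says is missing, or replace the XXX with a comment stating why an id of 0 is acceptable for listener queries.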
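Review bot: the second hunk adds `*multi = PF_ICMP_MULTI_SOLICITED;` on the ND_NEIGHBOR_SOLICIT/ND_NEIGHBOR_ADVERT path, yet the comment text right below reports that plugging PF_ICMP_MULTI_SOLICITED back did not help in early testing and points to the 2012 OpenBSD commit that stopped handling it, so the hunk reintroduces what the author argues should be skipped. Drop the `*multi` line or justify it against the linked OpenBSD history; note that the context line `*icmp_dir = PF_IN;` falls through into `case ND_NEIGHBOR_ADVERT: {`, so the added assignment applies to both solicit and advert, and the `/* XXX missing fake id */` marker here has the same open-question problem as in the first hunk.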