Date:      Thu, 13 Feb 2025 12:39:05 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 25dbba4fc6e1 - main - pf: improve UDP-in-ICMP handling
Message-ID:  <202502131239.51DCd5bT075585@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=25dbba4fc6e152a05e091180b2e031ab495ba337

commit 25dbba4fc6e152a05e091180b2e031ab495ba337
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-02-10 15:33:18 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-02-13 12:38:44 +0000

    pf: improve UDP-in-ICMP handling
    
    Translate port numbers for inner udp packets when they're returned
    as a payload of icmp error messages. Makes traceroute6 operate
    across a nat64 gateway.
    
    prompted by sthen, ok henning
    
    Previous udp port number rewrite fix turned out to be a work around
    the incorrect pf_change_ap call. While here make the tcp case use
    pf_change_ap since it shares the same properties.  ok henning
    
    Obtained from:  OpenBSD, mikeb <mikeb@openbsd.org>, 7a304f30d6
    Obtained from:  OpenBSD, mikeb <mikeb@openbsd.org>, 5d4200d304
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 65eb5736d43d..1b0eb6d6dd80 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7972,8 +7972,12 @@ pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd,
 						pd->proto = IPPROTO_ICMP;
 					else
 						pd->proto = IPPROTO_ICMPV6;
-					th.th_sport = nk->port[sidx];
-					th.th_dport = nk->port[didx];
+					pf_change_ap(pd->m, pd2.src, &th.th_sport,
+					    pd->ip_sum, &th.th_sum, &nk->addr[pd2.sidx],
+					    nk->port[sidx], 1, pd->af, nk->af);
+					pf_change_ap(pd->m, pd2.dst, &th.th_dport,
+					    pd->ip_sum, &th.th_sum, &nk->addr[pd2.didx],
+					    nk->port[didx], 1, pd->af, nk->af);
 					m_copyback(pd2.m, pd2.off, 8, (c_caddr_t)&th);
 					PF_ACPY(pd->src,
 					    &nk->addr[pd2.sidx], nk->af);
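
Review bot: The two new pf_change_ap() calls pass &th.th_sum as the checksum to adjust, but the m_copyback(pd2.m, pd2.off, 8, (c_caddr_t)&th) that follows writes back only the first 8 bytes of th, which cover th_sport, th_dport and th_seq and stop short of th_sum. Whatever adjustment pf_change_ap() makes to th.th_sum is therefore discarded, and if th was filled from only those 8 bytes of the quoted inner header, the value being adjusted was never read from the packet in the first place. If that is intentional, a short comment above the calls saying so would save the next reader from hunting for the missing checksum write-back. The calls also index the address with pd2.sidx / pd2.didx but the port with sidx / didx; the removed lines already used nk->port[sidx], so this is probably deliberate, but it is worth a comment too. Finally, the subject and first paragraph of the log talk about inner UDP packets, while this hunk only touches the TCP header copy th; a sentence in the log stating that only the TCP case changes in this commit would make that clear.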


