Date: Fri, 27 Jun 2025 11:13:10 GMT
Message-Id: <202506271113.55RBDARW098868@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: e7abf8829d8d - main - pf: fix ICMP ECHO handling of ID conflicts
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=e7abf8829d8d496a8753946f67fb2016851b4f7c

commit e7abf8829d8d496a8753946f67fb2016851b4f7c
Author:     Damir Bikmuhametov
AuthorDate: 2025-06-26 17:26:14 +0000
Commit:     Kristof Provost
CommitDate: 2025-06-27 11:12:44 +0000

    pf: fix ICMP ECHO handling of ID conflicts

    After applying FreeBSD-SA-24:05.pf, a problem with ICMP ECHO passing
    through PF NAT was raised: two or more Windows workstations cannot ping
    the same destination address at the same time. More precisely, only one
    workstation pings normally, while the pings of the others are rejected
    by the packet filter.

    The thing is that Windows always uses the same ICMP ID (1). Therefore,
    the state is created only for the workstation that started pinging
    earlier.

    In the pf_get_sport() function, we compare *nport with the ICMP_ECHO
    constant, while icmptype (virtual_type actually) is passed in the
    pd->ndport parameter.

    MFC after: 2 weeks
    Reviewed by: kp
---
 sys/netpfil/pf/pf_lb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 4a40ef6b845a..5e7865e4fac5 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c 
@@ -348,7 +348,7 @@ pf_get_sport(struct pf_pdesc *pd, struct pf_krule *r, goto failed; if (pd->proto == IPPROTO_ICMP) { - if (*nport == htons(ICMP_ECHO)) { + if (pd->ndport == htons(ICMP_ECHO)) { low = 1; high = 65535; } else @@ -356,7 +356,7 @@ pf_get_sport(struct pf_pdesc *pd, struct pf_krule *r, } #ifdef INET6 if (pd->proto == IPPROTO_ICMPV6) { - if (*nport == htons(ICMP6_ECHO_REQUEST)) { + if (pd->ndport == htons(ICMP6_ECHO_REQUEST)) { low = 1; high = 65535; } else
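Review bot: In the first hunk (@@ -348, the IPPROTO_ICMP branch of pf_get_sport()), the test "pd->ndport == htons(ICMP_ECHO)" reads as a comparison of a destination port against an ICMP type, and only the commit message explains that pd->ndport carries the virtual type for ICMP. A short comment above the comparison stating that would keep a later reader from changing it back to *nport. The diffstat shows only sys/netpfil/pf/pf_lb.c changing, so this fix for a regression that followed FreeBSD-SA-24:05.pf lands without a test; a regression test with two hosts behind NAT pinging one destination with the same ICMP ID, the case from the commit message, would guard it.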
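Review bot: In the second hunk (@@ -356, the INET6 block), the comparison "pd->ndport == htons(ICMP6_ECHO_REQUEST)" is changed in the same way, but the commit message describes only the ICMP ECHO case seen with Windows workstations behind NAT. Please say in the message whether the ICMPv6 path was exercised or changed by analogy. The comment about pd->ndport holding the virtual type is needed here as well, since the two branches differ only in the protocol and the echo constant.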