Date: Sun, 1 Sep 2024 15:06:11 GMT
Message-Id: <202409011506.481F6BGK002658@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 3da3eb6081a2 - main - pf: be less strict about icmp state checking for sloppy state tracking
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5

commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5
Author:     Kristof Provost
AuthorDate: 2024-08-26 14:44:20 +0000
Commit:     Kristof Provost
CommitDate: 2024-09-01 15:05:29 +0000

    pf: be less strict about icmp state checking for sloppy state tracking

    Sloppy state tracking renders ICMP direction check useless and harmful
    as we might see only half of the connection in the asymmetric setups
    but ignore the state match.

    The bug was reported and fix was verified by Insan Praja .
    Thanks!

    OK mcbride, henning

    MFC after:      1 week
    Obtained from:  OpenBSD, mikeb , 538596657140
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 94c333e67c57..e28bad8750f9 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6740,6 +6740,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, STATE_LOOKUP(kif, key, *state, pd); + if ((*state)->state_flags & PFSTATE_SLOPPY) + return (-1); + /* Is this ICMP message flowing in right direction? */ if ((*state)->rule.ptr->type && (((!inner && (*state)->direction == direction) ||
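
Review bot: The new early return placed just above the "Is this ICMP message flowing in right direction?" check in pf_icmp_state_lookup() carries no comment, so the reason sloppy states bypass that check is recorded only in the commit message. A one-line comment above `if ((*state)->state_flags & PFSTATE_SLOPPY)` stating that sloppy tracking may see only one half of an asymmetric flow, which makes the direction test meaningless, would keep the rationale next to the code. The `return (-1)` also leaves the function before the whole block guarded by `(*state)->rule.ptr->type && ...`, and that block's body is not visible in this hunk; it is worth confirming that nothing in it beyond the direction rejection is still wanted for sloppy states, and that -1 is the value callers treat as "state matched, continue".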