Date: Wed, 4 Sep 2024 08:53:33 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: b4b8b2fc9bd2 - stable/13 - pf: be less strict about icmp state checking for sloppy state tracking Message-ID: <202409040853.4848rXgT005824@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=b4b8b2fc9bd25d10eab0afdbd06a7ef8735b7b6b commit b4b8b2fc9bd25d10eab0afdbd06a7ef8735b7b6b Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2024-08-26 14:44:20 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2024-09-04 08:53:06 +0000 pf: be less strict about icmp state checking for sloppy state tracking Sloppy state tracking renders ICMP direction check useless and harmful as we might see only half of the connection in the asymmetric setups but ignore the state match. The bug was reported and fix was verified by Insan Praja <insan () ims-solusi ! com>. Thanks! OK mcbride, henning MFC after: 1 week Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 538596657140 Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5) --- sys/netpfil/pf/pf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index ef6a2bd7de40..db7d8659baec 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6098,6 +6098,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, STATE_LOOKUP(kif, key, direction, *state, pd); + if ((*state)->state_flags & PFSTATE_SLOPPY) + return (-1); + /* Is this ICMP message flowing in right direction? */ if ((*state)->rule.ptr->type && (((!inner && (*state)->direction == direction) ||
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202409040853.4848rXgT005824>