git: 13bf8945c9b6 - releng/13.4 - pf: be less strict about icmp state checking for sloppy state tracking

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Thu, 05 Sep 2024 07:35:38 UTC
The branch releng/13.4 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=13bf8945c9b61aae587529a10646c589835f0c41

commit 13bf8945c9b61aae587529a10646c589835f0c41
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-08-26 14:44:20 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-09-05 07:35:03 +0000

    pf: be less strict about icmp state checking for sloppy state tracking
    
    Sloppy state tracking renders the ICMP direction check useless
    and harmful, as we might see only half of the connection in
    asymmetric setups but ignore the state match.  The bug
    was reported and the fix was verified by Insan Praja <insan ()
    ims-solusi ! com>.  Thanks!  OK mcbride, henning
    
    MFC after:      1 week
    Obtained from:  OpenBSD, mikeb <mikeb@openbsd.org>, 538596657140
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5)
    (cherry picked from commit b4b8b2fc9bd25d10eab0afdbd06a7ef8735b7b6b)
    
    Approved-by:    re (cperciva)
---
 sys/netpfil/pf/pf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 0991cd39f332..9c1aa4d0a77a 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6089,6 +6089,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
 
 	STATE_LOOKUP(kif, key, direction, *state, pd);
 
+	if ((*state)->state_flags & PFSTATE_SLOPPY)
+		return (-1);
+
 	/* Is this ICMP message flowing in right direction? */
 	if ((*state)->rule.ptr->type &&
 	    (((!inner && (*state)->direction == direction) ||
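Review bot: the new early return above the "Is this ICMP message flowing in right direction?" comment needs a one-line comment of its own, because a bare `return (-1)` reads like an error at this point and the hunk does not show what -1 means for this function's callers; suggest `/* Sloppy states may be seen from only one side (asymmetric routing), so skip the direction check. */` directly above `if ((*state)->state_flags & PFSTATE_SLOPPY)`. Placing the check after `STATE_LOOKUP(kif, key, direction, *state, pd);` is the right spot, since `*state` is only dereferenceable once the lookup has produced a state. One consequence worth stating in the comment as well: the early return skips not only the direction test but also whatever diagnostic output that test produces, so a sloppy state that sees ICMP in the "wrong" direction will no longer show up in debug logs; that is the intended relaxation for rules that opt in with the sloppy option, but operators relying on those messages when diagnosing asymmetric paths should know they disappear for such states.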