Date: Thu, 5 Sep 2024 07:35:38 GMT
Message-Id: <202409050735.4857ZcFN037178@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 13bf8945c9b6 - releng/13.4 - pf: be less strict about icmp state checking for sloppy state tracking
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@FreeBSD.org
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.4
X-Git-Reftype: branch
X-Git-Commit: 13bf8945c9b61aae587529a10646c589835f0c41

The branch releng/13.4 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=13bf8945c9b61aae587529a10646c589835f0c41

commit 13bf8945c9b61aae587529a10646c589835f0c41
Author:     Kristof Provost
AuthorDate: 2024-08-26 14:44:20 +0000
Commit:     Kristof Provost
CommitDate: 2024-09-05 07:35:03 +0000

    pf: be less strict about icmp state checking for sloppy state tracking

    Sloppy state tracking renders ICMP direction check useless and harmful
    as we might see only half of the connection in the asymmetric setups
    but ignore the state match.

    The bug was reported and fix was verified by Insan Praja. Thanks!

    OK mcbride, henning

    MFC after:      1 week
    Obtained from:  OpenBSD, mikeb, 538596657140
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5)
    (cherry picked from commit b4b8b2fc9bd25d10eab0afdbd06a7ef8735b7b6b)

    Approved-by:    re (cperciva)
---
 sys/netpfil/pf/pf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 0991cd39f332..9c1aa4d0a77a 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c
@@ -6089,6 +6089,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, STATE_LOOKUP(kif, key, direction, *state, pd); + if ((*state)->state_flags & PFSTATE_SLOPPY) + return (-1); + /* Is this ICMP message flowing in right direction? */ if ((*state)->rule.ptr->type && (((!inner && (*state)->direction == direction) ||
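
Review bot: The new PFSTATE_SLOPPY early return, placed directly after STATE_LOOKUP in pf_icmp_state_lookup(), carries no comment, while the direction check it bypasses has one ("Is this ICMP message flowing in right direction?"). Please add a one-line comment stating that sloppy states skip the direction check because an asymmetric setup may only see half of the exchange, and say what return (-1) signals to the caller, since the bare -1 is not self-explanatory from this hunk. The return also skips everything that follows in the function, not just the direction test, and the hunk shows only the start of that test; it is worth confirming that nothing else after this point is still meant to run for sloppy states, because this relaxes ICMP validation for every state that has the flag set.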