From nobody Thu Sep 19 13:02:57 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4X8bKZ3D83z5WYHt; Thu, 19 Sep 2024 13:02:58 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4X8bKY7314z4q05; Thu, 19 Sep 2024 13:02:57 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1726750978; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=h4dZjQCYLeNfxvIWMGtA1yVJWUwmqVM3HZdWzsXO740=; b=DZJ3D0lGh+YGIsLfpFfF/uOQ5veX0kbGJQ5ba/C6gAy7QkouMZAyWWct7GW8aSiDcVU2gA 2Fo5guTpwQURSOeDUmtMPOaU22sfx6Tv4/cqKwIr9BulOK/q7JHlf7pXM57Y3r0rah7eWW BI1l0f8xCIYx3Y+ntqqNlk5lmdRWQxHrCHB/SyPw8E8d21PPDd2btm5N+s9DnUK8WKpqHf 3svwtLQJrNWDGQrBIi/J9qvLEG1ePdtj/cnYz1nmXX1Ie18UlqqiMc+QYn/R/q0mT1VTP4 nE7lEUllvpWGnGRVWEdDQpBiBLAHnJI2JKE3sKT/dLWgmDGuHBLgFXF/dM6DXQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1726750978; a=rsa-sha256; cv=none; b=B+rZdEEr+J30sSoiXW8fhEnLDM55Eq3FwyuwbLbYEQzQgECFZh4Z/OpUVKe9Zh/jo6co5X kdYRQPcbvCasb2a796xZsh3vBkkZZ4sBZ12GYS2+JjfFYa5hpGnFRkpG0FKWCncDLtTlSs xU4X5IlTSZOTUfNtMcMTmUwJsf1bwf+Iuf2bXD1e3rjdp6CEuc6uqC+Mqi+gx9bXwLBCo+ Pa9fQ2BCEPGCtrBPtM/8HnlI8YRzEp19dES+2D7+Bcqml0hzdT1/4lG91yTaR97eOYPz5+ L2IxCIIP7PALjYjohcH9bMj56u4j+RVIs2KEZB/d3YN4OGtVWZ3jS7eBfRv3Lg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1726750978; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=h4dZjQCYLeNfxvIWMGtA1yVJWUwmqVM3HZdWzsXO740=; b=W4n3ciHcTqJ7znvjbNksreQ8oE2x/ukJCAKd9f89eJv3cnXvIod6Ga3cRJ7TXLkjwjyxHl 1VeGRQs5qHpXlvPk59CdSExKDeQCfdxTT4H7rCGMgBmdTT8sovvvUYh1TBfaRTSza8Ej4R W5nkLxiOa6JTtslvrAirSIN1Fqia/cFVaYBLd4F5+vH4qyVrz5bpNh0XI4WxhKS3/aUkdZ cuXVT6dP6ptn1F+aqgjMb10Ks8trmMf0Lf4fC7aP1JXHCcOm1pBJXIqWOOQ7sszAvkgA77 HjViViH9Wxkn9hw5rmaRuiCuDR4roWzM+ZUVRiE2gxqfA/saDdbjLZzhKZD1gg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4X8bKY6dkVz16Bf; Thu, 19 Sep 2024 13:02:57 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 48JD2vIN099787; Thu, 19 Sep 2024 13:02:57 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 48JD2vpw099784; Thu, 19 Sep 2024 13:02:57 GMT (envelope-from git) Date: Thu, 19 Sep 2024 13:02:57 GMT Message-Id: <202409191302.48JD2vpw099784@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 94c6c986f3c4 - releng/14.1 - pf: be less strict about icmp state checking for sloppy state tracking List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.1 X-Git-Reftype: branch X-Git-Commit: 94c6c986f3c4f2f9bef47b02659cfb2591d837cf Auto-Submitted: auto-generated The branch releng/14.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=94c6c986f3c4f2f9bef47b02659cfb2591d837cf commit 94c6c986f3c4f2f9bef47b02659cfb2591d837cf Author: Kristof Provost AuthorDate: 2024-08-26 14:44:20 +0000 Commit: Mark Johnston CommitDate: 2024-09-19 12:55:44 +0000 pf: be less strict about icmp state checking for sloppy state tracking Sloppy state tracking renders ICMP direction check useless and harmful as we might see only half of the connection in the asymmetric setups but ignore the state match. The bug was reported and fix was verified by Insan Praja . Thanks! OK mcbride, henning Approved by: so Security: FreeBSD-EN-24:16.pf MFC after: 1 week Obtained from: OpenBSD, mikeb , 538596657140 Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5) (cherry picked from commit b822e3fab468ffbe941d0758d960e1aa46069a38) --- sys/netpfil/pf/pf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index b057c75dc51c..ed278a5526be 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6666,6 +6666,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, STATE_LOOKUP(kif, key, *state, pd); + if ((*state)->state_flags & PFSTATE_SLOPPY) + return (-1); + /* Is this ICMP message flowing in right direction? */ if ((*state)->rule.ptr->type && (((!inner && (*state)->direction == direction) ||