git: e854c92f30aa - releng/14.0 - pf: be less strict about icmp state checking for sloppy state tracking
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 19 Sep 2024 13:03:29 UTC
The branch releng/14.0 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=e854c92f30aa96a8a3a7f8edd8be9e5ba8a20deb
commit e854c92f30aa96a8a3a7f8edd8be9e5ba8a20deb
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-08-26 14:44:20 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-09-19 12:58:44 +0000
pf: be less strict about icmp state checking for sloppy state tracking
Sloppy state tracking renders ICMP direction check useless
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match. The bug
was reported and fix was verified by Insan Praja <insan ()
ims-solusi ! com>. Thanks! OK mcbride, henning
Approved by: so
Security: FreeBSD-EN-24:16.pf
MFC after: 1 week
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 538596657140
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5)
(cherry picked from commit b822e3fab468ffbe941d0758d960e1aa46069a38)
---
sys/netpfil/pf/pf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 49bfefa2b6ed..5a7a6563d355 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6175,6 +6175,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
STATE_LOOKUP(kif, key, *state, pd);
+ if ((*state)->state_flags & PFSTATE_SLOPPY)
+ return (-1);
+
/* Is this ICMP message flowing in right direction? */
if ((*state)->rule.ptr->type &&
(((!inner && (*state)->direction == direction) ||