From nobody Thu Sep 19 13:03:29 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4X8bL95kTMz5WY8b; Thu, 19 Sep 2024 13:03:29 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4X8bL92NmRz4rFN; Thu, 19 Sep 2024 13:03:29 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1726751009; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=W32ZUwLf5E5jq4JA+3OriNmX/EUH23WCkeq2sAkpirA=; b=tJPvqB3pJ6EOs9G+Cm4yrwaeSd8qv03LPE+0yFeJKYMKG2AWpgi5dKN66V5Jx/wxfgiOPx ppE/qQNXQqqbMonSznEp1L5LgwwB3ppwIS9CgQBfIh8BPuAVIBURzVTxyML7Ye5AL5l2st 2Sq0J6Km3DY6xi7+G1qV44hdKDFs29WSjHLgntPfWbeC69CHKI5OuLuRSMwD8ii4aFBl2s IpBml5CHbc/rWUdp165W3Cwy9jFiLBE/fkXX0fkZePK5IRN+Ygw9wWRSFc5IpJBkBa66YU uScOYfiWwvhO12YeRsA1FQeo0XcR55qulBRz7qbCnmL/JbNtETxxuPCUx1/InQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1726751009; a=rsa-sha256; cv=none; b=aTHVbQ/5kKe4IXcOg/zz4JsNxFKbIP8kGQhqH15a/eW50zz81ylGjg3nD8g06JSWtGpgCx svmEHspDjPmTqYCDIKVrshMwMIOs2BmRiTJA6n1oPJzww7z69YYzbUgmTaX/UvkIYpgUjX kafLU6V8Nd6V3xnT9+3QPu4HJCz70axczMi1ywKf8OBoU06NQAqVNsXuKWCj9yNvUkmPTk aftzG/WyNUV2/ajEUdWc8mPbXqr4J3iukW24kZ5e22vZ9c/VTcS6e3qIT3uQuAjwo/0Blt 3LAIK/G5d4YmjyltnexrpKnMEwDQbVqpB7og53Eo1aoFot5/AkzAOaR37G6jEQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1726751009; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=W32ZUwLf5E5jq4JA+3OriNmX/EUH23WCkeq2sAkpirA=; b=wq5Sf0NesUoJZQHQG8vkeGnQFqPIpIEoow6scbCKLwNFNCt/Vp9erYx9r7FcqKdOs9irQF kptirDJIm0Yj9Buwqtwr5crW00Q7mcVVW4nSybqSkXqknE/ox9c9YVgQSScE+TZMrI2pAb fj7CO1j/WcMjVzo3xjVCyb+4/QRP0qK460rZanrKoh09htbjQ0oQtkW8/H03IF28UdJMgT wk4vFW0xUxye6OnTaOcakmAoacLD5PY3euFujqTHxuU/QHtSeijAVjGTaEOa5Z9IsIl0NZ DVNbmfTNlzbexHXsBFKR/fs6Gex3OkVtOfbzqeqLZPI0b2DVturjr/mDrTpVMg== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4X8bL91zCMz15tq; Thu, 19 Sep 2024 13:03:29 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 48JD3T0u000411; Thu, 19 Sep 2024 13:03:29 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 48JD3TdU000407; Thu, 19 Sep 2024 13:03:29 GMT (envelope-from git) Date: Thu, 19 Sep 2024 13:03:29 GMT Message-Id: <202409191303.48JD3TdU000407@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: e854c92f30aa - releng/14.0 - pf: be less strict about icmp state checking for sloppy state tracking List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.0 X-Git-Reftype: branch X-Git-Commit: e854c92f30aa96a8a3a7f8edd8be9e5ba8a20deb Auto-Submitted: auto-generated The branch releng/14.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=e854c92f30aa96a8a3a7f8edd8be9e5ba8a20deb commit e854c92f30aa96a8a3a7f8edd8be9e5ba8a20deb Author: Kristof Provost AuthorDate: 2024-08-26 14:44:20 +0000 Commit: Mark Johnston CommitDate: 2024-09-19 12:58:44 +0000 pf: be less strict about icmp state checking for sloppy state tracking Sloppy state tracking renders ICMP direction check useless and harmful as we might see only half of the connection in the asymmetric setups but ignore the state match. The bug was reported and fix was verified by Insan Praja . Thanks! OK mcbride, henning Approved by: so Security: FreeBSD-EN-24:16.pf MFC after: 1 week Obtained from: OpenBSD, mikeb , 538596657140 Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5) (cherry picked from commit b822e3fab468ffbe941d0758d960e1aa46069a38) --- sys/netpfil/pf/pf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 49bfefa2b6ed..5a7a6563d355 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6175,6 +6175,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, STATE_LOOKUP(kif, key, *state, pd); + if ((*state)->state_flags & PFSTATE_SLOPPY) + return (-1); + /* Is this ICMP message flowing in right direction? */ if ((*state)->rule.ptr->type && (((!inner && (*state)->direction == direction) ||