From nobody Thu Sep 19 13:04:04 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4X8bLs0yZYz5WYch; Thu, 19 Sep 2024 13:04:05 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4X8bLr6mNkz4srG; Thu, 19 Sep 2024 13:04:04 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1726751045; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kDNpwgeRgahfzVunSI+q7JcNUkVgAzHyW8Kwdqi5ljU=; b=awg73G8DYl6+4OmbgXy37JddovVEz0P9q80s3IdaCYEXH34xB/j1oVwfI39JRlrFmwW5s/ U2P57bWw0uNU9ABi0o/zXJNok3axkAc9uh5tKrUVuKyuEGnghNa4oe8O0jrWctNtMcHL4+ bFs9xxnB5AuiD/3+ZfoBymThXRdUnqBDTminBUvdRphzCbPhkOSOMq8dkr22V2b1dpzgRK b0Z6UIqE6eOcaGyCvpA9YdSTS7pVEbC1p2/R/A8xRbAVgBZyMf4paAaQfL3DISGFpaqfzY Z+xrDVxBe2rGrUYoygqYG0fOGQkcsiNc6mya3kF3vCaz9KNDyEFKSXMSXTz1yA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1726751045; a=rsa-sha256; cv=none; b=vKBV1umNBs+5TWnB0J3OU9b52IJGoFn0tXgQhpBvP47fdqHY9LdtAMvEl67AjdLPYqKgjv ieufOnLcLZXBPBfGQw4+N272lxv4mMid+adhdLmmtDT+yjKgJyZVcH61hRFqUcHOWQ3Gaa GWA9qqZxavRtWIbAa4BuCQsXDv7I8H0b9N+jKImXB5+gVYHew9eEm0j23+7Hbd4OCgXpKG r+gAuncwbwzRDSOux/rzuHysd+B1iyDDtvZWtY0nQxJ7VuzBwrFl+PBgdsDGGe9iyG9B++ +JF0y12DiMyPQiVvnW/v4MRIk3lZMBc+CfwnzxJLQtZCF2fDlGiWpv2Z1Bof+w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1726751045; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=kDNpwgeRgahfzVunSI+q7JcNUkVgAzHyW8Kwdqi5ljU=; b=CWhmH9m1wcIjCTAXCwAistpibpuPmD2KlP2/Z1k6voA+LAtl2/AidxkTSnPkjmuWpnryQJ v9EZMFS/+OCkHQfZ1zedggfZdat6/3kMpejjC1To0dwb7AQoTXbNczrZQVnMuBkcEf8OKp afKznGmMxCq5vrMqMhpI5vb4Rp2pbynE4rtI0mxpd/q9jETMukyw6OUZe5Wmg/+aw8Aybi F85XOg7Eq/ysaOtumbfIrYUjV1rovvdkGYjSQCdaMvOoeZZ3pJEehDHPuS9WkZAhGHvoc+ BrKHi/OltejzSi9knoO/DvlidqwZkVpOAascQL+F6qR21Av82pwP0ObWzyMUGQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4X8bLr6NFgz168W; Thu, 19 Sep 2024 13:04:04 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 48JD440L001087; Thu, 19 Sep 2024 13:04:04 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 48JD44kb001084; Thu, 19 Sep 2024 13:04:04 GMT (envelope-from git) Date: Thu, 19 Sep 2024 13:04:04 GMT Message-Id: <202409191304.48JD44kb001084@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: aca9955aec8f - releng/13.3 - pf: be less strict about icmp state checking for sloppy state tracking List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/13.3 X-Git-Reftype: branch X-Git-Commit: aca9955aec8f339c003d977e113594d99be153f8 Auto-Submitted: auto-generated The branch releng/13.3 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=aca9955aec8f339c003d977e113594d99be153f8 commit aca9955aec8f339c003d977e113594d99be153f8 Author: Kristof Provost AuthorDate: 2024-08-26 14:44:20 +0000 Commit: Mark Johnston CommitDate: 2024-09-19 13:01:36 +0000 pf: be less strict about icmp state checking for sloppy state tracking Sloppy state tracking renders ICMP direction check useless and harmful as we might see only half of the connection in the asymmetric setups but ignore the state match. The bug was reported and fix was verified by Insan Praja . Thanks! OK mcbride, henning Approved by: so Security: FreeBSD-EN-24:16.pf MFC after: 1 week Obtained from: OpenBSD, mikeb , 538596657140 Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5) (cherry picked from commit b4b8b2fc9bd25d10eab0afdbd06a7ef8735b7b6b) --- sys/netpfil/pf/pf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index ecad3c274d74..100302ab2ca5 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6075,6 +6075,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, STATE_LOOKUP(kif, key, direction, *state, pd); + if ((*state)->state_flags & PFSTATE_SLOPPY) + return (-1); + /* Is this ICMP message flowing in right direction? */ if ((*state)->rule.ptr->type && (((!inner && (*state)->direction == direction) ||