From nobody Tue Jan 14 10:37:50 2025
Date: Tue, 14 Jan 2025 10:37:50 GMT
Message-Id: <202501141037.50EAboQl047943@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 37101926c920 - main - pf improve the icmp direction check
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 37101926c920e9fd9b7d89b1ed480103305be4c4
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=37101926c920e9fd9b7d89b1ed480103305be4c4

commit 37101926c920e9fd9b7d89b1ed480103305be4c4
Author:     Kristof Provost
AuthorDate: 2025-01-07 14:17:51 +0000
Commit:     Kristof Provost
CommitDate: 2025-01-14 08:54:18 +0000

    pf improve the icmp direction check

    Deal correctly with af-to states (there is only one state and its
    direction is always PF_IN).

    ok mcbride, claudio on previous version, ok henning, "looks good" deraadt

    We deviate from the OpenBSD change in that we don't include the
    "don't exclude icmp echo replies from the test." part of the commit.
    This is a user-visible behaviour change, and is likely to break
    existing configurations. For example, it breaks the
    netpfil/common/dummynet:pf_queue tests.

    Obtained from:  OpenBSD, mikeb, b96cc44e9e
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index dd337c0aef93..bee5690e02c4 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c 
@@ -7679,9 +7679,14 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, return (-1); /* Is this ICMP message flowing in right direction? */ + if ((*state)->key[PF_SK_WIRE]->af != (*state)->key[PF_SK_STACK]->af) + direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ? + PF_IN : PF_OUT; + else + direction = (*state)->direction; if ((*state)->rule->type && - (((!inner && (*state)->direction == direction) || - (inner && (*state)->direction != direction)) ? + (((!inner && direction == pd->dir) || + (inner && direction != pd->dir)) ? PF_IN : PF_OUT) != icmp_dir) { if (V_pf_status.debug >= PF_DEBUG_MISC) { printf("pf: icmp type %d in wrong direction (%d): ",
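
Review bot: The new if/else at the top of the hunk assigns to `direction`, the same variable the removed lines compared against `(*state)->direction`, so its meaning flips: it now carries the state-side direction while `pd->dir` takes over the other side of the comparison. Any code after this block that still reads `direction` will see the overwritten value, which is worth confirming in the rest of pf_icmp_state_lookup(); a separate local (for example `state_dir`, a hypothetical name) would avoid the ambiguity and make `state_dir == pd->dir` easier to audit. The address-family test `(*state)->key[PF_SK_WIRE]->af != (*state)->key[PF_SK_STACK]->af` also has no comment. The commit message explains that af-to has only one state whose direction is always PF_IN, and a one-line comment above the test would keep that reasoning with the code. The deviation from the OpenBSD change described in the commit message likewise leaves no marker in the visible lines; a short note at this check would help whoever imports the next upstream change here.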