Date: Wed, 4 Sep 2024 08:53:33 GMT
Message-Id: <202409040853.4848rXgT005824@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: b4b8b2fc9bd2 - stable/13 - pf: be less strict about icmp state checking for sloppy state tracking
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: b4b8b2fc9bd25d10eab0afdbd06a7ef8735b7b6b

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=b4b8b2fc9bd25d10eab0afdbd06a7ef8735b7b6b

commit b4b8b2fc9bd25d10eab0afdbd06a7ef8735b7b6b
Author:     Kristof Provost
AuthorDate: 2024-08-26 14:44:20 +0000
Commit:     Kristof Provost
CommitDate: 2024-09-04 08:53:06 +0000

    pf: be less strict about icmp state checking for sloppy state tracking

    Sloppy state tracking renders ICMP direction check useless and harmful
    as we might see only half of the connection in the asymmetric setups
    but ignore the state match.

    The bug was reported and fix was verified by Insan Praja. Thanks!

    OK mcbride, henning

    MFC after:      1 week
    Obtained from:  OpenBSD, mikeb, 538596657140
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5)

--- sys/netpfil/pf/pf.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index ef6a2bd7de40..db7d8659baec 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c
@@ -6098,6 +6098,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, STATE_LOOKUP(kif, key, direction, *state, pd); + if ((*state)->state_flags & PFSTATE_SLOPPY) + return (-1); + /* Is this ICMP message flowing in right direction? */ if ((*state)->rule.ptr->type && (((!inner && (*state)->direction == direction) ||
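
Review bot: The early `return (-1)` added right after `STATE_LOOKUP` in `pf_icmp_state_lookup()` carries no comment, while the check it bypasses is introduced by "Is this ICMP message flowing in right direction?". Add a one-line comment above the `PFSTATE_SLOPPY` test saying that sloppy states skip the direction check because an asymmetric setup may see only half of the connection, and stating what `-1` tells the caller, since neither is visible from this hunk. The test keys only on the state flag, so it skips the condition below for both the `inner` and non-`inner` cases; the sloppy-state documentation should say that ICMP direction is no longer validated for those states, so operators who enable sloppy tracking know which check they are giving up.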