[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)
Date: Tue, 27 Aug 2024 11:42:26 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #58 from Franco Fichtner <franco@opnsense.org> ---

I found these inconsistencies in the ported patches from OpenBSD:

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index ef488bad26d..c9180e877d5 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -1878,7 +1878,7 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type, */ *icmp_dir = PF_IN; *virtual_type = MLD_LISTENER_QUERY; - *virtual_id = 0; + *virtual_id = 0; /* XXX missing fake id */ break; } case MLD_MTRACE: @@ -1892,7 +1892,8 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type, *icmp_dir = PF_IN; case ND_NEIGHBOR_ADVERT: { *virtual_type = ND_NEIGHBOR_SOLICIT; - *virtual_id = 0; + *multi = PF_ICMP_MULTI_SOLICITED; + *virtual_id = 0; /* XXX missing fake id */ break; }

From early testing, however, it's not working any better with plugging back PF_ICMP_MULTI_SOLICITED only. I'm unsure about the mock id effect. But what I can say is that it's better to skip dealing with PF_ICMP_MULTI_SOLICITED as OpenBSD did in 2012 too:

https://github.com/openbsd/src/commit/2633ae8c4c8a64

Another patch from 2023 is relevant as well as it disables half the state tracking for unsolicited advertise cases:

https://github.com/openbsd/src/commit/49f39043a02d6
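Review bot: the first hunk (the MLD_LISTENER_QUERY case in pf_icmp_mapping, @@ -1878) only adds the `/* XXX missing fake id */` comment and leaves `*virtual_id = 0;` as it was, so the divergence from the OpenBSD original is recorded but not resolved; either set the virtual id the way the upstream patch does, or make the XXX marker name the upstream commit it refers to, so the next porter knows what is missing rather than just that something is. A comment-only change is also better kept out of the same patch as the functional change in the second hunk, so the behavioural change can be bisected on its own.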
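Review bot: the second hunk (the ND_NEIGHBOR_ADVERT case, @@ -1892) inserts `*multi = PF_ICMP_MULTI_SOLICITED;` into a case body that is also reached by fallthrough from the preceding case (the context shows `*icmp_dir = PF_IN;` immediately followed by `case ND_NEIGHBOR_ADVERT:`), so both the solicitation path and the advertisement path now get the multi flag, and that widening needs to be intentional. The comment itself reports that plugging PF_ICMP_MULTI_SOLICITED back in did not improve behaviour in testing and that OpenBSD dropped it in 2633ae8c4c8a64, so the safer change is to leave this line out rather than reintroduce it; if the shared case body is kept, a `/* FALLTHROUGH */` marker on the preceding case and a regression test covering ICMP6 neighbour discovery state creation in both directions (the ping and traceroute failures this bug reports) should accompany the merge.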