[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 05 Sep 2024 07:36:17 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #79 from commit-hook@FreeBSD.org ---
A commit in branch releng/13.4 references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=d3ee2188686dce00083ba382c1a773d4e293b242

commit d3ee2188686dce00083ba382c1a773d4e293b242
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-08-26 12:59:38 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-09-05 07:34:26 +0000

    pf: improve the ICMPv6 direction check

    Following bluhm's advice this changes the way we set up state keys and
    perform state lookups for ICMPv6 Neighbor Discovery packets:
      - replace the NS-dst with ND target address;
      - replace the NA-src with ND target address;
      - replace the NA-dst with unspecified address if it is a multicast.

    This allows pf to match Address Resolution, Neighbor Unreachability
    Detection and Duplicate Address Detection packets to the corresponding
    states without the need to create new ones or match unrelated ones.
    As a side effect we're now doing one state table lookup for ND packets
    instead of two.

    Fixes a bug uncovered by one of the previous commits that virtually
    breaks IPv6 connectivity after a few minutes of use.

    ok stsp henning, with and ok bluhm

    PR:             280701
    MFC after:      1 week
    Obtained from:  OpenBSD, mikeb <mikeb@openbsd.org>, 2633ae8c4c8a
    Sponsored by:   Rubicon Communications, LLC ("Netgate")

    (cherry picked from commit 5ab1e5f7e5585558a73b723f07528977a82cee82)
    (cherry picked from commit b84344206721ed2803d5da68585289d5880efe3f)

    Approved-by:    re (cperciva)

 sys/net/pfvar.h        |   2 +-
 sys/netpfil/pf/pf.c    | 116 ++++++++++++++++++++++++++++++++++---------------
 sys/netpfil/pf/pf_lb.c |   2 +-
 3 files changed, 84 insertions(+), 36 deletions(-)
