authorKristof Provost <kp@FreeBSD.org>2025-01-07 14:17:51 +0000
committerKristof Provost <kp@FreeBSD.org>2025-01-14 08:54:18 +0000
commit37101926c920e9fd9b7d89b1ed480103305be4c4 (patch)
tree80ad7465f01c2f7ddc2994a8f036713473649a61
parent0d68985b0170f704ee45dfb6c209cc852870d2c2 (diff)
pf improve the icmp direction check
Deal correctly with af-to states (there is only one state and its direction is always PF_IN). ok mcbride, claudio on previous version, ok henning, "looks good" deraadt We deviate from the OpenBSD change in that we don't include the "don't exclude icmp echo replies from the test." part of the commit. This is a user-visible behaviour change, and is likely to break existing configurations. For example, it breaks the netpfil/common/dummynet:pf_queue tests. Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, b96cc44e9e Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r--sys/netpfil/pf/pf.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index dd337c0aef93..bee5690e02c4 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7679,9 +7679,14 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
return (-1);
/* Is this ICMP message flowing in right direction? */
+ if ((*state)->key[PF_SK_WIRE]->af != (*state)->key[PF_SK_STACK]->af)
+ direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ?
+ PF_IN : PF_OUT;
+ else
+ direction = (*state)->direction;
if ((*state)->rule->type &&
- (((!inner && (*state)->direction == direction) ||
- (inner && (*state)->direction != direction)) ?
+ (((!inner && direction == pd->dir) ||
+ (inner && direction != pd->dir)) ?
PF_IN : PF_OUT) != icmp_dir) {
if (V_pf_status.debug >= PF_DEBUG_MISC) {
printf("pf: icmp type %d in wrong direction (%d): ",