author | Kristof Provost <kp@FreeBSD.org> | 2025-01-07 14:17:51 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2025-01-14 08:54:18 +0000 |
commit | 37101926c920e9fd9b7d89b1ed480103305be4c4 (patch) | |
tree | 80ad7465f01c2f7ddc2994a8f036713473649a61 | |
parent | 0d68985b0170f704ee45dfb6c209cc852870d2c2 (diff) |
pf improve the icmp direction check
Deal correctly with af-to states (there is only one state and its direction is
always PF_IN).
ok mcbride, claudio on previous version, ok henning, "looks good" deraadt
We deviate from the OpenBSD change in that we don't include the "don't exclude
icmp echo replies from the test." part of the commit. This is a user-visible
behaviour change, and is likely to break existing configurations. For example,
it breaks the netpfil/common/dummynet:pf_queue tests.
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, b96cc44e9e
Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r-- | sys/netpfil/pf/pf.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index dd337c0aef93..bee5690e02c4 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7679,9 +7679,14 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, return (-1); /* Is this ICMP message flowing in right direction? */ + if ((*state)->key[PF_SK_WIRE]->af != (*state)->key[PF_SK_STACK]->af) + direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ? + PF_IN : PF_OUT; + else + direction = (*state)->direction; if ((*state)->rule->type && - (((!inner && (*state)->direction == direction) || - (inner && (*state)->direction != direction)) ? + (((!inner && direction == pd->dir) || + (inner && direction != pd->dir)) ? PF_IN : PF_OUT) != icmp_dir) { if (V_pf_status.debug >= PF_DEBUG_MISC) { printf("pf: icmp type %d in wrong direction (%d): ", |
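Review bot: the new af-to branch derives `direction` from the address families with no comment explaining why, and it reuses the name `direction` for a value that now means the state's direction (compared against `pd->dir`) rather than whatever the caller passed in, since both branches of the new `if`/`else` overwrite it before the check. Suggest carrying the commit-message rationale into the code by extending the existing comment, e.g. `/* Is this ICMP message flowing in the right direction? For af-to states there is only one state and its direction is PF_IN from the wire-side address family, so derive it from pd->af. */`, and, if `direction` is still a parameter of pf_icmp_state_lookup, either removing it from the signature or documenting that the passed-in value is ignored here.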