| author | Kristof Provost <kp@FreeBSD.org> | 2024-08-26 14:44:20 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2024-09-01 15:05:29 +0000 |
| commit | 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5 (patch) | |
| tree | 12d4ad621af1ba776e9ab35eb97f637271a4d033 | |
| parent | b8cd169efa6ac0899b4998898129765ae5c685a6 (diff) | |
pf: be less strict about icmp state checking for sloppy state tracking
Sloppy state tracking renders ICMP direction check useless
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match. The bug
was reported and fix was verified by Insan Praja <insan ()
ims-solusi ! com>. Thanks! OK mcbride, henning
MFC after: 1 week
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 538596657140
Sponsored by: Rubicon Communications, LLC ("Netgate")
| -rw-r--r-- | sys/netpfil/pf/pf.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 94c333e67c57..e28bad8750f9 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6740,6 +6740,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, STATE_LOOKUP(kif, key, *state, pd); + if ((*state)->state_flags & PFSTATE_SLOPPY) + return (-1); + /* Is this ICMP message flowing in right direction? */ if ((*state)->rule.ptr->type && (((!inner && (*state)->direction == direction) || |
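Review bot: The new `PFSTATE_SLOPPY` branch, placed directly after `STATE_LOOKUP(kif, key, *state, pd);`, has no comment. Because it sits above the existing `/* Is this ICMP message flowing in right direction? */` comment, a reader of pf.c sees an unexplained `return (-1);` that bypasses the direction check for every ICMP message matching a sloppy state. Suggest a short comment above the `if` giving the reason from the commit message (with sloppy tracking, only half of the connection may be visible in asymmetric setups) and stating what the -1 return means to the caller at this point. The diffstat shows only sys/netpfil/pf/pf.c changed, so the relaxation is not documented for users. A follow-up noting in pf.conf(5) that sloppy states skip ICMP direction validation would let operators account for it when they choose that state policy.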
