authorKristof Provost <kp@FreeBSD.org>2024-12-06 14:29:11 +0000
committerKristof Provost <kp@FreeBSD.org>2024-12-17 10:07:13 +0000
commitb8e53844388269d87f26b106d538dcf07148bd31 (patch)
tree7f663143ebb664527fa7befe9afd240927191d8a
parentd89a5d853e2bd86490268b55ecdc7e77fefc4ba9 (diff)
pf: drop packets if they fail nat64 translation
If we can't map ICMPv4 onto ICMPv6 or vice versa, drop the packet rather than continuing with an untranslated packet.

Sponsored by: Rubicon Communications, LLC ("Netgate")
-rw-r--r--sys/netpfil/pf/pf.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 234cbc0854be..4c1111c6106a 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5893,6 +5893,7 @@ nextrule:
nat64 = pd->af != pd->naf;
if (nat64) {
struct pf_state_key *_sk;
+ int ret;
if (sk == NULL)
sk = (*sm)->key[pd->dir == PF_IN ? PF_SK_STACK : PF_SK_WIRE];
@@ -5902,12 +5903,17 @@ nextrule:
_sk = sk;
else
_sk = nk;
- rewrite += pf_translate(pd,
+
+ ret = pf_translate(pd,
&_sk->addr[pd->didx],
_sk->port[pd->didx],
&_sk->addr[pd->sidx],
_sk->port[pd->sidx],
virtual_type, icmp_dir);
+ if (ret < 0)
+ goto cleanup;
+
+ rewrite += ret;
}
} else {
while ((ri = SLIST_FIRST(&match_rules))) {
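Review bot: The `goto cleanup` added after the pf_translate() call jumps out after the state has already been created and inserted in *sm, and after sk/nk have been re-pointed at (*sm)->key[...] a few lines earlier, so whether this exit is safe depends on what the cleanup label does with sk, nk and *sm, which is outside this hunk. If that label releases sk and nk, as the earlier pre-state failure paths presumably expect, those keys are by now owned by the inserted state and would be freed out from under it, and the state itself would remain in the table for a packet that is being dropped; if so the exit should look more like `if (ret < 0) { sk = nk = NULL; goto cleanup; }` together with explicit removal of the new state, or a dedicated label that only unlinks the state. Independently, a comment at the new check such as `/* pf_translate() returns -1 when the ICMP header cannot be mapped across address families; drop rather than forward untranslated */` would make the `ret < 0` contract visible, since the only negative return is the one introduced in the pf_translate() hunk below and any other caller of pf_translate() that still does `rewrite += pf_translate(...)` would now silently decrement rewrite. pf_test_rule starts and ends outside this hunk.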
@@ -6288,7 +6294,7 @@ pf_translate(struct pf_pdesc *pd, struct pf_addr *saddr, u_int16_t sport,
if (afto) {
if (pf_translate_icmp_af(AF_INET6, &pd->hdr.icmp))
- return (0);
+ return (-1);
pd->proto = IPPROTO_ICMPV6;
rewrite = 1;
}