Hello,
I'm sorry the diff against current does not compile. It's missing
a closing paren.
Sorry about that.
regards
sashan
On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote:
</snip>
> --------8<---------------8<---------------8<------------------8<--------
> diff --git a/sys/net/pf.c b/sys/net/pf.c
> index 4f0fc3f91a9..0993aed85fb 100644
> --- a/sys/net/pf.c
> +++ b/sys/net/pf.c
> @@ -4148,6 +4148,9 @@ enter_ruleset:
> (r->rule_flag & PFRULE_STATESLOPPY) == 0 &&
> ctx->icmp_dir != PF_IN),
> TAILQ_NEXT(r, entries));
> + /* icmp packet must match existing state */
> + PF_TEST_ATTRIB(r->keep_state && ctx->state_icmp,
> + TAILQ_NEXT(r, entries);
> break;
>
> case IPPROTO_ICMPV6:
>
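Review bot: The added PF_TEST_ATTRIB() invocation ends with "TAILQ_NEXT(r, entries);", which closes TAILQ_NEXT() but not the macro call itself, so this version of the hunk does not compile. The second argument needs one more closing parenthesis before the semicolon, matching the "TAILQ_NEXT(r, entries));" form of the context line just above the added comment.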
--------8<---------------8<---------------8<------------------8<--------
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -4148,6 +4148,9 @@ enter_ruleset:
(r->rule_flag & PFRULE_STATESLOPPY) == 0 &&
ctx->icmp_dir != PF_IN),
TAILQ_NEXT(r, entries));
+ /* icmp packet must match existing state */
+ PF_TEST_ATTRIB(r->keep_state && ctx->state_icmp,
+ TAILQ_NEXT(r, entries));
break;
case IPPROTO_ICMPV6:
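Review bot: The new keep_state/state_icmp test is added only at the end of the case that precedes "case IPPROTO_ICMPV6:", and nothing in this hunk shows an equivalent test for the ICMPv6 case; if ctx->state_icmp can also be set for ICMPv6 packets, the same PF_TEST_ATTRIB() line belongs there as well, otherwise the two protocols will be treated differently by keep_state rules. Unlike the test just above it, the new condition also makes no exception for PFRULE_STATESLOPPY rules, so it is worth confirming that this is intended. The comment "icmp packet must match existing state" would be clearer if it said that a keep_state rule is skipped for packets with ctx->state_icmp set, since that is what the condition expresses.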