The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=b822e3fab468ffbe941d0758d960e1aa46069a38

commit b822e3fab468ffbe941d0758d960e1aa46069a38
Author:     Kristof Provost <[email protected]>
AuthorDate: 2024-08-26 14:44:20 +0000
Commit:     Kristof Provost <[email protected]>
CommitDate: 2024-09-04 08:38:15 +0000

    pf: be less strict about icmp state checking for sloppy state tracking
    
    Sloppy state tracking renders the ICMP direction check useless
    and harmful, as we might see only half of the connection in
    asymmetric setups but ignore the state match.  The bug
    was reported and the fix was verified by Insan Praja <insan ()
    ims-solusi ! com>.  Thanks!  OK mcbride, henning
    
    MFC after:      1 week
    Obtained from:  OpenBSD, mikeb <[email protected]>, 538596657140
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5)
---
 sys/netpfil/pf/pf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 5d492394eb87..e94856b011bf 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6690,6 +6690,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct 
pf_pdesc *pd,
 
        STATE_LOOKUP(kif, key, *state, pd);
 
+       if ((*state)->state_flags & PFSTATE_SLOPPY)
+               return (-1);
+
        /* Is this ICMP message flowing in right direction? */
        if ((*state)->rule.ptr->type &&
            (((!inner && (*state)->direction == direction) ||
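Review bot: the bare `return (-1);` added before the direction check reads like an error code at first glance, and nothing in the hunk says why a sloppy state bypasses the check that follows; a one-line comment above the new `if` would make the intent reviewable without the commit message, e.g. `/* Sloppy state: direction is unreliable on asymmetric paths, skip the check. */`. It would also be worth stating in that comment that the early return deliberately skips only the direction validation and not the STATE_LOOKUP above it, so a later reader does not mistake it for a "state not found" path.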
