The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b8e53844388269d87f26b106d538dcf07148bd31

commit b8e53844388269d87f26b106d538dcf07148bd31
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2024-12-06 14:29:11 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2024-12-17 10:07:13 +0000

    pf: drop packets if they fail nat64 translation
    
    If we can't map ICMPv4 onto ICMPv6 or vice versa, drop the packet rather than
    continuing with an untranslated packet.
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 234cbc0854be..4c1111c6106a 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5893,6 +5893,7 @@ nextrule:
                nat64 = pd->af != pd->naf;
                if (nat64) {
                        struct pf_state_key     *_sk;
+                       int                      ret;
 
                        if (sk == NULL)
                                sk = (*sm)->key[pd->dir == PF_IN ? PF_SK_STACK 
: PF_SK_WIRE];
@@ -5902,12 +5903,17 @@ nextrule:
                                _sk = sk;
                        else
                                _sk = nk;
-                       rewrite += pf_translate(pd,
+
+                       ret = pf_translate(pd,
                            &_sk->addr[pd->didx],
                            _sk->port[pd->didx],
                            &_sk->addr[pd->sidx],
                            _sk->port[pd->sidx],
                            virtual_type, icmp_dir);
+                       if (ret < 0)
+                               goto cleanup;
+
+                       rewrite += ret;
                }
        } else {
                while ((ri = SLIST_FIRST(&match_rules))) {
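Review bot: The new `if (ret < 0) goto cleanup;` jumps to the function's common error label after the state has already been created, and on this path `sk` (and presumably `nk`) has just been re-pointed at `(*sm)->key[...]` — a key owned by the new state, per the `if (sk == NULL)` assignment in the previous hunk. The `cleanup` label is outside the hunk, but if it frees `sk`/`nk` as the pre-state-creation error paths require, this becomes a double free of a state key, and in any case the already-inserted state is left behind describing a flow that was never translated. Consider clearing the aliases before jumping, `if (ret < 0) { sk = nk = NULL; goto cleanup; }`, or better a dedicated drop path that also unlinks the just-created state; at minimum a comment at the `goto` should say why `cleanup` is safe to reach with these pointers. The enclosing function starts and ends outside the hunk.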
@@ -6288,7 +6294,7 @@ pf_translate(struct pf_pdesc *pd, struct pf_addr *saddr, 
u_int16_t sport,
 
                if (afto) {
                        if (pf_translate_icmp_af(AF_INET6, &pd->hdr.icmp))
-                               return (0);
+                               return (-1);
                        pd->proto = IPPROTO_ICMPV6;
                        rewrite = 1;
                }
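Review bot: Only the ICMPv4-to-ICMPv6 failure site (`pf_translate_icmp_af(AF_INET6, &pd->hdr.icmp)`) now returns -1, while the commit message promises "or vice versa" and the diffstat (8 insertions, 2 deletions) shows no second return-value change; if the IPPROTO_ICMPV6 case's `pf_translate_icmp_af(AF_INET, ...)` check, outside this hunk, still does `return (0)`, an untranslatable ICMPv6 packet would still pass through untranslated. The change also alters pf_translate's contract from "number of rewrites" to "number of rewrites, or -1", which its header comment should state: `/* Returns the number of header rewrites performed, or -1 if the address-family translation failed and the caller must drop the packet. */`. Any other caller that still does `rewrite += pf_translate(...)` needs the same `< 0` check, since adding -1 to the counter would silently mask the failure. pf_translate begins before this hunk and continues after it.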
