The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=37101926c920e9fd9b7d89b1ed480103305be4c4
commit 37101926c920e9fd9b7d89b1ed480103305be4c4
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-01-07 14:17:51 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-01-14 08:54:18 +0000

    pf improve the icmp direction check

    Deal correctly with af-to states (there is only one state and its direction is always PF_IN).

    ok mcbride, claudio on previous version, ok henning, "looks good" deraadt

    We deviate from the OpenBSD change in that we don't include the "don't exclude icmp echo replies from the test." part of the commit. This is a user-visible behaviour change, and is likely to break existing configurations. For example, it breaks the netpfil/common/dummynet:pf_queue tests.

    Obtained from:  OpenBSD, mikeb <mi...@openbsd.org>, b96cc44e9e
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index dd337c0aef93..bee5690e02c4 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7679,9 +7679,14 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd, return (-1); /* Is this ICMP message flowing in right direction? */ + if ((*state)->key[PF_SK_WIRE]->af != (*state)->key[PF_SK_STACK]->af) + direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ? + PF_IN : PF_OUT; + else + direction = (*state)->direction; if ((*state)->rule->type && - (((!inner && (*state)->direction == direction) || - (inner && (*state)->direction != direction)) ? + (((!inner && direction == pd->dir) || + (inner && direction != pd->dir)) ? PF_IN : PF_OUT) != icmp_dir) { if (V_pf_status.debug >= PF_DEBUG_MISC) { printf("pf: icmp type %d in wrong direction (%d): ",
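Review bot: the hunk assigns to `direction` whose declaration is outside the visible context; the old condition compared `(*state)->direction` against `direction`, so if `direction` is still the function's parameter it is now overwritten before its first use (its role in the comparison has moved to `pd->dir`) and is effectively dead for the callers. Consider giving the derived state direction its own local (a `state_dir`, say) and either dropping the parameter at the call sites or documenting why it stays. The af-to branch picks `PF_IN` when `pd->af` matches the wire key's family and `PF_OUT` otherwise, which encodes the assumption from the commit message that af-to states are always created with direction PF_IN; a one-line comment above the new `if` stating that assumption, and that the OpenBSD "don't exclude icmp echo replies" part was deliberately left out because it breaks existing configurations (netpfil/common/dummynet:pf_queue), would keep a future sync with OpenBSD from silently reintroducing the behaviour change.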