The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=25dbba4fc6e152a05e091180b2e031ab495ba337

commit 25dbba4fc6e152a05e091180b2e031ab495ba337
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-02-10 15:33:18 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-02-13 12:38:44 +0000

    pf: improve UDP-in-ICMP handling
    
    Translate port numbers for inner udp packets when they're returned
    as a payload of icmp error messages. Makes traceroute6 operate
    across a nat64 gateway.
    
    prompted by sthen, ok henning
    
    Previous udp port number rewrite fix turned out to be a workaround for
    the incorrect pf_change_ap call. While here make the tcp case use
    pf_change_ap since it shares the same properties.  ok henning
    
    Obtained from:  OpenBSD, mikeb <mi...@openbsd.org>, 7a304f30d6
    Obtained from:  OpenBSD, mikeb <mi...@openbsd.org>, 5d4200d304
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 65eb5736d43d..1b0eb6d6dd80 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -7972,8 +7972,12 @@ pf_test_state_icmp(struct pf_kstate **state, struct 
pf_pdesc *pd,
                                                pd->proto = IPPROTO_ICMP;
                                        else
                                                pd->proto = IPPROTO_ICMPV6;
-                                       th.th_sport = nk->port[sidx];
-                                       th.th_dport = nk->port[didx];
+                                       pf_change_ap(pd->m, pd2.src, 
&th.th_sport,
+                                           pd->ip_sum, &th.th_sum, 
&nk->addr[pd2.sidx],
+                                           nk->port[sidx], 1, pd->af, nk->af);
+                                       pf_change_ap(pd->m, pd2.dst, 
&th.th_dport,
+                                           pd->ip_sum, &th.th_sum, 
&nk->addr[pd2.didx],
+                                           nk->port[didx], 1, pd->af, nk->af);
                                        m_copyback(pd2.m, pd2.off, 8, 
(c_caddr_t)&th);
                                        PF_ACPY(pd->src,
                                            &nk->addr[pd2.sidx], nk->af);
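Review bot: Both new pf_change_ap calls pass &th.th_sum as the protocol checksum, but the m_copyback that follows writes only the first 8 bytes of th into pd2.m, which covers the ports and the sequence number and not th_sum, so any checksum adjustment made on the local copy is dropped. If that is intended because the ICMP payload carries only 8 bytes of the inner TCP header, a one-line comment saying so would keep the next reader from treating it as a bug; it is also worth confirming that th_sum holds a defined value at this point. Two smaller points: the calls are given pd->m while the copyback targets pd2.m, which deserves a note if deliberate, and the bare 1 argument would read better with a comment naming what it selects. Lastly, the subject line speaks of UDP-in-ICMP, yet the only hunk in this patch touches the TCP (th) path, so the commit message could state where the UDP half lives.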
