The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=204fae3f73780b927aae2e272661c25c2db3f96e

commit 204fae3f73780b927aae2e272661c25c2db3f96e
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-06-30 08:36:53 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-07-03 07:16:15 +0000

    pfctl: robustness improvement on address family
    
    The kernel does not set the address family for the socket addresses
    that are used for netmask, broadcast, and destination address.  In
    pfctl(8) take the family of the interface address and write it to
    the other addresses.  This fixes some bugs when copy_satopfaddr()
    copied only part of IPv6 addresses.  Print a warning if the address
    family is unknown.
    OK kn@
    
    Obtained from:  OpenBSD, bluhm <bl...@openbsd.org>, 1fef2296ff
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/pfctl_parser.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index dfcf1a7b62a0..1db98c6103d4 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -234,8 +234,10 @@ copy_satopfaddr(struct pf_addr *pfa, struct sockaddr *sa)
 {
        if (sa->sa_family == AF_INET6)
                pfa->v6 = ((struct sockaddr_in6 *)sa)->sin6_addr;
-       else
+       else if (sa->sa_family == AF_INET)
                pfa->v4 = ((struct sockaddr_in *)sa)->sin_addr;
+       else
+               warnx("unhandled af %d", sa->sa_family);
 }
 
 const struct icmptypeent *
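Review bot: The new final `else` in copy_satopfaddr() only warns and returns, so `*pfa` keeps whatever the caller had in it and the caller cannot tell that nothing was copied. In a tool that builds firewall state from these values, an address, mask or peer that was never filled in could be carried forward as if it were valid. Whether the destination is pre-zeroed is not visible in this hunk. I would state the contract above the function, for example `/* On an unknown family, warn and leave *pfa unmodified; callers must pre-zero it. */`. The message would also be easier to trace with the function name in it, `warnx("%s: unhandled af %d", __func__, sa->sa_family);`.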
@@ -1515,11 +1517,16 @@ ifa_load(void)
                        ifa_add_groups_to_map(ifa->ifa_name);
                } else {
                        copy_satopfaddr(&n->addr.v.a.addr, ifa->ifa_addr);
+                       ifa->ifa_netmask->sa_family = ifa->ifa_addr->sa_family;
                        copy_satopfaddr(&n->addr.v.a.mask, ifa->ifa_netmask);
-                       if (ifa->ifa_broadaddr != NULL)
+                       if (ifa->ifa_broadaddr != NULL) {
+                               ifa->ifa_broadaddr->sa_family = 
ifa->ifa_addr->sa_family;
                                copy_satopfaddr(&n->bcast, ifa->ifa_broadaddr);
-                       if (ifa->ifa_dstaddr != NULL)
+                       }
+                       if (ifa->ifa_dstaddr != NULL) {
+                               ifa->ifa_dstaddr->sa_family = 
ifa->ifa_addr->sa_family;
                                copy_satopfaddr(&n->peer, ifa->ifa_dstaddr);
+                       }
                        if (n->af == AF_INET6)
                                n->ifindex = ((struct sockaddr_in6 *)
                                    ifa->ifa_addr) ->sin6_scope_id;
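Review bot: The added `ifa->ifa_netmask->sa_family = ifa->ifa_addr->sa_family;` writes through `ifa_netmask` unconditionally, while the broadcast and destination pointers right below it are checked against NULL first. getifaddrs(3) documents `ifa_netmask` as NULL when no netmask is set, and the existing copy_satopfaddr() call on the next line has the same exposure. Since this is a robustness change, I would wrap both netmask lines in `if (ifa->ifa_netmask != NULL) { ... }`, matching the other two. ifa_load() begins and ends outside this hunk, so an earlier filter may already exclude such entries; if it does, a short comment saying so would help.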
