mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-11-28 08:02:54 +00:00
Code Issues Releases Activity

pf: be less strict about icmp state checking for sloppy state tracking

Browse Source 
Sloppy state tracking renders ICMP direction check useless
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match.  The bug
was reported and fix was verified by Insan Praja <insan ()
ims-solusi ! com>.  Thanks!  OK mcbride, henning

MFC after:	1 week
Obtained from:	OpenBSD, mikeb <mikeb@openbsd.org>, 538596657140
Sponsored by:	Rubicon Communications, LLC ("Netgate")
This commit is contained in:
Kristof Provost 2024-08-26 16:44:20 +02:00
parent b8cd169efa
commit 3da3eb6081
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sys/netpfil/pf/pf.c
View File

@ -6740,6 +6740,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
STATE_LOOKUP(kif, key, *state, pd);
if ((*state)->state_flags & PFSTATE_SLOPPY)
return (-1);
/* Is this ICMP message flowing in right direction? */
if ((*state)->rule.ptr->type &&
(((!inner && (*state)->direction == direction) ||