upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-05-28 04:12:45 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pf: be less strict about icmp state checking for sloppy state tracking

Browse source 
Sloppy state tracking renders ICMP direction check useless
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match.  The bug
was reported and fix was verified by Insan Praja <insan ()
ims-solusi ! com>.  Thanks!  OK mcbride, henning

MFC after:	1 week
Obtained from:	OpenBSD, mikeb <mikeb@openbsd.org>, 538596657140
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5)
This commit is contained in:
Kristof Provost 2024-08-26 16:44:20 +02:00 committed by Franco Fichtner
parent 631d6e5300
commit 781221f084
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
sys/netpfil/pf/pf.c
View file

@ -6658,6 +6658,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
STATE_LOOKUP(kif, key, *state, pd);
if ((*state)->state_flags & PFSTATE_SLOPPY)
return (-1);
/* Is this ICMP message flowing in right direction? */
if ((*state)->rule.ptr->type &&
(((!inner && (*state)->direction == direction) ||