From 781221f084cdf971ec59c73e16a4f7ef36798eaf Mon Sep 17 00:00:00 2001
From: Kristof Provost <kp@FreeBSD.org>
Date: Mon, 26 Aug 2024 16:44:20 +0200
Subject: [PATCH] pf: be less strict about icmp state checking for sloppy state
 tracking

Sloppy state tracking renders ICMP direction check useless
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match.  The bug
was reported and fix was verified by Insan Praja <insan ()
ims-solusi ! com>.  Thanks!  OK mcbride, henning

MFC after:	1 week
Obtained from:	OpenBSD, mikeb <mikeb@openbsd.org>, 538596657140
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5)
---
 sys/netpfil/pf/pf.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index c61fe8aa1eb..bedb3ae1239 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6658,6 +6658,9 @@ pf_icmp_state_lookup(struct pf_state_key_cmp *key, struct pf_pdesc *pd,
 
 	STATE_LOOKUP(kif, key, *state, pd);
 
+	if ((*state)->state_flags & PFSTATE_SLOPPY)
+		return (-1);
+
 	/* Is this ICMP message flowing in right direction? */
 	if ((*state)->rule.ptr->type &&
 	    (((!inner && (*state)->direction == direction) ||