Diffusion FreeBSD src repository 534ee17e61ee

pf: stricter state checking for ICMP and ICMPv6 packets
534ee17e61ee
Actions

Tags

None

Referenced Files

None

Subscribers

None

Description

pf: stricter state checking for ICMP and ICMPv6 packets

Include
the ICMP type in one port of the state key, using the type to determine which
side should be the id, and which should be the type.

Also:

Handle ICMP6 messages which are typically sent to multicast addresses but recieve unicast replies, by doing fallthrough lookups against the correct multicast address.
Clear up some mistaken assumptions in the PF code:
- - Not all ICMP packets have an icmp_id, so simulate one based on other data if we can, otherwise set it to 0.
- Don't modify the icmp id field in NAT unless it's echo
- Use the full range of possible id's when NATing icmp6 echoy

ok henning marco
testing matthieu todd

MFC after: 1 day
Obtained From: OpenBSD, mcbride <mcbride@openbsd.org> 70bf7555ef4c
Sponsored by: Rubicon Communications, LLC ("Netgate")

Details

Provenance

kp	Authored on Jul 9 2024, 1:59 PM

Parents

rG375aaa299f85: pfctl: improve error reporting

Branches

Unknown

Tags

Unknown

Event Timeline

kp committed rG534ee17e61ee: pf: stricter state checking for ICMP and ICMPv6 packets (authored by kp).Jul 29 2024, 5:42 PM

kp mentioned this in rG2f6b4611b5b8: pf: stricter state checking for ICMP and ICMPv6 packets.Jul 31 2024, 7:41 AM

kp mentioned this in rGf8fbac6b4ff7: pf: stricter state checking for ICMP and ICMPv6 packets.

markj mentioned this in rG370e196bae46: pf: stricter state checking for ICMP and ICMPv6 packets.Aug 7 2024, 1:44 PM

markj mentioned this in rGe576536cbae1: pf: stricter state checking for ICMP and ICMPv6 packets.

markj mentioned this in rGaac676988d91: pf: stricter state checking for ICMP and ICMPv6 packets.Aug 7 2024, 1:50 PM

kp mentioned this in rG2da98eef1f35: pf: fix icmp-in-icmp state lookup.Aug 13 2024, 11:27 AM

kp mentioned this in rG27a1a56b0d2e: pf: fix icmp-in-icmp state lookup.Aug 20 2024, 3:17 PM

kp mentioned this in rG0d8d4cc3ea47: pf: fix icmp-in-icmp state lookup.

kp mentioned this in rG7d3a0370c8a3: pf: fix icmp-in-icmp state lookup.Aug 21 2024, 7:45 AM

markj mentioned this in rGfb925cf0a4b3: pf: fix icmp-in-icmp state lookup.Thu, Sep 19, 1:03 PM

markj mentioned this in rGd1c4f6decb10: pf: fix icmp-in-icmp state lookup.

markj mentioned this in rGf51f7cb8997f: pf: fix icmp-in-icmp state lookup.

Changes (2)

Path

Size

sys/

netpfil/

pf/

rG534ee17e61ee

sys/netpfil/pf/pf.c

Loading...

sys/netpfil/pf/pf_lb.c

Loading...