pf: stricter state checking for ICMP and ICMPv6 packets

Description

pf: stricter state checking for ICMP and ICMPv6 packets

Include the ICMP type in one port of the state key, using the type to determine which
side should be the id, and which should be the type.

Also:

  • Handle ICMP6 messages which are typically sent to multicast addresses but receive unicast replies, by doing fallthrough lookups against the correct multicast address.
  • Clear up some mistaken assumptions in the PF code:
    • Not all ICMP packets have an icmp_id, so simulate one based on other data if we can, otherwise set it to 0.
    • Don't modify the icmp id field in NAT unless it's echo
    • Use the full range of possible ids when NATing icmp6 echo

ok henning marco
testing matthieu todd

Approved by: so
Security: FreeBSD-SA-24:05.pf
Security: CVE-2024-6640
MFC after: 1 day
Obtained From: OpenBSD, mcbride <mcbride@openbsd.org> 70bf7555ef4c
Sponsored by: Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 534ee17e61ee094ec175703bc50e88ff6587703e)
(cherry picked from commit 2f6b4611b5b847aee1ff8d5017a0f8a657f4101d)
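As an added illustration, not code from this commit or from pf itself, the C sketch below models the state-key rule the description gives: the request type fills one port of the key and the icmp_id fills the other, reply types map onto the request type they answer, and messages that carry no id get id 0 (a constructed simplification of the "simulate one if we can, otherwise 0" rule). The struct, function names and ICMP_T_* constants are hypothetical; the type values are from RFC 792.

```c
#include <stdbool.h>
#include <stdint.h>

/* ICMPv4 type values (RFC 792) used in this illustration. */
enum { ICMP_T_ECHOREPLY = 0, ICMP_T_UNREACH = 3, ICMP_T_ECHO = 8,
       ICMP_T_TSTAMP = 13, ICMP_T_TSTAMPREPLY = 14 };

/* Hypothetical state key: one "port" carries the request type, the other the id. */
struct icmp_key {
    uint16_t type_port;
    uint16_t id_port;
};

/* Map an ICMP type to the request type whose state it belongs to, and report
 * whether this kind of message carries an icmp_id at all. */
static uint8_t icmp_request_type(uint8_t type, bool *has_id)
{
    *has_id = true;
    switch (type) {
    case ICMP_T_ECHO:
    case ICMP_T_ECHOREPLY:   return ICMP_T_ECHO;
    case ICMP_T_TSTAMP:
    case ICMP_T_TSTAMPREPLY: return ICMP_T_TSTAMP;
    default:                 /* error messages such as Unreachable have no id */
        *has_id = false;
        return type;
    }
}

/* Build the key a packet would create or look up. Messages without an id get
 * id 0 here (constructed simplification; the commit also derives one from other
 * data where possible). */
static struct icmp_key icmp_state_key(uint8_t type, uint16_t id)
{
    bool has_id;
    struct icmp_key k;
    k.type_port = icmp_request_type(type, &has_id);
    k.id_port = has_id ? id : 0;
    return k;
}

/* A packet matches an existing state only if both the type pairing and the
 * id agree: a different ICMP type carrying the same id no longer matches. */
static bool icmp_state_match(struct icmp_key state, uint8_t type, uint16_t id)
{
    struct icmp_key k = icmp_state_key(type, id);
    return k.type_port == state.type_port && k.id_port == state.id_port;
}
```

The last function is the "stricter" check: an echo reply with the right id matches the echo state, while a timestamp reply or an unreachable message with that same id does not.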

Details

Provenance
kp authored on Jul 9 2024, 1:59 PM
markj committed on Aug 7 2024, 1:31 PM
Parents
rG01792dd7f27b: ifconfig: Fix default netmask calculation