pf: be less strict about icmp state checking for sloppy state tracking

Description

pf: be less strict about icmp state checking for sloppy state tracking

Sloppy state tracking renders ICMP direction check useless
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match. The bug
was reported and fix was verified by Insan Praja <insan ()
ims-solusi ! com>. Thanks! OK mcbride, henning

Approved by: so
Security: FreeBSD-EN-24:16.pf
MFC after: 1 week
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 538596657140
Sponsored by: Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 3da3eb6081a2e2f6ea2fed1728d5dd7f9e8786e5)
(cherry picked from commit b4b8b2fc9bd25d10eab0afdbd06a7ef8735b7b6b)

Details

Provenance
kp Authored on Aug 26 2024, 2:44 PM
markj Committed on Sep 19 2024, 1:01 PM
Parents
rGfceeab39e9b1: pf: try to lookup the icmp state based on a correct packet descriptor