pf: fix icmp-in-icmp state lookup

Description

pf: fix icmp-in-icmp state lookup

In 534ee17e6 pf state checking for ICMP(v6) was made stricter. This change
failed to correctly set the pf_pdesc for ICMP-in-ICMP lookups, resulting in ICMP
error packets potentially being dropped incorrectly.
Specially, it copied the ICMP header into a separate variable, not into the
pf_pdesc.

Populate the required pf_pdesc fields for the embedded ICMP packet's state lookup.

Approved by: so
Security: FreeBSD-EN-24:16.pf
PR: 280701
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 2da98eef1f352c496ffd458b4c68ddee972bb903)
(cherry picked from commit 27a1a56b0d2e6ffa6ab1de69ef84fe66b7fd41e0)

Details

Provenance
kp authored on Aug 12 2024, 2:07 PM
markj committed on Thu, Sep 19, 12:57 PM
Parents
rGf96bae43f0c1: Add UPDATING entries and bump revision