
pf: stricter state checking for ICMP and ICMPv6 packets

Description

pf: stricter state checking for ICMP and ICMPv6 packets

Include the ICMP type in one port of the state key, using the type to determine which side should be the id, and which should be the type.

Also:

  • Handle ICMP6 messages which are typically sent to multicast addresses but receive unicast replies, by doing fallthrough lookups against the correct multicast address.
  • Clear up some mistaken assumptions in the PF code:
      • Not all ICMP packets have an icmp_id, so simulate one based on other data if we can, otherwise set it to 0.
      • Don't modify the icmp id field in NAT unless it's echo
      • Use the full range of possible ids when NATing icmp6 echo

ok henning marco
testing matthieu todd

Approved by: so
Security: FreeBSD-SA-24:05.pf
Security: CVE-2024-6640
MFC after: 1 day
Obtained From: OpenBSD, mcbride <mcbride@openbsd.org> 70bf7555ef4c
Sponsored by: Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 534ee17e61ee094ec175703bc50e88ff6587703e)
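The keying scheme the commit message describes, worked through as an added illustration for this page. This is a simplified model, not pf's code and not part of the commit: the ICMP type numbers are the IANA values, while the class and function names, the way an id is simulated for neighbor discovery messages, the orientation of the stored key and the fallthrough rule are assumptions of the model. It shows the id landing on the requester's side of the key and the request type on the responder's side, so that an echo reply finds the echo request's state while a packet of a different type with the same id does not, and it shows the fallthrough lookup for a neighbor solicitation sent to the solicited-node group and answered from a unicast address.

```python
# Added illustration of the ICMP state-keying scheme described in the commit
# message above. Simplified model written for this page, not pf's code: type
# numbers are the IANA values; names, the simulated ND id and the fallthrough
# rule are assumptions of the model.
import ipaddress
from dataclasses import dataclass

ICMP_ECHOREPLY, ICMP_UNREACH, ICMP_ECHO = 0, 3, 8
ICMP6_ECHO_REQUEST, ICMP6_ECHO_REPLY = 128, 129
ND_NEIGHBOR_SOLICIT, ND_NEIGHBOR_ADVERT = 135, 136

# Reply type -> the request type it answers. The request type is the
# "virtual type" carried in the state key for both directions.
REQUEST_OF_REPLY = {
    ICMP_ECHOREPLY: ICMP_ECHO,
    ICMP6_ECHO_REPLY: ICMP6_ECHO_REQUEST,
    ND_NEIGHBOR_ADVERT: ND_NEIGHBOR_SOLICIT,
}
# Only echo messages carry a real icmp_id.
HAS_ID = {ICMP_ECHO, ICMP_ECHOREPLY, ICMP6_ECHO_REQUEST, ICMP6_ECHO_REPLY}
# Requests sent to a solicited-node multicast group but answered from unicast.
SOLICITED_NODE_REQUESTS = {ND_NEIGHBOR_SOLICIT}


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    type: int
    id: int = 0        # icmp_id when the message has one
    target: str = ""   # ND target address (neighbor solicit/advert only)


def solicited_node(addr):
    """RFC 4291 solicited-node address: ff02::1:ff00:0/104 plus the low 24 bits."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def icmp_mapping(p):
    """Return (is_request, virtual_id, virtual_type) for a packet."""
    is_request = p.type not in REQUEST_OF_REPLY
    vtype = p.type if is_request else REQUEST_OF_REPLY[p.type]
    if p.type in HAS_ID:
        vid = p.id
    elif p.target:
        # No icmp_id: simulate one from other data (low 16 bits of the ND
        # target here; the exact derivation is an assumption of this model).
        vid = int(ipaddress.IPv6Address(p.target)) & 0xFFFF
    else:
        vid = 0
    return is_request, vid, vtype


def key_ports(is_request, vid, vtype):
    """The id sits on the requester's side of the key, the type on the responder's."""
    return (vid, vtype) if is_request else (vtype, vid)


class IcmpStateTable:
    """States are stored in host->peer orientation, as created by outbound packets."""

    def __init__(self):
        self.states = {}

    def outbound(self, p):
        is_request, vid, vtype = icmp_mapping(p)
        sport, dport = key_ports(is_request, vid, vtype)
        self.states[(p.src, p.dst, sport, dport)] = f"{p.src} -> {p.dst} type {vtype}"

    def inbound(self, p):
        """Return the state an inbound packet matches, or None."""
        is_request, vid, vtype = icmp_mapping(p)
        sport, dport = key_ports(is_request, vid, vtype)
        # Reverse addresses and ports to line up with the stored orientation.
        candidates = [(p.dst, p.src, dport, sport)]
        if not is_request and vtype in SOLICITED_NODE_REQUESTS:
            # Fallthrough lookup: the solicitation went to the solicited-node
            # group, but the advertisement arrives from a unicast address.
            candidates.append((p.dst, solicited_node(p.src), dport, sport))
        for k in candidates:
            if k in self.states:
                return self.states[k]
        return None


def demo():
    """Constructed scenario: which inbound packets find a state."""
    fw = IcmpStateTable()
    host, peer = "10.0.0.2", "198.51.100.7"
    fw.outbound(Pkt(host, peer, ICMP_ECHO, id=0x1234))
    echo_reply = fw.inbound(Pkt(peer, host, ICMP_ECHOREPLY, id=0x1234)) is not None
    other_id = fw.inbound(Pkt(peer, host, ICMP_ECHOREPLY, id=0x4321)) is not None
    # Same id, wrong type: a key built from the id alone would accept this one.
    same_id_request = fw.inbound(Pkt(peer, host, ICMP_ECHO, id=0x1234)) is not None
    # (pf matches ICMP errors against the embedded packet; not modelled here.)
    unrelated_error = fw.inbound(Pkt(peer, host, ICMP_UNREACH)) is not None
    h6, t6 = "fe80::2", "fe80::1"
    fw.outbound(Pkt(h6, solicited_node(t6), ND_NEIGHBOR_SOLICIT, target=t6))
    neighbor_advert = fw.inbound(Pkt(t6, h6, ND_NEIGHBOR_ADVERT, target=t6)) is not None
    return echo_reply, other_id, same_id_request, unrelated_error, neighbor_advert


if __name__ == "__main__":
    print(demo())  # (True, False, False, False, True)
```

Running the module prints the five lookup results: only the echo reply with the matching id and the neighbor advertisement (found through the fallthrough to the solicited-node group) match a state. The NAT bullets in the commit message are not modelled; the point of the model is that the type is part of the match, not only the id.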

Details

Provenance
kp: authored on Jul 9 2024, 1:59 PM
markj: committed on Aug 7 2024, 1:37 PM
Parents
rG3d5cb2b9a97c: nfscl: Scan readdir reply filenames for invalid characters