
pf: fix icmp-in-icmp state lookup

Description

pf: fix icmp-in-icmp state lookup

In 534ee17e6 pf state checking for ICMP(v6) was made stricter. This change
failed to correctly set the pf_pdesc for ICMP-in-ICMP lookups, resulting in ICMP
error packets potentially being dropped incorrectly.
Specifically, it copied the ICMP header into a separate variable, not into the
pf_pdesc.

Populate the required pf_pdesc fields for the embedded ICMP packet's state lookup.

Approved by: so
Security: FreeBSD-EN-24:16.pf
PR: 280701
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 2da98eef1f352c496ffd458b4c68ddee972bb903)
(cherry picked from commit 0d8d4cc3ea47f1ee61d749b22b135eb73c7d33cd)
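
A simplified model of the failure mode the commit message describes, added here as an illustration; it is not pf's code, and every type and function name in it (`struct pdesc`, `lookup`, `match_icmp_error`, `fill_pd`) is hypothetical. The state lookup reads only the packet descriptor, so a quoted ICMP header parsed into a local variable never reaches the lookup and the ICMP error is dropped.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified types: not pf's real pf_pdesc or state key. */
struct icmp_hdr { uint8_t type, code; uint16_t id; };
struct pdesc { uint8_t proto; struct icmp_hdr icmp; }; /* all the lookup sees */
struct state { uint8_t proto; uint16_t id; };
enum { PROTO_ICMP = 1, ICMP_UNREACH = 3 };

/* Constructed sample: ICMP unreachable quoting an echo request, id 0x1234.
 * Starts at the outer ICMP header; checksums are zero and not verified. */
static const uint8_t sample[36] = {
    3, 1, 0, 0, 0, 0, 0, 0,                          /* outer ICMP error   */
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, 1, 0, 0,         /* quoted IPv4 header */
    192, 0, 2, 1, 198, 51, 100, 7,
    8, 0, 0, 0, 0x12, 0x34, 0, 1                     /* quoted ICMP echo   */
};
static const struct state table[] = { { PROTO_ICMP, 0x1234 } };

static int lookup(const struct pdesc *pd, const struct state *t, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (t[i].proto == pd->proto && t[i].id == pd->icmp.id)
            return (int)i;
    return -1;
}

/* Returns the matching state index, or -1 (the error packet is dropped).
 * fill_pd == 0 models the bug: the header is parsed into a local only. */
static int match_icmp_error(const uint8_t *p, size_t len, int fill_pd) {
    struct pdesc pd2;
    if (len < 8 + 20 + 8 || p[0] != ICMP_UNREACH)
        return -1;
    const uint8_t *ip = p + 8;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8)
        return -1;                       /* truncated or malformed quote */
    const uint8_t *q = ip + ihl;
    struct icmp_hdr inner = { q[0], q[1], (uint16_t)((q[4] << 8) | q[5]) };
    memset(&pd2, 0, sizeof(pd2));
    pd2.proto = ip[9];
    if (fill_pd)
        pd2.icmp = inner;                /* the fix: populate the descriptor */
    return lookup(&pd2, table, sizeof(table) / sizeof(table[0]));
}

int main(void) {
    return !(match_icmp_error(sample, sizeof(sample), 0) == -1 &&
             match_icmp_error(sample, sizeof(sample), 1) == 0);
}
```
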

Details

Provenance
kp Authored on Aug 12 2024, 2:07 PM
markj Committed on Thu, Sep 19, 1:00 PM
Parents
rG811a30c55a20: Add UPDATING entries and bump revision