HomeFreeBSD
Diffusion FreeBSD src repository fdc0afd4391e

pf: improve the ICMPv6 direction check
fdc0afd4391e
Actions

Description

pf: improve the ICMPv6 direction check

Following bluhm's advice this changes the way we setup state keys and
perform state lookups for ICMPv6 Neighbor Discovery packets:

  • replace the NS-dst with ND target address;
  • replace the NA-src with ND target address;
  • replace the NA-dst with unspecified address if it is a multicast.

This allows pf to match Address Resolution, Neighbor Unreachability
Detection and Duplicate Address Detection packets to the corresponding
states without the need to create new ones or match unrelated ones.
As a side effect we're doing now one state table lookup for ND packets
instead of two.

Fixes a bug uncovered by one of the previous commits that virtually
breaks IPv6 connectivity after few minutes of use.

ok stsp henning, with and ok bluhm

Approved by: so
Security: FreeBSD-EN-24:16.pf
PR: 280701
MFC after: 1 week
Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, 2633ae8c4c8a
Sponsored by: Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 5ab1e5f7e5585558a73b723f07528977a82cee82)
(cherry picked from commit 0121a4baaca09049d130d830aa9179e3cb9c9e88)

Details

Provenance
kpAuthored on Mon, Aug 26, 12:59 PM
markjCommitted on Thu, Sep 19, 12:55 PM
Parents
rG84b57a4c5b84: pf: invert direction for inner icmp state lookups
Branches
Unknown
Tags
Unknown

Changes (3)

PathSize
sys/
net/
netpfil/
pf/

rGfdc0afd4391e

View Options

sys/net/pfvar.h

Loading...
View Options

sys/netpfil/pf/pf.c

Loading...
View Options

sys/netpfil/pf/pf_lb.c

Loading...