diff options
| author | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2012-08-30 11:43:37 +0000 |
|---|---|---|
| committer | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2012-08-30 11:43:37 +0000 |
| commit | af10d003b44c83a945cc92d4b3a0ed3382389486 (patch) | |
| tree | e98cfc1cb0a5cba368539af4ce7e498dfe062d2d /sys/net | |
| parent | f024c8018dc6a2dedb86893b5ca24791db20bc53 (diff) | |
Sloppy state tracking renders ICMP direction check useless
and harmful as we might see only half of the connection in
the asymmetric setups but ignore the state match. The bug
was reported and fix was verified by Insan Praja <insan ()
ims-solusi ! com>. Thanks! OK mcbride, henning
Diffstat (limited to 'sys/net')
| -rw-r--r-- | sys/net/pf.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 783f8897034..16330ca7cf6 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.809 2012/07/26 12:25:31 mikeb Exp $ */ +/* $OpenBSD: pf.c,v 1.810 2012/08/30 11:43:36 mikeb Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -4695,6 +4695,9 @@ pf_icmp_state_lookup(struct pf_pdesc *pd, struct pf_state_key_cmp *key, STATE_LOOKUP(pd->kif, key, pd->dir, *state, pd->m); + if ((*state)->state_flags & PFSTATE_SLOPPY) + return (-1); + /* Is this ICMP message flowing in right direction? */ if ((*state)->key[PF_SK_WIRE]->af != (*state)->key[PF_SK_STACK]->af) direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ? |