Sloppy state tracking renders ICMP direction check useless

and harmful as we might see only half of the connection in the asymmetric setups but ignore the state match. The bug was reported and fix was verified by Insan Praja <insan () ims-solusi ! com>. Thanks! OK mcbride, henning
author: mikeb <mikeb@openbsd.org> 2012-08-30 11:43:36 +0000
committer: mikeb <mikeb@openbsd.org> 2012-08-30 11:43:36 +0000
commit: 538596657140c9166e7df97fd176152d317155dc (patch)
tree: 614de5346969d0bc04d3117aa16bb68c1dd24965
parent: make a variable that can take a value of -1 signed to match what the (diff)
download: wireguard-openbsd-538596657140c9166e7df97fd176152d317155dc.tar.xz
wireguard-openbsd-538596657140c9166e7df97fd176152d317155dc.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 783f8897034..16330ca7cf6 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.809 2012/07/26 12:25:31 mikeb Exp $ */
+/*	$OpenBSD: pf.c,v 1.810 2012/08/30 11:43:36 mikeb Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -4695,6 +4695,9 @@ pf_icmp_state_lookup(struct pf_pdesc *pd, struct pf_state_key_cmp *key,
 
 	STATE_LOOKUP(pd->kif, key, pd->dir, *state, pd->m);
 
+	if ((*state)->state_flags & PFSTATE_SLOPPY)
+		return (-1);
+
 	/* Is this ICMP message flowing in right direction? */
 	if ((*state)->key[PF_SK_WIRE]->af != (*state)->key[PF_SK_STACK]->af)
 		direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ?
author	mikeb <mikeb@openbsd.org>	2012-08-30 11:43:36 +0000
committer	mikeb <mikeb@openbsd.org>	2012-08-30 11:43:36 +0000
commit	538596657140c9166e7df97fd176152d317155dc (patch)
tree	614de5346969d0bc04d3117aa16bb68c1dd24965
parent	make a variable that can take a value of -1 signed to match what the (diff)
download	wireguard-openbsd-538596657140c9166e7df97fd176152d317155dc.tar.xz wireguard-openbsd-538596657140c9166e7df97fd176152d317155dc.zip