authorMike Belopuhov <mikeb@cvs.openbsd.org>2011-12-19 23:32:37 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2011-12-19 23:32:37 +0000
commitc6f67720c4d852fb02a9840d7a49afd4287481fe (patch)
treec6b072486e1b89bd442157087ba3aaf7906e75fc /sys
parent4a86400b3d5d59b6ba099f6365329bfbda6560c3 (diff)
improve the icmp direction check to deal correctly with af-to states
(there is only one state and its direction is always PF_IN) and don't exclude icmp echo replies from the test. ok mcbride, claudio on previous version, ok henning, "looks good" deraadt
Diffstat (limited to 'sys')
-rw-r--r--sys/net/pf.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 167e555e417..992b9fd070f 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.790 2011/12/12 21:30:27 mikeb Exp $ */
+/* $OpenBSD: pf.c,v 1.791 2011/12/19 23:32:36 mikeb Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -4555,6 +4555,8 @@ pf_icmp_state_lookup(struct pf_pdesc *pd, struct pf_state_key_cmp *key,
struct pf_state **state, u_int16_t icmpid, u_int16_t type,
int icmp_dir, int *iidx, int multi, int inner)
{
+ int direction;
+
key->af = pd->af;
key->proto = pd->proto;
key->rdomain = pd->rdomain;
@@ -4590,9 +4592,13 @@ pf_icmp_state_lookup(struct pf_pdesc *pd, struct pf_state_key_cmp *key,
STATE_LOOKUP(pd->kif, key, pd->dir, *state, pd->m);
/* Is this ICMP message flowing in right direction? */
- if ((*state)->rule.ptr->type &&
- (((!inner && (*state)->direction == pd->dir) ||
- (inner && (*state)->direction != pd->dir)) ?
+ if ((*state)->key[PF_SK_WIRE]->af != (*state)->key[PF_SK_STACK]->af)
+ direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ?
+ PF_IN : PF_OUT;
+ else
+ direction = (*state)->direction;
+ if ((((!inner && direction == pd->dir) ||
+ (inner && direction != pd->dir)) ?
PF_IN : PF_OUT) != icmp_dir) {
if (pf_status.debug >= LOG_NOTICE) {
log(LOG_NOTICE,
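Review bot: The new af-to branch, at the `key[PF_SK_WIRE]->af != key[PF_SK_STACK]->af` test, relies on an invariant that only the commit message states: an af-to state is single and always created PF_IN, so the direction is inferred from which address family the packet carries. This check decides whether an ICMP message is accepted against an existing state, so the assumption belongs in the code, for example `/* af-to: one state, always PF_IN; infer direction from the packet's af vs. the wire key */` above the `if`. If af-to states could ever be created outbound, the `PF_IN : PF_OUT` mapping would presumably be inverted, and the comment should say so, so that a later change to af-to does not silently weaken the test. pf_icmp_state_lookup starts before this hunk and continues past it, so the handling after the log call is not visible here.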