i've decided to rewrite the description to facilitate the review
process.
currently icmp6->icmp translation fails because of the incorrect
"icmp direction" check in pf_icmp_state_lookup. first of all it
checks all icmp packets except for the "echo reply". the reasons
for this are unknown. it works pretty well in my tests.
incidentally, when af-to is used there's only one state for both
input and output and its direction is always PF_IN. therefore,
it's pointless to check it. instead we should derive direction
from the difference of address families in PF_SK_WIRE and
PF_SK_STACK state keys.
i've beaten this diff for quite some time and have tried
different kinds of icmp combinations including "inner" ones:
icmp as a payload of another icmp (e.g. destination unreachable
for an icmp echo request) and it works just fine.
i'd like to commit it soon and got only a tentative ok from
henning.
Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.787
diff -u -p -r1.787 pf.c
--- pf.c 26 Nov 2011 03:28:46 -0000 1.787
+++ pf.c 28 Nov 2011 00:08:09 -0000
@@ -4557,6 +4557,8 @@ pf_icmp_state_lookup(struct pf_pdesc *pd
struct pf_state **state, u_int16_t icmpid, u_int16_t type,
int icmp_dir, int *iidx, int multi, int inner)
{
+ int direction;
+
key->af = pd->af;
key->proto = pd->proto;
key->rdomain = pd->rdomain;
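Review bot: a short comment on `int direction;` would help readers, since the local shares its name with the `(*state)->direction` field it shadows in meaning; something like `/* effective state direction; derived from key afs for af-to states */` makes the later assignment self-explanatory.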
@@ -4592,9 +4594,13 @@ pf_icmp_state_lookup(struct pf_pdesc *pd
STATE_LOOKUP(pd->kif, key, pd->dir, *state, pd->m);
/* Is this ICMP message flowing in right direction? */
- if ((*state)->rule.ptr->type &&
- (((!inner && (*state)->direction == pd->dir) ||
- (inner && (*state)->direction != pd->dir)) ?
+ if ((*state)->key[PF_SK_WIRE]->af != (*state)->key[PF_SK_STACK]->af)
+ direction = (pd->af == (*state)->key[PF_SK_WIRE]->af) ?
+ PF_IN : PF_OUT;
+ else
+ direction = (*state)->direction;
+ if ((((!inner && direction == pd->dir) ||
+ (inner && direction != pd->dir)) ?
PF_IN : PF_OUT) != icmp_dir) {
if (pf_status.debug >= LOG_NOTICE) {
log(LOG_NOTICE,
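Review bot: the `(*state)->rule.ptr->type &&` guard is dropped entirely, so the direction check now runs for every ICMP state rather than only those whose rule carried a type; that widening is separate from the af-to fix and deserves an explicit sentence in the commit message, plus a test that states created by a rule with no icmp type (a plain `pass proto icmp`) still pass echo request and echo reply in both directions. The af-to branch itself reads correctly against the description: `pd->af == (*state)->key[PF_SK_WIRE]->af` classifies a packet seen on the wire side as PF_IN, and the non-af-to branch falls back to `(*state)->direction`, so existing behaviour is preserved when both key afs match. The `else` arm could be collapsed onto the assignment line to stay within KNF.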