Date: Sat, 12 Jul 2025 15:36:18 GMT
Message-Id: <202507121536.56CFaIkq014921@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 0f15030a6eb6 - stable/14 - pf: fix ICMP ECHO handling of ID conflicts
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: 0f15030a6eb6e4e0d7f22bffa27eb9be9ab233f8

The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=0f15030a6eb6e4e0d7f22bffa27eb9be9ab233f8

commit 0f15030a6eb6e4e0d7f22bffa27eb9be9ab233f8
Author:     Damir Bikmuhametov
AuthorDate: 2025-06-26 17:26:14 +0000
Commit:     Kristof Provost
CommitDate: 2025-07-12 07:50:18 +0000

    pf: fix ICMP ECHO handling of ID conflicts

    After applying FreeBSD-SA-24:05.pf, a problem with ICMP ECHO passing
    through PF NAT was raised: two or more Windows workstations cannot ping
    the same destination address at the same time. More precisely, only one
    workstation pings normally, while the pings of the others are rejected
    by the packet filter. The thing is that Windows always uses the same
    ICMP ID (1). Therefore, the state is created only for the workstation
    that started pinging earlier.

    In the pf_get_sport() function, we compare *nport with the ICMP_ECHO
    constant, while icmptype (virtual_type actually) is passed in the
    pd->ndport parameter.

    MFC after:      2 weeks
    Reviewed by:    kp

    (cherry picked from commit e7abf8829d8d496a8753946f67fb2016851b4f7c)

--- sys/netpfil/pf/pf_lb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 2623a22db86b..a9cbc71cb5f4 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c 
@@ -233,7 +233,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_krule *r, return (1); if (proto == IPPROTO_ICMP) { - if (*nport == htons(ICMP_ECHO)) { + if (dport == htons(ICMP_ECHO)) { low = 1; high = 65535; } else @@ -241,7 +241,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_krule *r, } #ifdef INET6 if (proto == IPPROTO_ICMPV6) { - if (*nport == htons(ICMP6_ECHO_REQUEST)) { + if (dport == htons(ICMP6_ECHO_REQUEST)) { low = 1; high = 65535; } else
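
Review bot: In the IPPROTO_ICMP branch of the first hunk, `if (dport == htons(ICMP_ECHO))` compares a variable named like a port against an ICMP type, and nothing in the visible lines says why that is correct. The commit message explains that the ICMP type (virtual_type) is what gets passed in for the destination port, so a short comment above the comparison stating that dport carries the ICMP type in network byte order for this protocol would document the intent and keep a later reader from changing it back to `*nport`.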
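
Review bot: The IPPROTO_ICMPV6 branch in the second hunk gets the same one-token change (`if (dport == htons(ICMP6_ECHO_REQUEST))`), but the commit message only describes the IPv4 symptom and the diffstat shows pf_lb.c as the only file touched, so neither path gains a regression test. A test with two NAT clients sending echo requests with the same ICMP ID to one destination, run for both ICMP and ICMPv6, would confirm that the `low = 1; high = 65535;` range is now actually reached and that each client gets its own state.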