Date: Sat, 12 Jul 2025 15:37:05 GMT
Message-Id: <202507121537.56CFb5Kh015287@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Kristof Provost
Subject: git: 57c652dfa1c0 - stable/13 - pf: fix ICMP ECHO handling of ID conflicts
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 57c652dfa1c08a361e29b7edb7fe05b63ffae235
Auto-Submitted: auto-generated

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=57c652dfa1c08a361e29b7edb7fe05b63ffae235

commit 57c652dfa1c08a361e29b7edb7fe05b63ffae235
Author:     Damir Bikmuhametov
AuthorDate: 2025-06-26 17:26:14 +0000
Commit:     Kristof Provost
CommitDate: 2025-07-12 07:50:55 +0000

    pf: fix ICMP ECHO handling of ID conflicts

    After applying FreeBSD-SA-24:05.pf, a problem with ICMP ECHO passing
    through PF NAT was raised: two or more Windows workstations cannot ping
    the same destination address at the same time. More precisely, only one
    workstation pings normally, while the pings of the others are rejected
    by the packet filter. The thing is that Windows always uses the same
    ICMP ID (1). Therefore, the state is created only for the workstation
    that started pinging earlier.

    In the pf_get_sport() function, we compare *nport with the ICMP_ECHO
    constant, while icmptype (virtual_type actually) is passed in the
    pd->ndport parameter.

    MFC after:      2 weeks
    Reviewed by:    kp

    (cherry picked from commit e7abf8829d8d496a8753946f67fb2016851b4f7c)
---
 sys/netpfil/pf/pf_lb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 2571a0c5312e..001f26c13d48 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c 
@@ -223,7 +223,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_krule *r, return (1); if (proto == IPPROTO_ICMP) { - if (*nport == htons(ICMP_ECHO)) { + if (dport == htons(ICMP_ECHO)) { low = 1; high = 65535; } else @@ -231,7 +231,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_krule *r, } #ifdef INET6 if (proto == IPPROTO_ICMPV6) { - if (*nport == htons(ICMP6_ECHO_REQUEST)) { + if (dport == htons(ICMP6_ECHO_REQUEST)) { low = 1; high = 65535; } else
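Review bot: In the IPPROTO_ICMP branch (first hunk), `if (dport == htons(ICMP_ECHO)) {` tests a variable named as a port against an ICMP type, which is easy to misread and invites the same mix-up the commit message describes for `*nport`; please add a short comment above the test stating that for ICMP this argument carries the ICMP type (the commit message's virtual_type) rather than a port. The commit message names the carrier as pd->ndport while the code uses `dport`, and the declaration of `dport` is not visible in the hunk context, so it is worth confirming that every pf_get_sport() caller on stable/13 passes the ICMP type in that argument.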
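Review bot: The IPPROTO_ICMPV6 branch (second hunk) gets the same one-line change, `if (dport == htons(ICMP6_ECHO_REQUEST)) {`, but the diffstat shows only sys/netpfil/pf/pf_lb.c touched, so no test covers either branch; a regression test with two clients behind NAT sending echo requests with the same ID to one destination, run for both ICMP and ICMPv6, would pin the behaviour the commit message describes. As a style point, both branches now repeat the same `low = 1; high = 65535;` selection and differ only in the echo constant, so sharing that selection would make a future one-sided fix less likely.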