git: b6865bca4ba5 - releng/14.4 - pf: include all elements when hashing rules
Date: Thu, 26 Mar 2026 01:15:00 UTC
The branch releng/14.4 has been updated by philip:
URL: https://cgit.FreeBSD.org/src/commit/?id=b6865bca4ba546155740a5047ff79a6515b5805b
commit b6865bca4ba546155740a5047ff79a6515b5805b
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2026-03-19 07:21:51 +0000
Commit: Philip Paeps <philip@FreeBSD.org>
CommitDate: 2026-03-25 16:11:07 +0000
pf: include all elements when hashing rules
Approved by: so
Security: FreeBSD-SA:26:09.pf
Security: CVE-2026-4748
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit c6bcf6e6fd507d952a48226b51cc161b8ef972a2)
(cherry picked from commit e3b801edded92c1ccef67f9aef8653e996493460)
---
sys/netpfil/pf/pf_ioctl.c | 91 ++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 83 insertions(+), 8 deletions(-)
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 1fff0667aa1a..5617207d28f9 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1269,6 +1269,12 @@ pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr)
PF_MD5_UPD(pfr, addr.v.a.addr.addr32);
PF_MD5_UPD(pfr, addr.v.a.mask.addr32);
break;
+ case PF_ADDR_NOROUTE:
+ case PF_ADDR_URPFFAILED:
+ /* These do not use any address data. */
+ break;
+ default:
+ panic("Unknown address type %d", pfr->addr.type);
}
PF_MD5_UPD(pfr, port[0]);
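Review bot: The new `default: panic("Unknown address type %d", pfr->addr.type);` turns any address type the kernel does not recognise into a crash at ruleset commit, and `pfr->addr.type` originates from the rule passed in over the pf ioctl; unless that type is already validated on the load path (not visible here), a malformed DIOCADDRULE/nvlist rule now panics the box instead of being silently accepted with an incomplete hash, reachable by whoever can open /dev/pf. If pf_ioctl_addrule() does not reject unknown `src`/`dst` address types, add that check there and return EINVAL, keeping this `panic()` only as a last-resort invariant for the hashing code. The `switch` begins above the hunk, so which types the earlier cases cover (e.g. range or table addresses) cannot be confirmed from this view.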
@@ -1277,6 +1283,28 @@ pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr)
PF_MD5_UPD(pfr, port_op);
}
+static void
+pf_hash_pool(MD5_CTX *ctx, struct pf_kpool *pool)
+{
+ uint16_t x;
+ int y;
+
+ if (pool->cur) {
+ PF_MD5_UPD(pool, cur->addr);
+ PF_MD5_UPD_STR(pool, cur->ifname);
+ }
+ PF_MD5_UPD(pool, key);
+ PF_MD5_UPD(pool, counter);
+
+ PF_MD5_UPD(pool, mape.offset);
+ PF_MD5_UPD(pool, mape.psidlen);
+ PF_MD5_UPD_HTONS(pool, mape.psid, x);
+ PF_MD5_UPD_HTONL(pool, tblidx, y);
+ PF_MD5_UPD_HTONS(pool, proxy_port[0], x);
+ PF_MD5_UPD_HTONS(pool, proxy_port[1], x);
+ PF_MD5_UPD(pool, opts);
+}
+
static void
pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule)
{
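Review bot: `PF_MD5_UPD(pool, cur->addr)` hashes the whole `struct pf_addr_wrap` in one go, whereas pf_hash_rule_addr() above deliberately hashes only the members that are meaningful for the address type; if I read pfvar.h correctly the wrap also carries the `p` union holding the attached table or dynaddr pointer (filled in when the rule is loaded) plus struct padding, so for `($ext_if)`-style or table pool entries the digest would absorb a kernel pointer and differ between pfsync peers and across reboots, which defeats the purpose of a ruleset checksum. Hashing only `cur` also covers a single pool entry rather than every address in `pool->list`, so two rulesets that differ in the second and later pool members would still hash identically. I would factor the per-type `switch` of pf_hash_rule_addr() into a helper taking a `struct pf_addr_wrap *`, and call it together with `PF_MD5_UPD_STR` on `ifname` for each entry of the list; `cur` and `counter` look like round-robin runtime state and are better left out so that a rehash of a live ruleset stays stable.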
@@ -1287,37 +1315,84 @@ pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule)
pf_hash_rule_addr(ctx, &rule->dst);
for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++)
PF_MD5_UPD_STR(rule, label[i]);
+ PF_MD5_UPD_HTONL(rule, ridentifier, y);
PF_MD5_UPD_STR(rule, ifname);
+ PF_MD5_UPD_STR(rule, qname);
+ PF_MD5_UPD_STR(rule, pqname);
+ PF_MD5_UPD_STR(rule, tagname);
PF_MD5_UPD_STR(rule, match_tagname);
- PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */
+
+ PF_MD5_UPD_STR(rule, overload_tblname);
+
+ pf_hash_pool(ctx, &rule->rpool);
+
PF_MD5_UPD_HTONL(rule, os_fingerprint, y);
+
+ PF_MD5_UPD_HTONL(rule, rtableid, y);
+ for (int i = 0; i < PFTM_MAX; i++)
+ PF_MD5_UPD_HTONL(rule, timeout[i], y);
+ PF_MD5_UPD_HTONL(rule, max_states, y);
+ PF_MD5_UPD_HTONL(rule, max_src_nodes, y);
+ PF_MD5_UPD_HTONL(rule, max_src_states, y);
+ PF_MD5_UPD_HTONL(rule, max_src_conn, y);
+ PF_MD5_UPD_HTONL(rule, max_src_conn_rate.limit, y);
+ PF_MD5_UPD_HTONL(rule, max_src_conn_rate.seconds, y);
+ PF_MD5_UPD_HTONS(rule, qid, x);
+ PF_MD5_UPD_HTONS(rule, pqid, x);
+ PF_MD5_UPD_HTONS(rule, dnpipe, x);
+ PF_MD5_UPD_HTONS(rule, dnrpipe, x);
+ PF_MD5_UPD_HTONL(rule, free_flags, y);
PF_MD5_UPD_HTONL(rule, prob, y);
+
+ PF_MD5_UPD_HTONS(rule, return_icmp, x);
+ PF_MD5_UPD_HTONS(rule, return_icmp6, x);
+ PF_MD5_UPD_HTONS(rule, max_mss, x);
+ PF_MD5_UPD_HTONS(rule, tag, x); /* dup? */
+ PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */
+ PF_MD5_UPD_HTONS(rule, scrub_flags, x);
+
+ PF_MD5_UPD(rule, uid.op);
PF_MD5_UPD_HTONL(rule, uid.uid[0], y);
PF_MD5_UPD_HTONL(rule, uid.uid[1], y);
- PF_MD5_UPD(rule, uid.op);
+ PF_MD5_UPD(rule, gid.op);
PF_MD5_UPD_HTONL(rule, gid.gid[0], y);
PF_MD5_UPD_HTONL(rule, gid.gid[1], y);
- PF_MD5_UPD(rule, gid.op);
+
PF_MD5_UPD_HTONL(rule, rule_flag, y);
+ PF_MD5_UPD_HTONL(rule, rule_ref, y);
PF_MD5_UPD(rule, action);
PF_MD5_UPD(rule, direction);
- PF_MD5_UPD(rule, af);
+ PF_MD5_UPD(rule, log);
+ PF_MD5_UPD(rule, logif);
PF_MD5_UPD(rule, quick);
PF_MD5_UPD(rule, ifnot);
PF_MD5_UPD(rule, match_tag_not);
PF_MD5_UPD(rule, natpass);
+
PF_MD5_UPD(rule, keep_state);
+ PF_MD5_UPD(rule, af);
PF_MD5_UPD(rule, proto);
- PF_MD5_UPD(rule, type);
- PF_MD5_UPD(rule, code);
+ PF_MD5_UPD_HTONS(rule, type, x);
+ PF_MD5_UPD_HTONS(rule, code, x);
PF_MD5_UPD(rule, flags);
PF_MD5_UPD(rule, flagset);
+ PF_MD5_UPD(rule, min_ttl);
PF_MD5_UPD(rule, allow_opts);
PF_MD5_UPD(rule, rt);
+ PF_MD5_UPD(rule, return_ttl);
PF_MD5_UPD(rule, tos);
- PF_MD5_UPD(rule, scrub_flags);
- PF_MD5_UPD(rule, min_ttl);
PF_MD5_UPD(rule, set_tos);
+ PF_MD5_UPD(rule, anchor_relative);
+ PF_MD5_UPD(rule, anchor_wildcard);
+
+ PF_MD5_UPD(rule, flush);
+ PF_MD5_UPD(rule, prio);
+ PF_MD5_UPD(rule, set_prio[0]);
+ PF_MD5_UPD(rule, set_prio[1]);
+
+ PF_MD5_UPD(rule, divert.addr);
+ PF_MD5_UPD_HTONS(rule, divert.port, x);
+
if (rule->anchor != NULL)
PF_MD5_UPD_STR(rule, anchor->path);
}
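Review bot: The rule hash remains a hand-maintained enumeration of `struct pf_krule` fields, which is exactly how the gap this commit closes crept in; nothing here stops the next field added to the rule from being left out again. I would put the invariant in a header comment, e.g. `/* Every rule field that is set from userland and influences matching or state creation must be folded in here; pfsync relies on identical rulesets producing identical digests. */`, and pin the userland ABI with a compile-time check such as `_Static_assert(sizeof(struct pf_rule) == N, "update pf_hash_rule_rolling()")` with N the current size, so that growing the struct fails the build until this function is revisited. The two `/* dup? */` markers on `tag` and `match_tag` survive the rewrite unresolved; either drop the duplicate or say what it duplicates. Fields that 14.x may carry but that do not appear in this list (`rcv_ifname` if the branch has received-on, the packet-rate threshold if present) should be checked against pfvar.h; the function's opening lines, including the hashing of `rule->src`, are above the hunk.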