Date: Wed, 23 Apr 2025 11:56:56 GMT
Message-Id: <202504231156.53NBuuZp075765@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: fa6330030b93 - main - pf: move pf_change_icmp_af() call for TCP/UDP in ICMP
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: fa6330030b935c6a8505890fb019a963fa6f0036

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=fa6330030b935c6a8505890fb019a963fa6f0036

commit fa6330030b935c6a8505890fb019a963fa6f0036
Author:     Kristof Provost
AuthorDate: 2025-04-22 14:34:40 +0000
Commit:     Kristof Provost
CommitDate: 2025-04-23 08:15:09 +0000

    pf: move pf_change_icmp_af() call for TCP/UDP in ICMP

    The checksum of an ICMP "need to frag" packet for TCP was wrong when
    created from an ICMP6 "too big" packet.  The function pf_change_icmp_af()
    has code to adjust the pseudo-header checksum in the ICMP6 case,
    but pf_test_state_icmp() changed the proto before the case was
    entered.  So call pf_change_icmp_af() before the pd->proto is
    converted in the TCP and UDP payload case like it was already done
    for ICMP and ICMP6 payload.
    Found by sys/net/pf_forward regress test; OK henning@

    Note that we fully recalculate ICMP checksums in pf_translate_af(), so
    this does not result in any functional changes on FreeBSD. It is
    imported to reduce the diff with OpenBSD.

    Obtained from:  OpenBSD, bluhm, 50188ace62
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
--- sys/netpfil/pf/pf.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index a154e0c7b446..06ced7b055b3 100644 --- a/sys/netpfil/pf/pf.c 
+++ b/sys/netpfil/pf/pf.c @@ -7987,6 +7987,11 @@ pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd, m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), (c_caddr_t)&pd->hdr.icmp6); + if (pf_change_icmp_af(pd->m, ipoff2, pd, + &pd2, &nk->addr[sidx], + &nk->addr[didx], pd->af, + nk->af)) + return (PF_DROP); PF_ACPY(&pd->nsaddr, &nk->addr[pd2.sidx], nk->af); PF_ACPY(&pd->ndaddr, @@ -8006,11 +8011,6 @@ pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd, pd->src->addr32[0]; } pd->naf = pd2.naf = nk->af; - if (pf_change_icmp_af(pd->m, ipoff2, pd, - &pd2, &nk->addr[sidx], - &nk->addr[didx], pd->af, - nk->af)) - return (PF_DROP); pf_change_ap(&pd2, pd2.src, &th->th_sport, &nk->addr[pd2.sidx], nk->port[sidx]); pf_change_ap(&pd2, pd2.dst, &th->th_dport, @@ -8119,6 +8119,11 @@ pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd, m_copyback(pd->m, pd->off, sizeof(struct icmp6_hdr), (c_caddr_t)&pd->hdr.icmp6); + if (pf_change_icmp_af(pd->m, ipoff2, pd, + &pd2, &nk->addr[sidx], + &nk->addr[didx], pd->af, + nk->af)) + return (PF_DROP); PF_ACPY(&pd->nsaddr, &nk->addr[pd2.sidx], nk->af); PF_ACPY(&pd->ndaddr, @@ -8138,11 +8143,6 @@ pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd, pd->src->addr32[0]; } pd->naf = pd2.naf = nk->af; - if (pf_change_icmp_af(pd->m, ipoff2, pd, - &pd2, &nk->addr[sidx], - &nk->addr[didx], pd->af, - nk->af)) - return (PF_DROP); pf_change_ap(&pd2, pd2.src, &uh->uh_sport, &nk->addr[pd2.sidx], nk->port[sidx]); pf_change_ap(&pd2, pd2.dst, &uh->uh_dport,
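Review bot: the call added in the first hunk (@@ -7987, the TCP payload case), directly after the m_copyback() of the icmp6 header, has no comment explaining why it must sit at that position. The commit message says pf_change_icmp_af() has to run before pd->proto is converted so that its ICMP6 pseudo-header checksum adjustment still applies; a one-line comment above `if (pf_change_icmp_af(pd->m, ipoff2, pd,` stating that ordering requirement would keep a later reshuffle of this block from silently undoing the fix.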
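Review bot: in the second hunk (@@ -8006), removing the call from below `pd->naf = pd2.naf = nk->af;` means pf_change_icmp_af() now runs before that assignment and before the PF_ACPY() updates of pd->nsaddr and pd->ndaddr, where it previously ran after them. The call is passed pd->af and nk->af explicitly, which suggests it does not depend on those fields, but it also receives pd and &pd2, so please confirm that it reads neither naf nor nsaddr/ndaddr through those pointers.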
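Review bot: the third hunk (@@ -8119, the UDP payload case) makes the same move, but the commit message only describes the wrong checksum for a TCP payload. Since the message also states that pf_translate_af() recalculates ICMP checksums and that no functional change is expected on FreeBSD, a regression test for a UDP packet quoted inside an ICMP6 "too big" message passing through address-family translation, or a note naming the existing test that covers it, would back that claim for this branch as well.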