git: aa790af10a9a - main - pf(4) when doing af-to translation for ICMP protocol sends packets with TTL field to zero. To fix it function pf_test_state_icmp() must initialize ttl field in pf_pdesc structure for inner packet.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 02 Sep 2025 21:10:55 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=aa790af10a9a2ce36ca0b2bc445a01431b8bc0c4
commit aa790af10a9a2ce36ca0b2bc445a01431b8bc0c4
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2025-08-25 08:01:49 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2025-09-02 21:10:20 +0000
pf(4) when doing af-to translation for ICMP protocol sends packets
with TTL field to zero. To fix it function pf_test_state_icmp()
must initialize ttl field in pf_pdesc structure for inner packet.
feedback from bluhm@
OK bluhm@
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 0d48c46cfe
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/netpfil/pf/pf.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index e9b73827aa7d..d15a16c54f81 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8048,6 +8048,7 @@ pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd,
return (PF_DROP);
pd2.tot_len = ntohs(h2.ip_len);
+ pd2.ttl = h2.ip_ttl;
pd2.src = (struct pf_addr *)&h2.ip_src;
pd2.dst = (struct pf_addr *)&h2.ip_dst;
pd2.ip_sum = &h2.ip_sum;
@@ -8070,6 +8071,7 @@ pf_test_state_icmp(struct pf_kstate **state, struct pf_pdesc *pd,
pd2.tot_len = ntohs(h2_6.ip6_plen) +
sizeof(struct ip6_hdr);
+ pd2.ttl = h2_6.ip6_hlim;
pd2.src = (struct pf_addr *)&h2_6.ip6_src;
pd2.dst = (struct pf_addr *)&h2_6.ip6_dst;
pd2.ip_sum = NULL;