
Commit 49f3904

author
phessler
committed
Relax the "pass all" rule so all forms of neighbor advertisements are allowed
in either direction. This more closely matches the IPv4 ARP behaviour. From sashan@ discussed with kn@ deraadt@
1 parent a4301a1 commit 49f3904


1 file changed

+30
-2
lines changed


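--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1173 2023/03/23 01:41:12 jsg Exp $ */
+/* $OpenBSD: pf.c,v 1.1174 2023/04/28 14:08:34 phessler Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -2608,6 +2608,18 @@ pf_icmp_mapping(struct pf_pdesc *pd, u_int8_t type, int *icmp_dir,
 nd->nd_ns_target.s6_addr32[2] ^
 nd->nd_ns_target.s6_addr32[3];
 *virtual_id = (h >> 16) ^ (h & 0xffff);
+/*
+ * the extra work here deals with 'keep state' option
+ * at pass rule for unsolicited advertisement. By
+ * returning 1 (state_icmp = 1) we override 'keep
+ * state' to 'no state' so we don't create state for
+ * unsolicited advertisements. No one expects answer to
+ * unsolicited advertisements so we should be good.
+ */
+if (type == ND_NEIGHBOR_ADVERT) {
+*virtual_type = htons(*virtual_type);
+return (1);
+}
 break;
 }
 
@@ -4061,7 +4073,6 @@ pf_match_rule(struct pf_test_ctx *ctx, struct pf_ruleset *ruleset)
 break;
 
 case IPPROTO_ICMP:
-case IPPROTO_ICMPV6:
 /* icmp only. type always 0 in other cases */
 PF_TEST_ATTRIB((r->type &&
 r->type != ctx->icmptype + 1),
@@ -4077,6 +4088,23 @@ pf_match_rule(struct pf_test_ctx *ctx, struct pf_ruleset *ruleset)
 TAILQ_NEXT(r, entries));
 break;
 
+case IPPROTO_ICMPV6:
+/* icmp only. type always 0 in other cases */
+PF_TEST_ATTRIB((r->type &&
+r->type != ctx->icmptype + 1),
+TAILQ_NEXT(r, entries));
+/* icmp only. type always 0 in other cases */
+PF_TEST_ATTRIB((r->code &&
+r->code != ctx->icmpcode + 1),
+TAILQ_NEXT(r, entries));
+/* icmp only. don't create states on replies */
+PF_TEST_ATTRIB((r->keep_state && !ctx->state_icmp &&
+(r->rule_flag & PFRULE_STATESLOPPY) == 0 &&
+ctx->icmp_dir != PF_IN &&
+ctx->icmptype != ND_NEIGHBOR_ADVERT),
+TAILQ_NEXT(r, entries));
+break;
+
 default:
 break;
 }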
