The branch stable/14 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=0f15030a6eb6e4e0d7f22bffa27eb9be9ab233f8

commit 0f15030a6eb6e4e0d7f22bffa27eb9be9ab233f8
Author:     Damir Bikmuhametov <b...@ufanet.ru>
AuthorDate: 2025-06-26 17:26:14 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-07-12 07:50:18 +0000

    pf: fix ICMP ECHO handling of ID conflicts
    
    After applying FreeBSD-SA-24:05.pf, a problem with ICMP ECHO passing
    through PF NAT was raised: two or more Windows workstations cannot ping
    the same destination address at the same time. More precisely, only one
    workstation pings normally, while the pings of the others are rejected
    by the packet filter.
    
    The thing is that Windows always uses the same ICMP ID (1). Therefore,
    the state is created only for the workstation that started pinging
    earlier.
    
    In the pf_get_sport() function, we compare *nport with the ICMP_ECHO
    constant, while icmptype (virtual_type actually) is passed in the
    pd->ndport parameter.
    
    MFC after:      2 weeks
    Reviewed by:    kp
    
    (cherry picked from commit e7abf8829d8d496a8753946f67fb2016851b4f7c)
---
 sys/netpfil/pf/pf_lb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
index 2623a22db86b..a9cbc71cb5f4 100644
--- a/sys/netpfil/pf/pf_lb.c
+++ b/sys/netpfil/pf/pf_lb.c
@@ -233,7 +233,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct 
pf_krule *r,
                return (1);
 
        if (proto == IPPROTO_ICMP) {
-               if (*nport == htons(ICMP_ECHO)) {
+               if (dport == htons(ICMP_ECHO)) {
                        low = 1;
                        high = 65535;
                } else
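Review bot: the condition on the changed line now reads `dport == htons(ICMP_ECHO)`, but `dport` is not visible anywhere in this hunk's context and the `@@` header is truncated before the parameter list, so a reader of the diff cannot confirm that `dport` is the parameter that carries pd->ndport (the ICMP virtual type) rather than another port value; a one-line comment above the `if`, along the lines of "for ICMP, dport holds the ICMP type and *nport the echo ID", would make the intent explicit and guard against the same mix-up recurring. The old comparison against `*nport` (the echo ID) could only be true when the ID happened to equal ICMP_ECHO (8), so with Windows' fixed ID of 1 the `low = 1; high = 65535;` range was never selected and the ID was left untranslated, which is exactly the collision the commit message describes; it would be worth stating that consequence in the comment, and adding a regression test that sends echo requests from two NAT clients using the same ID and checks that both get replies.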
@@ -241,7 +241,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct 
pf_krule *r,
        }
 #ifdef INET6
        if (proto == IPPROTO_ICMPV6) {
-               if (*nport == htons(ICMP6_ECHO_REQUEST)) {
+               if (dport == htons(ICMP6_ECHO_REQUEST)) {
                        low = 1;
                        high = 65535;
                } else
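Review bot: this hunk mirrors the ICMP change for ICMPv6, comparing `dport` against `htons(ICMP6_ECHO_REQUEST)`, and the same concern applies: nothing in the visible context shows that `dport` is in network byte order like `*nport` was, so the `htons()` on the constant is only correct if the caller passes pd->ndport unconverted; confirm that at the call site and note it in the same comment suggested for the IPv4 branch. Since the two blocks are now identical apart from the protocol and type constant, consider a small shared helper (or at least keeping both branches adjacent and annotated) so a future fix to one cannot again diverge from the other.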
