The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=57c652dfa1c08a361e29b7edb7fe05b63ffae235

commit 57c652dfa1c08a361e29b7edb7fe05b63ffae235
Author: Damir Bikmuhametov <b...@ufanet.ru>
AuthorDate: 2025-06-26 17:26:14 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2025-07-12 07:50:55 +0000

pf: fix ICMP ECHO handling of ID conflicts

After applying FreeBSD-SA-24:05.pf, a problem with ICMP ECHO passing through PF NAT was raised: two or more Windows workstations cannot ping the same destination address at the same time. More precisely, only one workstation pings normally, while the pings of the others are rejected by the packet filter.

The thing is that Windows always uses the same ICMP ID (1). Therefore, the state is created only for the workstation that started pinging earlier.

In the pf_get_sport() function, we compare *nport with the ICMP_ECHO constant, while icmptype (virtual_type actually) is passed in the pd->ndport parameter.

MFC after: 2 weeks
Reviewed by: kp

(cherry picked from commit e7abf8829d8d496a8753946f67fb2016851b4f7c)

--- sys/netpfil/pf/pf_lb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 2571a0c5312e..001f26c13d48 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -223,7 +223,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_krule *r, return (1); if (proto == IPPROTO_ICMP) { - if (*nport == htons(ICMP_ECHO)) { + if (dport == htons(ICMP_ECHO)) { low = 1; high = 65535; } else @@ -231,7 +231,7 @@ pf_get_sport(sa_family_t af, u_int8_t proto, struct pf_krule *r, } #ifdef INET6 if (proto == IPPROTO_ICMPV6) { - if (*nport == htons(ICMP6_ECHO_REQUEST)) { + if (dport == htons(ICMP6_ECHO_REQUEST)) { low = 1; high = 65535; } else
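
Review bot: In the first hunk (the `IPPROTO_ICMP` branch of pf_get_sport()), `dport == htons(ICMP_ECHO)` tests a variable named like a destination port against an ICMP type, and nothing at the comparison says why that is right. The commit message explains that the ICMP type (the virtual type) arrives through pd->ndport; a one-line comment at this test saying that dport carries the ICMP type for ICMP, and that *nport is not the value to test, would keep a later cleanup from restoring the old comparison. The message names pd->ndport while the code tests dport, so the description should also state that these are the same value.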
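
Review bot: The second hunk (the `IPPROTO_ICMPV6` branch under `#ifdef INET6`) makes the same substitution for `ICMP6_ECHO_REQUEST`, yet the diffstat shows only sys/netpfil/pf/pf_lb.c changing, so no regression test accompanies the fix. The reported failure is specific (two hosts behind NAT pinging the same destination with the same ICMP ID), and the commit message describes it only for ICMP ECHO; a test that reproduces it for both ICMP and ICMPv6 would exercise both branches and confirm that the ICMPv6 path was affected in the same way.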