af-nat of ICMP error messages leaves IP header ttl 0
Hello,
On Tue, Nov 05, 2024 at 04:14:24PM +0100, Alexander Bluhm wrote:
> On Sun, Aug 25, 2024 at 02:07:21PM +0200, Alexandr Nedvedicky wrote:
</snip>
> > The function pf_change_icmp_af() receives two pf_pdesc arguments,
> > pd and pd2. The ttl for the packet header is grabbed from pd2;
> > the ttl member in pd2 is zero. The one-liner below fixes that.
> > I believe it fixes af-nat of ICMP error handling for TCP
> > and UDP ICMP error payloads too.
> >
> > OK to commit?
>
> pd->ttl is the outer ttl. You need the inner ttl in pd2.
> Try this
>
> case AF_INET:
> ...
> pd2->ttl = h2.ip_ttl;
> case AF_INET6:
> ...
> pd2->ttl = h2_6.ip6_hlim;
>
> bluhm
yes, you are right. updated diff is below.
thanks for spotting that.
regards
sashan
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 29aee94f42f..cf4cbba48bd 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -5753,6 +5753,7 @@ pf_test_state_icmp(struct pf_pdesc *pd, struct pf_state **stp,
return (PF_DROP);
pd2.tot_len = ntohs(h2.ip_len);
+ pd2.ttl = h2.ip_ttl;
pd2.src = (struct pf_addr *)&h2.ip_src;
pd2.dst = (struct pf_addr *)&h2.ip_dst;
break;
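Review bot: the assignment is correctly placed after the `return (PF_DROP)` length check, so h2 has been validated before h2.ip_ttl is read, and it sits next to the other inner-header fields (tot_len, src, dst) copied into pd2. Since the thread reports that pd2.ttl was simply never filled in here, the only thing to check is that no other path that builds pd2 for the ICMP payload still leaves ttl at zero; this hunk covers just the AF_INET case in pf_test_state_icmp.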
@@ -5773,6 +5774,7 @@ pf_test_state_icmp(struct pf_pdesc *pd, struct pf_state **stp,
pd2.tot_len = ntohs(h2_6.ip6_plen) +
sizeof(struct ip6_hdr);
+ pd2.ttl = h2_6.ip6_hlim;
pd2.src = (struct pf_addr *)&h2_6.ip6_src;
pd2.dst = (struct pf_addr *)&h2_6.ip6_dst;
break;
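Review bot: using ip6_hlim here is the right IPv6 analogue of ip_ttl, and the placement after the tot_len computation mirrors the AF_INET hunk. Because the generic pd2.ttl field is what pf_change_icmp_af() later writes into the translated inner header (ttl for v4, hop limit for v6), a short comment on this line noting that ttl carries the inner hop limit would spare the next reader a trip back to this thread.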