HardenedBSD Services pushed to branch hardened/current/cross-dso-cfi at HardenedBSD / HardenedBSD
Commits:
2e769935 by Kristof Provost at 2025-12-26T10:58:59+01:00
pf: don't reject route-to'd too-large packets
If we're sending a packet via pf_route()/pf_route6() we check for packet
size and potentially generate ICMP(6) packet too big messages. If we do,
don't consider this a rejected packet. That is, return PF_PASS and set
the mbuf to NULL rather than returning PF_DROP.
This matters for locally generated packets, because with PF_DROP we
can end up returning EACCES to userspace, causing the connection to
terminate. Instead, with PF_PASS and a NULL mbuf this is translated to
PFIL_CONSUMED, which does not return an error to userspace.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
- - - - -
eaa424e3 by Simon Wollwage at 2025-12-26T11:50:37+01:00
snmp_pf: remove errno usage after pfctl_get_status_h change
pfctl_get_status_h() does not set errno, so don't log it.
PR: 291936
Reviewed by: kp
- - - - -
df2e9ecf by HardenedBSD Sync Services at 2025-12-26T06:01:31-07:00
Merge branch 'freebsd/current/main' into hardened/current/master
- - - - -
c66cb444 by HardenedBSD Sync Services at 2025-12-26T06:01:45-07:00
Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
- - - - -
2 changed files:
- sys/netpfil/pf/pf.c
- usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
Changes:
=====================================
sys/netpfil/pf/pf.c
=====================================
@@ -9371,7 +9371,8 @@ pf_route(struct pf_krule *r, struct ifnet *oifp,
ifp->if_mtu, pd->af, r, pd->act.rtableid);
}
SDT_PROBE1(pf, ip, route_to, drop, __LINE__);
- action = PF_DROP;
+ /* Return pass, so we return PFIL_CONSUMED to the stack. */
+ action = PF_PASS;
goto bad;
}
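Review bot: the closing brace at the top of this hunk shows that pf_send_icmp() is inside a conditional, while the new `action = PF_PASS;` applies unconditionally; when that condition is false a too-large locally generated packet is now consumed with neither an error to the sender nor a Packet Too Big / Need Frag message, where before it at least surfaced as EACCES. The commit message should say whether that silent case is intended. Also, `SDT_PROBE1(pf, ip, route_to, drop, __LINE__)` still fires on this path even though the verdict is now PF_PASS, so DTrace consumers counting route-to drops will count consumed packets; either fire a differently named probe here or extend the new comment to say the probe name is historical. Finally, the hunk only changes `action`; the `goto bad` path must still free `m0` and leave the caller with a NULL mbuf for the PFIL_CONSUMED translation described in the commit message to hold, so it is worth stating in the description that `bad:` does this regardless of `action`.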
@@ -9693,7 +9694,8 @@ pf_route6(struct pf_krule *r, struct ifnet *oifp,
pf_send_icmp(m0, ICMP6_PACKET_TOO_BIG, 0,
ifp->if_mtu, pd->af, r, pd->act.rtableid);
}
- action = PF_DROP;
+ /* Return pass, so we return PFIL_CONSUMED to the stack. */
+ action = PF_PASS;
SDT_PROBE1(pf, ip6, route_to, drop, __LINE__);
goto bad;
}
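Review bot: the comment and `action = PF_PASS;` are inserted above `SDT_PROBE1(pf, ip6, route_to, drop, __LINE__)` here but below the corresponding probe in the pf_route() hunk, so the two functions now differ in statement order for no reason; pick one order for both (the IPv4 hunk keeps the probe first) so future diffs between pf_route() and pf_route6() stay minimal. The same two points as for IPv4 apply: the `ip6:route_to:drop` probe now fires for a PF_PASS verdict, and since pf_send_icmp(ICMP6_PACKET_TOO_BIG, ...) sits inside the conditional block closed at the top of the hunk, the packet is consumed without any ICMPv6 feedback when that condition is false.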
=====================================
usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
=====================================
@@ -1288,8 +1288,7 @@ pfs_refresh(void)
pfs = pfctl_get_status_h(pfh);
if (pfs == NULL) {
- syslog(LOG_ERR, "pfs_refresh(): ioctl(): %s",
- strerror(errno));
+ syslog(LOG_ERR, "pfs_refresh(): pfctl_get_status failure");
return (-1);
}
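Review bot: the new log message names `pfctl_get_status` but the call on the line above is `pfctl_get_status_h()`; log the function actually called so the message can be grepped back to this site, e.g. `syslog(LOG_ERR, "pfs_refresh(): pfctl_get_status_h() failed");`. Dropping strerror(errno) is correct given that the function does not set errno (and the old "ioctl()" wording was already misleading), but the message now carries no reason at all; if libpfctl exposes any error detail for this call, this is where it belongs.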
View it on GitLab:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/compare/8e4ad6f0b8441245e2bafded48430f54eaecf213...c66cb444266ac0a00beda88759b70e89d39037b0
--
You're receiving this email because of your account on
git.hardenedbsd.org.