MFC r289932, r289940:

PF_ANEQ() macro will in most situations returns TRUE comparing two identical
IPv4 packets (when it should return FALSE). It happens because PF_ANEQ() doesn't
stop if first 32 bits of IPv4 packets are equal and starts to check next 3*32
bits (like for IPv6 packet). Those bits containt some garbage and in result
PF_ANEQ() wrongly returns TRUE.

Fix: Check if packet is of AF_INET type and if it is then compare only first 32
bits of data.

PR:             204005
Submitted by:   Miłosz Kaniewski

1 files changed, 3 insertions, 2 deletions

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index ae5ecb9..9fb4581 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -198,10 +198,11 @@ extern struct rwlock pf_rules_lock;
 	(a)->addr32[0] == (b)->addr32[0])) \
 
 #define PF_ANEQ(a, b, c) \
-	((a)->addr32[0] != (b)->addr32[0] || \
+	((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \
+	(c == AF_INET6 && ((a)->addr32[0] != (b)->addr32[0] || \
 	(a)->addr32[1] != (b)->addr32[1] || \
 	(a)->addr32[2] != (b)->addr32[2] || \
-	(a)->addr32[3] != (b)->addr32[3]) \
+	(a)->addr32[3] != (b)->addr32[3]))) \
 
 #define PF_AZERO(a, c) \
 	((c == AF_INET && !(a)->addr32[0]) || \