issue with ICMP with PF and nat and latest 14.1

From: Benoit Chesneau <bchesneau_at_icloud.com>
Date: Wed, 18 Sep 2024 21:34:16 UTC
Hi,

It seems that since the latest update of PF in FreeBSD 14.1, mtr doesn't provide a correct trace using the default. It works with the `--udp` and `-T` options, so it doesn't seem to be an issue with the next hop. Also, mtr works perfectly on the firewall machine. The issue only happens on the NATed machines on the LAN behind it. No issue with IPv6.

I tried to change the config or pass everything but I still reproduce the issue. Any idea to troubleshoot/fix it is welcome :)


Example of a trace:

```
MacBook-Pro-de-Benoit-8.local (10.0.1.62) -> 1.1.1.1 (1.1.1.1)                                                              2024-09-18T11:32:29+0200Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                                                                                          Packets               Pings
Host                                                                                                     Loss%   Snt   Last   Avg  Best  Wrst StDev
1. 10.0.1.1                                                                                               0.0%    11    4.7   6.4   3.6  22.6   5.7
2. (waiting for reply)
3. (waiting for reply)
4. (waiting for reply)
5. (waiting for reply)
6. one.one.one.one                                                                                        0.0%    10    6.8   6.6   5.6  11.7   1.8
```

The configuration of PF is the following:

```
table <lan> persist file "/etc/pf/lan.tbl"
IP_OUT = "<EDITED>"

ext_if = "vlan200"
vlan_ifs = "{ vlan10, vlan20, vlan30, vlan31, vlan110, vlan120 }"

# Macros
set block-policy drop
set skip on lo

# Options
scrub in all fragment reassemble  # Normalize and reassemble fragmented packets
#scrub in all

# nat
nat from <lan> to !<lan> -> $IP_OUT

# Explicitly block unroutable addresses
antispoof quick for ($ext_if)
#pass proto icmp all

# Drop invalid packets
block in quick on $ext_if inet proto tcp all flags FUP/FUP    # Dropping invalid TCP packets
block in quick on $ext_if inet proto tcp all flags S/SAFRUP   # Dropping weird flags

# Allow all outgoing traffic from the internal network (LAN)
pass out on $ext_if from any to any keep state

# Allow incoming established and related connections (untracked)
pass in on $ext_if proto tcp from any to any flags S/SA modulate state
pass in on $ext_if proto { udp, icmp, icmp6 } from any to any keep state

# Allow ICMP traffic for mtr (Echo Request, Echo Reply, Time Exceeded)
pass in inet proto icmp icmp-type { echoreq, echorep, timex } keep state
pass out inet proto icmp icmp-type { echoreq, echorep, timex } keep state
```

I also tried a simpler version:

```
# Allow all outgoing traffic
pass out on $ext_if all

# Allow all incoming ICMP
pass in inet proto icmp from any to any
```

While there are no errors, mtr on the LAN still doesn't work. I have also tried to log it:

```
pass in log proto icmp all
```

but no log appears. I am clueless right now. It seems the error is related to `ICMP time exceeded in-transit`, but I thought the issue would be solved by the configuration below. What am I missing?

Benoît
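The mechanism behind the `ICMP time exceeded in-transit` symptom, as an added example that is not part of the original post or of pf's own code: a minimal Python model of how a stateful NAT gateway matches an ICMP error against the quoted inner header of the outbound probe (not against a fresh `pass in proto icmp` rule) and rewrites it back to the LAN host, dropping it silently when no state matches. The NAT address 198.51.100.7 and hop router 203.0.113.1 are constructed, and IP/ICMP checksums are left at zero.

```python
import struct
from ipaddress import ip_address

ICMP_ECHO, ICMP_TIME_EXCEEDED = 8, 11

def ip4_header(src, dst, proto, total_len, ttl=64):
    # Minimal 20-byte IPv4 header; checksum left at 0 in this model.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ip_address(src).packed, ip_address(dst).packed)

def echo_probe(src, dst, ident, seq, ttl):
    # An mtr-style ICMP echo probe with a deliberately small TTL.
    icmp = struct.pack("!BBHHH", ICMP_ECHO, 0, 0, ident, seq)
    return ip4_header(src, dst, 1, 20 + len(icmp), ttl) + icmp

def time_exceeded(router, victim, original):
    # RFC 792: the error quotes the original IP header plus 8 bytes of its payload.
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + original[:28]
    return ip4_header(router, victim, 1, 20 + len(icmp)) + icmp

def parse_inner(pkt):
    # (src, dst, proto, icmp ident) of the quoted echo probe inside an ICMP error.
    inner = pkt[28:]
    return (str(ip_address(inner[12:16])), str(ip_address(inner[16:20])),
            inner[9], struct.unpack("!H", inner[24:26])[0])

def nat_outbound(pkt, nat_ip, states):
    # Source-NAT the probe and record state keyed the way the reply is looked up.
    src, dst = str(ip_address(pkt[12:16])), str(ip_address(pkt[16:20]))
    states[(nat_ip, dst, pkt[9], struct.unpack("!H", pkt[24:26])[0])] = src
    return ip4_header(nat_ip, dst, pkt[9], len(pkt), pkt[8]) + pkt[20:]

def nat_inbound_error(pkt, states):
    # Reverse-translate an ICMP error by its *quoted* header, not its outer one.
    if pkt[9] != 1 or pkt[20] != ICMP_TIME_EXCEEDED:
        return None
    lan_host = states.get(parse_inner(pkt))
    if lan_host is None:
        return None  # no matching state: a stateful NAT drops the error silently
    inner = pkt[28:]
    inner = inner[:12] + ip_address(lan_host).packed + inner[16:]
    return ip4_header(str(ip_address(pkt[12:16])), lan_host, 1, len(pkt)) + pkt[20:28] + inner

def demo():
    # Probe from the LAN host leaves via NAT, a hop router answers, NAT maps it back.
    states = {}
    on_wire = nat_outbound(echo_probe("10.0.1.62", "1.1.1.1", 0x1234, 2, 2), "198.51.100.7", states)
    error = time_exceeded("203.0.113.1", "198.51.100.7", on_wire)
    return nat_inbound_error(error, states)
```

If the error's quoted header does not match any recorded state (for example because the hop router or a middlebox mangled the quoted bytes), the gateway returns nothing and the LAN host sees `(waiting for reply)` exactly as in the trace above.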