[Bug 207598] pf adds icmp unreach on gre/ipsec somehow
bugzilla-noreply at freebsd.org
Fri Jun 10 14:35:24 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598
Kristof Provost <kp at freebsd.org> changed:
What                           |Removed |Added
----------------------------------------------------------------------------
Attachment #170747 is obsolete |0       |1
--- Comment #29 from Kristof Provost <kp at freebsd.org> ---
Created attachment 171268
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=171268&action=edit
pf error returns
Hmm. I might be making this harder than it needs to be.
If the netpfil hook returns EACCESS ip_forward() won't actually generate an
ICMP error message.
The problem is that PF returns PF_PASS, PF_DROP, ... instead of the error codes
the stack expects.
Can you test this patch?
It's interesting that this doesn't seem to be as big a problem on CURRENT,
because the fast forwarding code (ip_tryforward()) doesn't generate ICMP errors
for netpfil() errors.