[Bug 207598] pf adds icmp unreach on gre/ipsec somehow
bugzilla-noreply at freebsd.org
Sun May 29 08:35:39 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598
--- Comment #27 from Kristof Provost <kp at freebsd.org> ---
(In reply to Max from comment #26)
I think what we need to do is very carefully go through all the return paths in
pf.
There's basically three scenarios:
 * Accept packet (modified or not)
   => return PF_PASS, *m0 is the mbuf
 * Reject the packet (i.e. tell the stack it couldn't be sent)
   => return PF_DROP
 * Drop the packet (i.e. it vanishes, do not tell the stack it couldn't be sent)
   => return PF_PASS, *m0 is NULL.
The pf_isfull_fragment() check needs to return PF_PASS (with *m0 == NULL),
because the packet was just buffered until we have the full (reassembled)
packet. It's not been rejected.
The if (m == NULL) check is really required, because we do set *m0 to NULL
during reassembly.
--
You are receiving this mail because:
You are the assignee for the bug.
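
The three outcomes listed in the comment above, modelled in userspace C as an added example (not pf source and not part of the original message). Only the names PF_PASS and PF_DROP come from the comment; their values, the packet struct, the toy_* functions and the fragment queue are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy userspace model. Only the names PF_PASS and PF_DROP come from the
 * comment; their values and every other identifier are hypothetical. */
enum { PF_PASS, PF_DROP };
enum outcome { FORWARDED, REJECTED, CONSUMED };
struct pkt { int is_frag, last_frag, blocked; };
#define MAXHELD 8
static struct pkt *held[MAXHELD];   /* fragments awaiting reassembly */
static int nheld;

static struct pkt *mk(int is_frag, int last_frag, int blocked) {
    struct pkt *p = malloc(sizeof(*p));
    if (p == NULL) abort();
    p->is_frag = is_frag; p->last_frag = last_frag; p->blocked = blocked;
    return p;
}

/* Filter hook: returns a verdict and may take ownership of *m0. */
static int toy_filter(struct pkt **m0) {
    struct pkt *m = *m0;
    if (m->blocked)
        return PF_DROP;                 /* reject: caller frees, reports failure */
    if (m->is_frag && !m->last_frag) {
        if (nheld == MAXHELD)
            return PF_DROP;             /* queue full: a real rejection */
        held[nheld++] = m;              /* buffered, filter now owns it */
        *m0 = NULL;
        return PF_PASS;                 /* vanished, but not rejected */
    }
    while (m->is_frag && nheld > 0)     /* last fragment: release the queue; */
        free(held[--nheld]);            /* m stands in for the reassembled packet */
    return PF_PASS;
}

/* Caller: must test the verdict first, then whether a packet is left. */
static enum outcome toy_output(struct pkt *m) {
    if (toy_filter(&m) != PF_PASS) {
        free(m);
        return REJECTED;                /* stack is told the send failed */
    }
    if (m == NULL)
        return CONSUMED;                /* nothing to forward, no error raised */
    free(m);                            /* stands in for passing the packet on */
    return FORWARDED;
}

int main(void) {
    printf("%d %d %d\n", toy_output(mk(0, 0, 0)), toy_output(mk(0, 0, 1)),
           toy_output(mk(1, 0, 0)));
    return 0;
}
```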