Date: Fri, 22 Jun 2018 21:59:48 +0000 From: bugzilla-noreply@freebsd.org To: pf@FreeBSD.org Subject: [Bug 226850] [pf] Matching but failed rules block without return Message-ID: <bug-226850-16861-ohvljmnfCJ@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-226850-16861@https.bugs.freebsd.org/bugzilla/> References: <bug-226850-16861@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D226850 --- Comment #22 from commit-hook@freebsd.org --- A commit references this bug: Author: kp Date: Fri Jun 22 21:59:31 UTC 2018 New revision: 335569 URL: https://svnweb.freebsd.org/changeset/base/335569 Log: pf: Support "return" statements in passing rules when they fail. Normally pf rules are expected to do one of two things: pass the traffic = or block it. Blocking can be silent - "drop", or loud - "return", "return-rs= t", "return-icmp". Yet there is a 3rd category of traffic passing through pf: Packets matching a "pass" rule but when applying the rule fails. This hap= pens when redirection table is empty or when src node or state creation fails. Such rules always fail silently without notifying the sender. Allow users to configure this behaviour too, so that pf returns an error packet in these cases. PR: 226850 Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net> MFC after: 1 week Sponsored by: InnoGames GmbH Changes: head/sbin/pfctl/parse.y head/share/man/man5/pf.conf.5 head/sys/netpfil/pf/pf.c --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-226850-16861-ohvljmnfCJ>