Date: Sun, 29 May 2016 08:35:39 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Message-ID: <bug-207598-17777-vT9Ge1pRaJ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-207598-17777@https.bugs.freebsd.org/bugzilla/>
References: <bug-207598-17777@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #27 from Kristof Provost <kp@freebsd.org> ---
(In reply to Max from comment #26)
I think what we need to do is very carefully go through all the return paths
in pf.

There's basically three scenarios:
* Accept packet (modified or not) => return PF_PASS, *m0 is the mbuf
* Reject the packet (i.e. tell the stack it couldn't be sent) => return PF_DROP
* Drop the packet (i.e. it vanishes, do not tell the stack it couldn't be
  sent) => return PF_PASS, *m0 is NULL.

The pf_isfull_fragment() check needs to return PF_PASS (with *m0 == NULL),
because the packet was just buffered until we have the full (reassembled)
packet. It's not been rejected.

The if (m == NULL) check is really required, because we do set *m0 to NULL
during reassembly.

-- 
You are receiving this mail because:
You are the assignee for the bug.
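
The three outcomes listed in the comment above, modeled as an added user-space C example (not pf source and not part of the original message). The `struct mbuf` layout, `toy_hook`, `run_hook`, the `verdict` enum and the single-flow reassembly buffer are simplified stand-ins assumed for illustration.

```c
#include <stdio.h>

/* Stand-ins for kernel types and constants; this is not the pf source. */
struct mbuf { int len; int more_frags; };
enum { PF_PASS = 0, PF_DROP = 1 };
enum verdict { V_FORWARD, V_REJECT, V_CONSUMED };

static struct mbuf reasm;	/* toy reassembly buffer for a single flow */

/* Hypothetical hook that follows the three-way contract from the comment. */
static int toy_hook(struct mbuf **m0, int blocked)
{
	struct mbuf *m = *m0;

	if (blocked)
		return (PF_DROP);	/* reject: the stack learns the send failed */
	if (m->more_frags || reasm.len > 0) {
		reasm.len += m->len;	/* buffer this fragment */
		if (m->more_frags) {
			*m0 = NULL;	/* held for reassembly, not rejected */
			return (PF_PASS);
		}
		*m0 = &reasm;	/* last fragment: hand back the full packet */
	}
	return (PF_PASS);	/* accept: *m0 is the mbuf */
}

/* Caller side: PF_PASS alone is not enough, *m0 must be tested for NULL. */
static enum verdict run_hook(struct mbuf *m, int blocked, int *out_len)
{
	if (toy_hook(&m, blocked) != PF_PASS)
		return (V_REJECT);
	if (m == NULL)
		return (V_CONSUMED);	/* nothing to forward, no error reported */
	*out_len = m->len;
	if (m == &reasm)
		reasm.len = 0;	/* reassembled packet handed on, reset buffer */
	return (V_FORWARD);
}

int main(void)
{
	struct mbuf f1 = { 1000, 1 }, f2 = { 400, 0 };	/* constructed fragments */
	int len = 0, v1 = run_hook(&f1, 0, &len), v2 = run_hook(&f2, 0, &len);

	printf("verdicts %d then %d, forwarded length %d\n", v1, v2, len);
	return (0);
}
```

If the fragment branch returned `PF_DROP` instead, `run_hook` would report a rejection for a packet that is only waiting in the reassembly buffer.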