Date: Thu, 22 Mar 2018 16:31:01 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 226850] [pf] Matching but failed rules block without return
Message-ID: <bug-226850-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

            Bug ID: 226850
           Summary: [pf] Matching but failed rules block without return
           Product: Base System
           Version: 11.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: vegeta@tuxpowered.net

Created attachment 191739
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=191739&action=edit
Support "return" statements in passing rules when they fail.

Normally pf rules are expected to do one of two things: pass the traffic or
block it. Blocking can be silent - "drop", or loud - "return", "return-rst",
"return-icmp".

Yet there is a 3rd category of traffic passing through pf: packets that match
a "pass" rule, but where applying the rule fails. This happens when the
redirection table is empty or when src node or state creation fails. Such
rules always fail silently without notifying the sender.

Please see the proposed patch for adding "return"-like keywords to "pass"
rules, just as "block" rules have. Another option would be to not change
pf.conf's grammar and just make such rules always return.

-- 
You are receiving this mail because:
You are the assignee for the bug.
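The following pf.conf fragment is an added illustration of the situation the report describes and is not part of the bug report or its attachment; the interface name, table name and port are assumed placeholders, and it uses the separate "rdr" rule syntax of pf on FreeBSD 11.1.

```conf
# Added example (not from the bug report): a ruleset in which a matching
# "pass" rule can fail at apply time. $ext_if, <webservers> and the ports
# are assumed placeholders.
ext_if = "em0"

# Backend table meant to be filled at runtime (e.g. by a health checker).
# If it is empty when a packet is redirected, the rdr has no target.
table <webservers> persist

# The two documented blocking behaviours: "drop" is silent, "return"
# notifies the sender (TCP RST or ICMP unreachable).
block drop in on $ext_if
block return in on $ext_if proto tcp to ($ext_if) port 8080

# Redirect and pass inbound HTTP to whatever is in <webservers>.
# When the table is empty the rule still matches but applying it fails;
# as the report notes, pf then drops the packet silently, like "block drop",
# with no way to ask for a "return" in the "pass" rule's grammar.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 \
    -> <webservers> port 80 round-robin
```

Whether the redirection target is empty can be checked with "pfctl -t webservers -T show"; an empty result is the condition under which the silent failure described above occurs.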
