Date: Thu, 22 Mar 2018 16:31:01 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 226850] [pf] Matching but failed rules block without return Message-ID: <bug-226850-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D226850 Bug ID: 226850 Summary: [pf] Matching but failed rules block without return Product: Base System Version: 11.1-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: vegeta@tuxpowered.net Created attachment 191739 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D191739&action= =3Dedit Support "return" statements in passing rules when they fail. Normally pf rules are expected to do one of two things: pass the traffic or block it. Blocking can be silent - "drop", or loud - "return", "return-rst", "return-icmp". Yet there is a 3rd category of traffic passing through pf. Packets matching a "pass" rule but when applying the rule fails. This happe= ns when redirection table is empty or when src node or state creation fails. S= uch rules always fail silently without notifying the sender. Please see proposed patch for adding "return"-like keywords to "pass" rules just as "block" rules do. Other option would be to not change pf.conf's gra= mmar and just make such rules always returning. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-226850-8>