Date: Fri, 10 Jun 2016 18:57:06 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Message-ID: <bug-207598-17777-3WhJWhf0jn@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-207598-17777@https.bugs.freebsd.org/bugzilla/>
References: <bug-207598-17777@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #34 from Max <maximos@als.nnov.ru> ---
(In reply to Kristof Provost from comment #33)
Yeah, that's my fault... It is ICMP. But man pf.conf says

  return
    This causes a TCP RST to be returned for tcp(4) packets
    and an ICMP UNREACHABLE for UDP and other packets.

(In reply to Kristof Provost from comment #32)
I'm trying to understand what's happening...
Without the patch:

ruleset 1:
  scrub on gre1
  pass log (all) all
  block return out log (all) on gre1 proto icmp

ICMP-unreach exists.

ruleset 2:
  scrub on gre1
  pass log (all) all
  block return in log (all) on gre0 proto icmp

ICMP-unreach doesn't exist. Should it?

ruleset 3:
  scrub on gre0
  scrub on gre1
  pass log (all) all
  block return in log (all) on gre0 proto icmp

ICMP-unreach doesn't exist.

I've rebuilt the kernel... again... the patched version.
There is no ICMP-unreach at all.
So, the first case is relevant to patch, I think...

-- 
You are receiving this mail because:
You are the assignee for the bug.