From owner-freebsd-stable@FreeBSD.ORG Fri Mar 11 13:52:13 2005
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC3BD16A4CE; Fri, 11 Mar 2005 13:52:13 +0000 (GMT)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id 969E943D46; Fri, 11 Mar 2005 13:52:12 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) j2BDqDtR031123 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Fri, 11 Mar 2005 14:52:13 +0100 (MET)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.3/8.12.10/Submit) id j2BDqDGB031566; Fri, 11 Mar 2005 14:52:13 +0100 (MET)
Date: Fri, 11 Mar 2005 14:52:12 +0100
From: Daniel Hartmeier
To: Emanuel Strobl
Message-ID: <20050311135212.GA30653@insomnia.benzedrine.cx>
References: <20050212061756.GF4769@kt-is.co.kr> <200502211924.10327.max@love2party.net> <200503111311.03343@harrymail> <200503111350.52724@harrymail>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200503111350.52724@harrymail>
User-Agent: Mutt/1.5.6i
cc: Max Laier
cc: stable@freebsd.org
cc: freebsd-stable@freebsd.org
cc: yongari@kt-is.co.kr
cc: pf@freebsd.org
Subject: Re: Return-icmp doesn't work [Was: Re: Recent panics caused by pf]
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Fri, 11 Mar 2005 13:52:13 -0000

On Fri, Mar 11, 2005 at 01:50:47PM +0100, Emanuel Strobl wrote:

> > Then I have another problem which may be a design problem.
> > I am multihomed and have several pass reply-to rules. So far things are
> > working fine but block return doesn't! Of course, the return gets over the
> > default route, so what I needed is a block return route-to or something
> > like that.
> > Do you know any detour how this could be achieved?
>
> This problem is still unsolved :(

The idea is that you can use reply-to on block rules for this purpose:

  block return-rst in on wi0 reply-to (wi0 10.1.1.1) inet proto tcp all

This is valid syntax and pfctl loads the rule, but the functionality is
not implemented in kernel yet, i.e. the reply-to option is simply
ignored.

The problem is that return-icmp uses the stack's icmp_error(), which
doesn't take an argument to override a route lookup. And duplicating the
function would be ugly due to its size.

It's on the to-do list, but it's been sitting there for a while already.

Daniel
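As an added illustration (not part of Daniel's message and not pf project code), here is a pf.conf fragment for the multihomed setup the thread describes: pass rules carrying reply-to for each uplink, and a block return-rst rule that also carries reply-to. Per the reply above, pfctl accepts and loads the block rule, but the kernel ignores its reply-to, so the RST still leaves via the normal route lookup. The interface names (em0, em1), gateway addresses and the port are placeholders chosen for the example.

```pf
# Added example: placeholder interfaces, gateways and port, not from the original message.
ext_if1 = "em0"
ext_gw1 = "192.0.2.1"
ext_if2 = "em1"
ext_gw2 = "198.51.100.1"

# Multihomed pass rules: reply-to sends the state's return traffic back out
# the interface and gateway the connection came in on, instead of over the
# default route.
pass in on $ext_if1 reply-to ($ext_if1 $ext_gw1) inet proto tcp \
    from any to ($ext_if1) port 22 flags S/SA keep state
pass in on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
    from any to ($ext_if2) port 22 flags S/SA keep state

# Block with a TCP RST on the second uplink. This parses and loads, but, as
# stated in the message above, the kernel ignores reply-to on block rules,
# so the RST is routed by the ordinary route lookup (the default route).
block return-rst in on $ext_if2 reply-to ($ext_if2 $ext_gw2) inet proto tcp \
    from any to ($ext_if2)
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -nvf /etc/pf.conf` prints the parsed rules with their reply-to options. That only confirms the syntax is accepted; it says nothing about whether the kernel honors reply-to on the block rule, which, according to the reply above, it does not.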