Date: Wed, 25 May 2016 18:54:47 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-pf@FreeBSD.org Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow Message-ID: <bug-207598-17777-PZUasfZ9md@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-207598-17777@https.bugs.freebsd.org/bugzilla/> References: <bug-207598-17777@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598 --- Comment #19 from Max <maximos@als.nnov.ru> --- I've never read FreeBSD sources, except pf's last week... probably I'm wrong. ip_input()->ip_forward()->ip_output()->ip_output_pfil()->pfil_run_hooks()->pf_test(). If ip_output() returns any error, then in ip_forward(): error = ip_output(...); ... switch (error) { case 0: /* forwarded, but need redirect */ /* type, code set above */ break; ... default: type = ICMP_UNREACH; code = ICMP_UNREACH_HOST; break; ... icmp_error(...); So, we have incoming fragment of echo request. There are two options: 1. pf returns PF_PASS -> ip_output() returns 0 -> everything is OK 2. pf returns PF_DROP -> ip_output() returns nonzero value -> we have icmp-unreach message. pf returns PF_DROP when we have (implicit) "scrub out on...". Please, correct me if I missing something. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-207598-17777-PZUasfZ9md>