From owner-freebsd-stable@FreeBSD.ORG Sat Apr 2 00:21:13 2005
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BB89016A4CE for ; Sat, 2 Apr 2005 00:21:13 +0000 (GMT)
Received: from philemon.caltech.edu (philemon.caltech.edu [131.215.158.74]) by mx1.FreeBSD.org (Postfix) with ESMTP id 79E7C43D31 for ; Sat, 2 Apr 2005 00:21:13 +0000 (GMT) (envelope-from jd@philemon.caltech.edu)
Received: from philemon.caltech.edu (localhost.caltech.edu [127.0.0.1]) by philemon.caltech.edu (8.13.1/8.12.9) with ESMTP id j320KaNX017914; Fri, 1 Apr 2005 16:20:36 -0800 (PST) (envelope-from jd@philemon.caltech.edu)
Received: (from jd@localhost) by philemon.caltech.edu (8.13.1/8.12.9/Submit) id j320KZ0j017913; Fri, 1 Apr 2005 16:20:35 -0800 (PST)
Date: Fri, 1 Apr 2005 16:20:35 -0800
From: Jonathan Dama
To: freebsd-stable@freebsd.org
Message-ID: <20050402002035.GK75619@philemon.caltech.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
cc: darrenr@pobox.com
Subject: mfc of ipf 3.4.35 breaks POLA in 4.11, 4-Stable
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 02 Apr 2005 00:21:13 -0000

IPF in 4.11, 4-Stable breaks the semantics of icmp keep-state rules.

This problem was mentioned in
http://msgs.securepoint.com/cgi-bin/get/ipfilter-0503/31/1/2/1/1.html

I wouldn't make a fuss over this simple matter except that this constitutes
a POLA violation. To that end, the following PR was submitted:
http://www.freebsd.org/cgi/query-pr.cgi?pr=79416

Incidentally, unless I really misunderstand ipf, there appears to be a
genuine bug here. POLA issues aside, a pass-rule is being used to block
packets.

Thanks,
Jon
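For readers unfamiliar with the rule form the message refers to, the following is an added illustration of an ipf ruleset that relies on ICMP keep-state semantics; it is not from the message, the PR, or the ipfilter project, and the interface name and addresses are assumed placeholders. Under the intended semantics, the outbound `pass ... keep state` rule on ICMP creates a state entry so that the matching reply (e.g. an echo-reply to an echo-request) is admitted inbound without a separate `pass in` rule, even though the default policy blocks inbound traffic. The specific regression the message reports is documented in PR 79416 and is not reproduced here.

```conf
# Added example ruleset (assumed interface fxp0, assumed placeholder addresses).
# Default-deny on the external interface, logging dropped inbound packets.
block in log quick on fxp0 all
block out quick on fxp0 all

# Let this host originate ICMP (echo-request from ping, traceroute probes, etc.).
# "keep state" is what should admit the corresponding ICMP replies inbound;
# no separate "pass in proto icmp" rule is written on purpose, so that any
# blocked reply shows up in the log as a hit on the default-deny rule above.
pass out quick on fxp0 proto icmp from 192.0.2.10 to any keep state

# Ordinary stateful TCP/UDP egress for comparison.
pass out quick on fxp0 proto tcp from 192.0.2.10 to any flags S keep state
pass out quick on fxp0 proto udp from 192.0.2.10 to any keep state
```

A quick way for an administrator to check the behaviour on a given build is to run `ping` from 192.0.2.10 with this ruleset loaded and watch `ipmon` output: with working keep-state semantics the echo-replies are not logged as blocked; if they appear in the log as hits on the `block in` rule, the state entry created by the `pass out` rule is not matching the reply.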