Hello,

On Sun, Sep 03, 2023 at 05:10:02PM +0200, Alexander Bluhm wrote:
> On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote:
> > in my opinion is to fix the pf_match_rule() function, so an ICMP error message
> > will no longer match a 'keep state' rule. The diff below is for IPv4. I still
> > need to think more about IPv6. My gut feeling is it will be very similar.
> 
> Thanks for the detailed analysis.
> 
> Your proposed fix means that our default pf would block ICMP error
> packets now.
> 
> block return    # block stateless traffic
> pass            # establish keep-state
> 
> To have the old behaviour one would write

    I think an ICMP error message, if legit, is allowed because it matches
    the state created by the 'pass' rule. At least this is my understanding.

    Or is there something else going on which I'm missing?

thanks and
regards
sashan
