Re: pf nat-to doesn't match a crafted packet

2023-09-03 Thread Alexandr Nedvedicky
Hello, On Sun, Sep 03, 2023 at 09:26:29PM +0200, Florian Obser wrote: > FYI, I'm not using sloppy, and I don't have a network with asymmetric routing > at the moment. I only remembered that we used sloppy for a while at my > previous job. I think we settled on no-state because it was faster than

Re: pf nat-to doesn't match a crafted packet

2023-09-03 Thread Florian Obser
FYI, I'm not using sloppy, and I don't have a network with asymmetric routing at the moment. I only remembered that we used sloppy for a while at my previous job. I think we settled on no-state because it was faster than sloppy and less hassle. On 3 September 2023 20:09:10 CEST, Alexandr

Re: pf nat-to doesn't match a crafted packet

2023-09-03 Thread Alexandr Nedvedicky
Hello, On Sun, Sep 03, 2023 at 06:29:51PM +0200, Alexander Bluhm wrote: > On Sun, Sep 03, 2023 at 06:17:12PM +0200, Florian Obser wrote: > > On 2023-09-03 18:13 +02, Alexander Bluhm wrote: > > > On Sun, Sep 03, 2023 at 05:59:18PM +0200, Alexandr Nedvedicky wrote: > > >> Hello, > > >> > > >> On

Re: pf nat-to doesn't match a crafted packet

2023-09-03 Thread Alexander Bluhm
On Sun, Sep 03, 2023 at 06:17:12PM +0200, Florian Obser wrote: > On 2023-09-03 18:13 +02, Alexander Bluhm wrote: > > On Sun, Sep 03, 2023 at 05:59:18PM +0200, Alexandr Nedvedicky wrote: > >> Hello, > >> > >> On Sun, Sep 03, 2023 at 05:10:02PM +0200, Alexander Bluhm wrote: > >> > On Sun, Sep 03,

Re: pf nat-to doesn't match a crafted packet

2023-09-03 Thread Florian Obser
On 2023-09-03 18:13 +02, Alexander Bluhm wrote: > On Sun, Sep 03, 2023 at 05:59:18PM +0200, Alexandr Nedvedicky wrote: >> Hello, >> >> On Sun, Sep 03, 2023 at 05:10:02PM +0200, Alexander Bluhm wrote: >> > On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote: >> > > in my opinion

Re: pf nat-to doesn't match a crafted packet

2023-09-03 Thread Alexander Bluhm
On Sun, Sep 03, 2023 at 05:59:18PM +0200, Alexandr Nedvedicky wrote: > Hello, > > On Sun, Sep 03, 2023 at 05:10:02PM +0200, Alexander Bluhm wrote: > > On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote: > > > in my opinion is to fix pf_match_rule() function, so ICMP error message

Re: pf nat-to doesn't match a crafted packet

2023-09-03 Thread Alexandr Nedvedicky
Hello, On Sun, Sep 03, 2023 at 05:10:02PM +0200, Alexander Bluhm wrote: > On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote: > > in my opinion is to fix pf_match_rule() function, so ICMP error message > > will no longer match 'keep state' rule. Diff below is for IPv4. I still >

Re: pf nat-to doesn't match a crafted packet

2023-09-03 Thread Alexander Bluhm
On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote: > in my opinion is to fix pf_match_rule() function, so ICMP error message > will no longer match 'keep state' rule. Diff below is for IPv4. I still > need to think of more about IPv6. My gut feeling is it will be very similar.

Re: resume failures/lockups

2023-09-03 Thread Ross L Richardson
On Sat, Sep 02, 2023 at 11:45:13AM +0100, Martin Pieuchot wrote: > Hello Ross, > > On 27/08/23(Sun) 15:16, Ross L Richardson wrote: > > For the past several weeks (using -current), I've had problems with > > resume on an amd64 desktop. It's intermittent (but if anything > > becoming increasingly

Re: pf nat-to doesn't match a crafted packet

2023-09-03 Thread Alexandr Nedvedicky
Hello, I'm sorry the diff against current does not compile. It's missing a closing paren. Sorry about that. regards sashan On Sun, Sep 03, 2023 at 04:12:35AM +0200, Alexandr Nedvedicky wrote: > 8<---8<---8<--8< > diff --git