On Thu, Sep 07, 2023 at 03:59:43AM -0600, Alexandr Nedvedicky wrote:
> CVSROOT:      /cvs
> Module name:  src
> Changes by:   sas...@cvs.openbsd.org  2023/09/07 03:59:43
> 
> Modified files:
>       sys/net        : pf.c 
> 
> Log message:
> pf(4) ignores 'keep state' and 'nat-to' actions for unsolicited
> icmp error responses. Fix tightens rule matching logic so icmp
> error responses no longer match 'keep state' rule. In typical
> scenarios icmp errors (if solicited) should match existing state.
> The change is going to bite firewalls which deal with asymmetric
> routes. In those cases the 'keep state' action should be relaxed
> to sloppy or new 'no state' rule to explicitly match icmp
> errors should be added.
> 
> The issue has been reported by Peter J. Philip (pjp _at_ delphinusdns.org).
> 
> Discussed with bluhm@ and florian@
> 
> OK bluhm@

Couple of new failures. Reverting this commit makes the problem go away.

        https://regress.basename.se/amd64/2023-09-08.1/296-sys-net-pair.log
        https://regress.basename.se/amd64/2023-09-08.1/310-sys-net-vxlan.log
        https://regress.basename.se/amd64/2023-09-08.1/397-usr.sbin-bgpd.log
        https://regress.basename.se/amd64/2023-09-08.1/405-usr.sbin-ospf6d.log
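
The two remediations the commit message names, written out as a pf.conf fragment; this is an added example, not taken from the commit or from this thread, and the interface macro, address block and rule set are assumptions for illustration:

```conf
# Added example, not from the commit or this thread. The interface and
# address macros are assumed purely for illustration.
ext_if  = "em0"
lan_net = "192.0.2.0/24"

# With this commit, unsolicited ICMP error responses no longer match a
# 'keep state' rule; solicited errors still match the existing state.
# On a symmetrically routed firewall this rule therefore keeps working:
pass out on $ext_if inet proto tcp from $lan_net to any keep state

# On a firewall that sees asymmetric routes, the ICMP error belonging to
# a connection can arrive where no matching state exists. The commit
# message names two options. Either relax the rule to sloppy state ...
pass out on $ext_if inet proto tcp from $lan_net to any keep state (sloppy)

# ... or add an explicit 'no state' rule for the ICMP error types that
# must be admitted, so they are matched statelessly instead.
pass in on $ext_if inet proto icmp icmp-type { unreach, timex, paramprob } no state
```

Which of the two to use depends on whether the firewall is expected to see the whole connection; the stateless rule admits only the listed ICMP error types and should be kept as narrow as the asymmetric path requires.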
