On Thu, Sep 07, 2023 at 03:59:43AM -0600, Alexandr Nedvedicky wrote:
> CVSROOT:	/cvs
> Module name:	src
> Changes by:	sas...@cvs.openbsd.org	2023/09/07 03:59:43
>
> Modified files:
> 	sys/net        : pf.c
>
> Log message:
> pf(4) ignores 'keep state' and 'nat-to' actions for unsolicited
> icmp error responses. Fix tightens rule matching logic so icmp
> error responses no longer match 'keep state' rule. In typical
> scenarios icmp errors (if solicited) should match existing state.
> The change is going to bite firewalls which deal with asymmetric
> routes. In those cases the 'keep state' action should be relaxed
> to sloppy or a new 'no state' rule to explicitly match icmp
> errors should be added.
>
> The issue has been reported by Peter J. Philip (pjp _at_ delphinusdns.org).
>
> Discussed with bluhm@ and florian@
>
> OK bluhm@
Couple of new failures. Reverting this commit makes the problem go away.

https://regress.basename.se/amd64/2023-09-08.1/296-sys-net-pair.log
https://regress.basename.se/amd64/2023-09-08.1/310-sys-net-vxlan.log
https://regress.basename.se/amd64/2023-09-08.1/397-usr.sbin-bgpd.log
https://regress.basename.se/amd64/2023-09-08.1/405-usr.sbin-ospf6d.log
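The two workarounds the log message names for asymmetric-route firewalls, written out as an added pf.conf fragment (example configuration, not from the commit or this thread); $ext_if and $int_net are assumed macros, and the ICMP types listed are illustrative:

```pf
# Before the commit: an ICMP error (e.g. destination-unreachable) that
# matched no existing state could still create one through a plain
# 'keep state' rule.  After the commit it no longer does, so on a
# firewall that only sees one direction of a flow it falls through to
# the block policy.
block log all
pass in on $ext_if inet proto icmp from any to $int_net keep state

# Workaround 1 from the log message: relax state tracking to sloppy,
# so the half-seen flow keeps a state that solicited ICMP errors can
# still match.
pass in on $ext_if inet proto tcp from any to $int_net port 443 \
    keep state (sloppy)

# Workaround 2 from the log message: an explicit stateless rule that
# admits the ICMP error types the path needs without creating state.
pass in quick on $ext_if inet proto icmp icmp-type { unreach, timex } \
    no state
```

Keep the stateless rule narrow (specific types, specific destinations); it admits those packets without the tracking that 'keep state' provides.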