Hello, I was about to start looking into it. However, there was another mail in my inbox where I learned naddy@ has backed out the commit. bluhm@ and I agree with him. The change attempts to fix an awkward corner case, doing more harm than good.
thanks and regards
sashan

On Fri, 8 Sep 2023 at 12:59, Anton Lindqvist <an...@basename.se> wrote:
>
> On Thu, Sep 07, 2023 at 03:59:43AM -0600, Alexandr Nedvedicky wrote:
> > CVSROOT: /cvs
> > Module name: src
> > Changes by: sas...@cvs.openbsd.org 2023/09/07 03:59:43
> >
> > Modified files:
> > sys/net : pf.c
> >
> > Log message:
> > pf(4) ignores 'keep state' and 'nat-to' actions for unsolicited
> > icmp error responses. Fix tightens rule matching logic so icmp
> > error responses no longer match 'keep state' rule. In typical
> > scenarios icmp errors (if solicited) should match existing state.
> > The change is going to bite firewalls which deal with asymmetric
> > routes. In those cases the 'keep state' action should be relaxed
> > to sloppy or a new 'no state' rule to explicitly match icmp
> > errors should be added.
> >
> > The issue has been reported by Peter J. Philip (pjp _at_ delphinusdns.org).
> >
> > Discussed with bluhm@ and florian@
> >
> > OK bluhm@
>
> Couple of new failures. Reverting this commit makes the problem go away.
>
> https://regress.basename.se/amd64/2023-09-08.1/296-sys-net-pair.log
> https://regress.basename.se/amd64/2023-09-08.1/310-sys-net-vxlan.log
> https://regress.basename.se/amd64/2023-09-08.1/397-usr.sbin-bgpd.log
> https://regress.basename.se/amd64/2023-09-08.1/405-usr.sbin-ospf6d.log
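The two workarounds the quoted commit message mentions for asymmetric routing (relaxing 'keep state' to sloppy, or adding an explicit 'no state' rule that matches ICMP errors) would look like the pf.conf fragment below. This is an added, constructed example; it is not from the thread, the commit, or OpenBSD's own configuration, and it assumes an external interface named em0. Because naddy@ backed the commit out, a tree without that change does not need these rules; they only illustrate what the commit message was asking operators to do.

```pf
# Constructed example, not part of the thread. Assumes em0 is the
# external interface on a firewall that sees asymmetric routes.

ext_if = "em0"

# Option 1: keep state, but let pf accept packets (including ICMP
# errors) that do not fit the strict sequence tracking of a normal
# state entry. Only loosen tracking where asymmetry actually occurs.
pass out on $ext_if inet proto tcp to any port 443 keep state (sloppy)

# Option 2: match ICMP error responses explicitly without creating
# state, so they are accepted even when no matching state exists on
# this path. Restrict it to the error types you expect rather than
# all of ICMP.
pass in on $ext_if inet proto icmp icmp-type { unreach, timex, paramprob } no state
```

Which option fits depends on the topology: the sloppy state keeps per-flow tracking and is the smaller relaxation, while the 'no state' rule accepts the listed ICMP error types on $ext_if regardless of any flow, so it should stay as narrow as the icmp-type list allows.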