Hello, > On Tue, May 19, 2015 at 14:07 +0200, Alexandr Nedvedicky wrote: > > Hello Mike, > > > > I've reworked patch from yesterday. I've done some quick testing > > to see if it fixes problem. It looks like it works. I have not > > tested NAT-64 yet. Also I'd like to come up with test case, which > > will show the state check is still able to block invalid ICMP packet > > (invalid with respect to state). > > > > The idea of fix is to keep icmp_dir in state as well. The icmp_dir > > indicates whether state got created by ICMP request or response. > > This is useful later in pf_icmp_state_lookup() to check whether > > ICMP request/response matches state direction. > > > > This feels slightly convoluted... check my diff out! (:
nice, I like your "XOR Magic!" comment. Looks like I was trying to fix the other end... your patch is minimalistic and correct as far as I can tell. > > P.S. I took discussion off-line not to create extra noise on > > tech@openbsd.org > > feel free go get the alias back to loop. > > Nah, that's what tech@ is for! O.K. I won't do it again... regards sasha
