On Sun, May 08, 2022 at 06:37:57PM +0200, Alexandr Nedvedicky wrote:
> this tiny update to pf.conf(5) has been prompted here [1] on
> the pf mailing list. By default only ICMP queries are allowed
> to create state in pf(4). The sloppy option relaxes that
> so ICMP replies can also create a state. I think this should
> also be mentioned in pf.conf(5).
> 
> OK to my suggestion below?

I would make it a bit shorter.  pf.conf(5) is very long already.

    With this option ICMP replies can create states.

Does this describe everything?

> --------8<---------------8<---------------8<------------------8<--------
> diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
> index fe4b117994a..7389d231fe2 100644
> --- a/share/man/man5/pf.conf.5
> +++ b/share/man/man5/pf.conf.5
> @@ -2186,6 +2186,9 @@ It cannot be used with
>  .Cm modulate state
>  or
>  .Cm synproxy state .
> +The option also relaxes handling of ICMP such that also ICMP replies
> +are allowed to create state.
> +By default ICMP queries only are allowed to create state.
>  .It Ar timeout seconds
>  Changes the
>  .Ar timeout
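
Review bot: The three added lines after ".Cm synproxy state ." state the behaviour twice and in an order that makes the reader work backwards: the relaxed case comes first ("such that also ICMP replies are allowed to create state") and the default only in the last line. The wording is also awkward ("also relaxes ... such that also", "ICMP queries only are allowed"). Consider putting the default first and the effect of the option second, for example "By default only ICMP queries can create state." followed by "With this option ICMP replies can create state too.", or collapsing to one sentence as suggested in the reply. Since this paragraph documents a loosening of state creation, it helps if the text makes clear that the change applies only to rules that carry the option, which the current placement under the option's own description implies but does not say.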
