[Bug 259879] enabling PF blocks multicast/igmp sendto
Date: Thu, 18 Nov 2021 06:36:56 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259879
--- Comment #7 from Johan Ström <johan@stromnet.se> ---
The "block return log on $if all" IS matching and IS logging, as long as there
isn't a pass rule for igmp. If I add a pass rule *without allow-opts* it stops
logging, even if the pass rule does not pass the traffic:

    block return log on vtnet0 all

logs to pflog0

    06:30:59.154898 rule 0/0(match): block out on vtnet0: (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
        172.28.6.15 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.255.0.100 to_in, 0 source(s)]

but

    block return log on vtnet0 all
    pass on vtnet0 inet proto icmp

does not pass traffic (since missing allow-opts on pass rule), but neither does
it log it in pflog anymore.
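
Added example, not part of the original comment or of FreeBSD's code: a Python sketch that scans pflog records in the tcpdump text format quoted above and lists the logged packets that carry IP options, which are the ones a pass rule only lets through with allow-opts. The function names and the second sample record are constructed for illustration, and the generated rules are review candidates, not a recommended ruleset.

```python
import re

# Header line of a pflog record as printed by tcpdump, in the format quoted above.
HEADER = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>[^)]*)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"\((?P<ip>.*)\)\s*$"
)
PROTO = re.compile(r"proto (\S+) \(\d+\)")
OPTIONS = re.compile(r"options \(([^)]*)\)")

# Constructed input: the record from the comment (unwrapped) plus one made-up
# TCP record without IP options for contrast.
SAMPLE = [
    "06:30:59.154898 rule 0/0(match): block out on vtnet0: (tos 0xc0, ttl 1, id 0, "
    "offset 0, flags [DF], proto IGMP (2), length 40, options (RA))",
    "    172.28.6.15 > 224.0.0.22: igmp v3 report, 1 group record(s) "
    "[gaddr 239.255.0.100 to_in, 0 source(s)]",
    "06:31:02.000001 rule 0/0(match): block in on vtnet0: (tos 0x0, ttl 64, id 4321, "
    "offset 0, flags [DF], proto TCP (6), length 60)",
    "    192.0.2.10.50000 > 172.28.6.15.22: Flags [S], seq 1, win 65535, length 0",
]


def packets_with_ip_options(lines):
    """Return (rule, action, ifname, proto, options) per logged packet with IP options."""
    found = []
    for line in lines:
        m = HEADER.search(line)
        if not m:
            continue  # continuation line (addresses, payload summary) or noise
        proto, opts = PROTO.search(m["ip"]), OPTIONS.search(m["ip"])
        if proto and opts:
            found.append((int(m["rule"]), m["action"], m["ifname"],
                          proto[1].lower(), opts[1]))
    return found


def candidate_rules(lines):
    """Hypothetical helper: one allow-opts pass rule per (interface, protocol) seen."""
    pairs = sorted({(i, p) for _, _, i, p, _ in packets_with_ip_options(lines)})
    return [f"pass on {i} inet proto {p} allow-opts" for i, p in pairs]


if __name__ == "__main__":
    for hit in packets_with_ip_options(SAMPLE):
        print("IP options seen:", hit)
    for rule in candidate_rules(SAMPLE):
        print("review candidate:", rule)
```

As the comment reports, these records reach pflog0 only while the block rule is the one matching, so the scan is useful before a pass rule for the protocol is added.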