[Bug 259879] enabling PF blocks multicast/igmp sendto

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259879

--- Comment #9 from Johan Ström <johan@stromnet.se> ---
TEST CASE:


block return log on $if all


flushing state and starting socat.
Logs on pflog0:

07:50:32.756386 rule 0/0(match): block out on vtnet0: (tos 0xc0, ttl 1, id 0,
offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
    172.28.6.15 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr
239.255.0.100 to_ex, 0 source(s)]

And nothing on vtnet0.


TEST CASE:


block return log on $if all
pass log on $if inet proto igmp allow-opts

flushing state and starting socat, logs:

07:44:57.756384 rule 2/0(match): pass out on vtnet0: (tos 0xc0, ttl 1, id 0,
offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
    172.28.6.15 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr
239.255.0.100 to_ex, 0 source(s)]

and expected igmp on vnet0.
pf rule Packet counter is incremented.




Tested:

block return log on $if all
pass log on $if inet proto


flushing state and starting socat, logs

07:46:55.356406 rule 2/8(ip-option): pass out on vtnet0: (tos 0xc0, ttl 1, id
0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
    172.28.6.15 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr
239.255.0.100 to_ex, 0 source(s)]


Nothing on vtnet0.
pf rule Packet counter is NOT incremented (only Evaluated).



So, from a pflog perspective it seems the rule is matched, but from counter and
actual traffic perspective, not matched.

-- 
You are receiving this mail because:
You are the assignee for the bug.