[Bug 281871] [pf] "match out on $ext_if proto tcp scrub (min-ttl 128)" modify incoming packets too

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 02 May 2025 16:42:24 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281871

--- Comment #9 from Kristof Provost <kp@freebsd.org> ---
(In reply to Vladimir Druzenko from comment #8)
> age 00:00:06, expires in 23:59:54, 2:1 pkts, 112:60 bytes, rule 58, min-ttl 128

You can check your rules for what rule 58 is, but the match rule presumably
applied when the state was created, so the min-ttl flag got applied to the
state and affects both directions of the state.
Again, that's expected. Rules are only processed for the initial packet that
creates the state, and in this case that will have been the SYN for the 
`telnet $IP $PORT`. That's an outbound packet on $ext_if (presumably), so the
match rule applied and the min-ttl got set on the state where it now also
applies to the other direction of that state.

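To audit which existing states carry a min-ttl that was set when the state was created, as the comment above describes, the following added example (not part of the bug thread or of pf itself) parses verbose state listing text such as that printed by `pfctl -vvss`. The sample input is constructed; only the format of the `age ...` line is taken from the output quoted in the comment, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample; the detail-line layout follows the line quoted in the bug.
SAMPLE = """\
all tcp 192.0.2.10:50122 -> 198.51.100.7:23       ESTABLISHED:ESTABLISHED
   age 00:00:06, expires in 23:59:54, 2:1 pkts, 112:60 bytes, rule 58, min-ttl 128
all tcp 192.0.2.10:22 <- 203.0.113.9:40100       ESTABLISHED:ESTABLISHED
   age 00:10:02, expires in 23:50:00, 40:38 pkts, 5120:4900 bytes, rule 12
all tcp 192.0.2.10:50200 -> 198.51.100.8:443       ESTABLISHED:ESTABLISHED
   age 00:00:01, expires in 23:59:59, 3:2 pkts, 180:120 bytes, rule 58, min-ttl 128
"""

RULE = re.compile(r"\brule (\d+)")
MIN_TTL = re.compile(r"\bmin-ttl (\d+)")


def states_with_min_ttl(text):
    """Return (state header, rule number, min-ttl) for states carrying min-ttl."""
    found, header = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: start of a new state entry.
            header = " ".join(line.split())
            continue
        rule, ttl = RULE.search(line), MIN_TTL.search(line)
        if header and rule and ttl:
            found.append((header, int(rule.group(1)), int(ttl.group(1))))
    return found


def group_by_rule(text):
    """Group min-ttl states by the rule number recorded in the state."""
    grouped = defaultdict(list)
    for header, rule, ttl in states_with_min_ttl(text):
        grouped[rule].append((header, ttl))
    return dict(grouped)


if __name__ == "__main__":
    for rule, states in group_by_rule(SAMPLE).items():
        print(f"rule {rule}: {len(states)} state(s) carry min-ttl")
        for header, ttl in states:
            print(f"  min-ttl {ttl}  {header}")
```

Because the option lives on the state, each state listed here has it enforced on packets in both directions until the state expires.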