[Bug 226850] [pf] Matching but failed rules block without return

Thu Mar 22 16:31:02 UTC 2018

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850

            Bug ID: 226850
           Summary: [pf] Matching but failed rules block without return
           Product: Base System
           Version: 11.1-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: vegeta at tuxpowered.net

Created attachment 191739
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=191739&action=edit
Support "return" statements in passing rules when they fail.

Normally pf rules are expected to do one of two things: pass the traffic or
block it. Blocking can be silent - "drop", or loud - "return", "return-rst",
"return-icmp". Yet there is a 3rd category of traffic passing through pf.
Packets matching a "pass" rule but when applying the rule fails. This happens
when redirection table is empty or when src node or state creation fails. Such
rules always fail silently without notifying the sender.

Please see proposed patch for adding "return"-like keywords to "pass" rules
just as "block" rules do. Other option would be to not change pf.conf's grammar
and just make such rules always returning.

-- 
You are receiving this mail because:
You are the assignee for the bug.