[Bug 207598] pf adds icmp unreach on gre/ipsec somehow

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed May 25 18:54:47 UTC 2016


--- Comment #19 from Max <maximos at als.nnov.ru> ---
I've never read FreeBSD sources, except pf's last week... probably I'm wrong.
If ip_output() returns any error, then in ip_forward():
        error = ip_output(...);
        switch (error) {
        case 0:                         /* forwarded, but need redirect */
                /* type, code set above */
                type = ICMP_UNREACH;
                code = ICMP_UNREACH_HOST;
So, we have incoming fragment of echo request. There are two options:
1. pf returns PF_PASS -> ip_output() returns 0 -> everything is OK
2. pf returns PF_DROP -> ip_output() returns nonzero value -> we have
icmp-unreach message.
pf returns PF_DROP when we have (implicit) "scrub out on...".

Please, correct me if I missing something.

You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-pf mailing list