[Bug 207598] pf adds icmp unreach on gre/ipsec somehow
bugzilla-noreply at freebsd.org
Wed May 25 18:54:47 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598
--- Comment #19 from Max <maximos at als.nnov.ru> ---
I've never read the FreeBSD sources, except pf's last week... probably I'm wrong.
ip_input()->ip_forward()->ip_output()->ip_output_pfil()->pfil_run_hooks()->pf_test().
If ip_output() returns any error, then in ip_forward():
    error = ip_output(...);
    ...
    switch (error) {
    case 0:                         /* forwarded, but need redirect */
        /* type, code set above */
        break;
    ...
    default:
        type = ICMP_UNREACH;
        code = ICMP_UNREACH_HOST;
        break;
    ...
    icmp_error(...);
So, we have an incoming fragment of an echo request. There are two options:
1. pf returns PF_PASS -> ip_output() returns 0 -> everything is OK
2. pf returns PF_DROP -> ip_output() returns a nonzero value -> we get an
icmp-unreach message.
pf returns PF_DROP when we have an (implicit) "scrub out on ...".
Please correct me if I am missing something.
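The chain the comment walks through (pf verdict -> ip_output() error value -> ip_forward() switch -> icmp_error()) can be modelled in a few lines of C to check the reasoning. The block below is an added illustration, not code from the bug thread or from the FreeBSD tree: the *_model functions and the struct pkt fields are this example's own stand-ins, while the ICMP_UNREACH, ICMP_UNREACH_HOST, PF_PASS and PF_DROP values are the ones defined in FreeBSD's netinet/ip_icmp.h and net/pfvar.h. The point it demonstrates is that the quoted switch has only a `case 0` arm and a `default` arm, so whatever nonzero value the output pfil hook hands back, including PF_DROP for a fragment held by an (implicit) "scrub out" rule, is turned into an ICMP host-unreachable error.

```c
/* Model of the ip_forward() error-to-ICMP mapping quoted in comment #19.
 * Added example, not FreeBSD source: the real code lives in
 * sys/netinet/ip_input.c, ip_output.c and pf_ioctl.c; every name ending in
 * _model and the struct pkt fields are stand-ins invented here. */
#include <stdio.h>

/* Values as defined in FreeBSD's netinet/ip_icmp.h and net/pfvar.h. */
#define ICMP_UNREACH        3
#define ICMP_UNREACH_HOST   1
#define PF_PASS             0
#define PF_DROP             1

/* Constructed packet description: is it a fragment, and does the outgoing
 * interface have an (implicit) "scrub out" rule? */
struct pkt { int is_fragment; int scrub_out; };

typedef int (*pfil_hook_t)(const struct pkt *);

/* Stand-in for pf_test(PF_OUT, ...): a fragment hitting "scrub out" is kept
 * for reassembly, so the hook reports PF_DROP to its caller. */
static int pf_test_out_model(const struct pkt *p)
{
    if (p->scrub_out && p->is_fragment)
        return PF_DROP;
    return PF_PASS;
}

/* Stand-in for ip_output() -> ip_output_pfil() -> pfil_run_hooks(): a hook
 * verdict other than PF_PASS is returned unchanged as ip_output()'s error. */
static int ip_output_model(const struct pkt *p, pfil_hook_t hook)
{
    int error = hook(p);
    if (error != PF_PASS)
        return error;       /* packet consumed by the hook */
    return 0;
}

struct icmp_result { int sent; int type; int code; };

/* Stand-in for the tail of ip_forward() quoted in the comment: only the
 * error value decides whether icmp_error() is reached. */
static struct icmp_result ip_forward_model(const struct pkt *p, pfil_hook_t hook)
{
    struct icmp_result r = { 0, 0, 0 };
    int error = ip_output_model(p, hook);

    switch (error) {
    case 0:                 /* forwarded (redirect handling omitted here) */
        return r;           /* nothing to report for a plain forward */
    default:                /* any other value, PF_DROP included */
        r.sent = 1;
        r.type = ICMP_UNREACH;
        r.code = ICMP_UNREACH_HOST;
        break;
    }
    return r;               /* the kernel would now call icmp_error() */
}

/* Forward one echo-request fragment through the model and return the ICMP
 * (type << 8 | code) that would be sent, or -1 if none is sent. */
int icmp_for_fragment(int scrub_out)
{
    struct pkt frag = { 1, scrub_out };
    struct icmp_result r = ip_forward_model(&frag, pf_test_out_model);
    return r.sent ? ((r.type << 8) | r.code) : -1;
}

int main(void)
{
    printf("fragment, scrub out  : icmp=%d (3<<8|1 = 769 means unreach/host)\n",
           icmp_for_fragment(1));
    printf("fragment, no scrub   : icmp=%d (-1 means none)\n",
           icmp_for_fragment(0));
    return 0;
}
```

Whether scrub is active is the only input that changes the outcome in the model, which matches the comment's two options: PF_PASS yields no ICMP at all, PF_DROP yields type 3 code 1 for the sender of the fragment.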