[Bug 207598] pf adds icmp unreach on gre/ipsec somehow

bugzilla-noreply at freebsd.org
Sat May 28 13:59:34 UTC 2016


--- Comment #24 from Kristof Provost <kp at freebsd.org> ---
(In reply to Max from comment #23)
Yeah, that's certainly a valid point.

Arguably the network stack shouldn't send errors if the firewall drops a
packet, instead leaving it to the firewall to send an error.
Or perhaps we should extend the netpfil interface to support both scenarios.

Either way, this change will affect more than just pf, so it'd have to be done
very carefully.
