[Bug 207598] pf adds icmp unreach on gre/ipsec somehow

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #24 from Kristof Provost <kp at freebsd.org> ---
(In reply to Max from comment #23)
Yeah, that's certainly a valid point.

Arguably the network stack shouldn't send errors if the firewall drops a
packet, instead leaving it to the firewall to send an error.
Or perhaps we should extend the netpfil interface to support both scenarios.

Either way, this change will affect more than just pf, so it'd have to be done
very carefully.

-- 
You are receiving this mail because:
You are the assignee for the bug.