[Bug 226850] [pf] Matching but failed rules block without return
bugzilla-noreply at freebsd.org
Fri Jun 22 21:59:50 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226850
--- Comment #22 from commit-hook at freebsd.org ---
A commit references this bug:
Author: kp
Date: Fri Jun 22 21:59:31 UTC 2018
New revision: 335569
URL: https://svnweb.freebsd.org/changeset/base/335569
Log:
pf: Support "return" statements in passing rules when they fail.
Normally pf rules are expected to do one of two things: pass the traffic or
block it. Blocking can be silent - "drop", or loud - "return", "return-rst",
"return-icmp". Yet there is a 3rd category of traffic passing through pf:
Packets matching a "pass" rule but when applying the rule fails. This happens
when the redirection table is empty or when src node or state creation fails. Such
rules always fail silently without notifying the sender.
Allow users to configure this behaviour too, so that pf returns an error packet
in these cases.
PR: 226850
Submitted by: Kajetan Staszkiewicz <vegeta tuxpowered.net>
MFC after: 1 week
Sponsored by: InnoGames GmbH
Changes:
head/sbin/pfctl/parse.y
head/share/man/man5/pf.conf.5
head/sys/netpfil/pf/pf.c
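As an added illustration of the empty-redirection-table case the log describes (not part of the bug report or of the commit itself), a pf.conf fragment that opts into the new behaviour. It relies on the `set fail-policy` option that FreeBSD's pf.conf(5) documents for this feature; the interface, table and port values are made up.

```pf
# Constructed example: backends are added to this table at runtime, e.g. by a
# health checker. If every backend is withdrawn the table is empty, and any
# "pass" rule redirecting into it matches but cannot be applied.
table <web_backends> persist

ext_if = "em0"

# Pre-change behaviour (and the default): a pass rule that fails to apply,
# whether because its redirection pool is empty or because state or
# source-node creation fails, drops the packet silently. The client only
# notices after its own connect timeout expires.
# set fail-policy drop

# New behaviour: pf answers with TCP RST / ICMP unreachable, as it would for
# a "block return" rule, so clients fail fast and the failure is visible.
set fail-policy return

# With <web_backends> empty this rule is hit but has no target to redirect
# to; under "fail-policy return" the client receives a RST instead of silence.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 \
    -> <web_backends> port 8080 round-robin
```

Options must precede translation and filter rules in pf.conf, so the `set` line has to come before the `rdr` rule.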
More information about the freebsd-pf mailing list