Return-icmp doesn't work [Was: Re: Recent panics caused by pf]
emanuel.strobl at gmx.net
Fri Mar 11 07:19:40 PST 2005
On Friday, 11 March 2005 14:52, Daniel Hartmeier wrote:
> On Fri, Mar 11, 2005 at 01:50:47PM +0100, Emanuel Strobl wrote:
> > > Then I have another problem which may be a design problem.
> > > I am multihomed and have several pass reply-to rules. So far things are
> > > working fine but block return doesn't! Of course, the return gets over
> > > the default route, so what I needed is a block return route-to or
> > > something like that.
> > > Do you know any detour how this could be achieved?
> > This problem is still unsolved :(
> The idea is that you can use reply-to on block rules for this purpose:
> block return-rst in on wi0 reply-to (wi0 10.1.1.1) inet proto tcp all
> This is valid syntax and pfctl loads the rule, but the functionality is
> not implemented in kernel yet, i.e. the reply-to option is simply
Thanks, I tried a very similar rule and after that the box vanished.
I went on location (the box panicked but didn't reboot) and installed a
console-server so I can access the box from here and currently I'm baking a
I'll notify you if I have a trace!
> The problem is that return-icmp uses the stack's icmp_error(), which
> doesn't take an argument to override a route lookup. And duplicating the
> function would be ugly due to its size. It's on the to-do list, but it's
> been sitting there for a while already.
> freebsd-stable at freebsd.org mailing list