Date:      Fri, 11 Mar 2005 14:52:12 +0100
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Emanuel Strobl <emanuel.strobl@gmx.net>
Cc:        pf@freebsd.org
Subject:   Re: Return-icmp doesn't work [Was: Re: Recent panics caused by pf]
Message-ID:  <20050311135212.GA30653@insomnia.benzedrine.cx>
In-Reply-To: <200503111350.52724@harrymail>
References:  <20050212061756.GF4769@kt-is.co.kr> <200502211924.10327.max@love2party.net> <200503111311.03343@harrymail> <200503111350.52724@harrymail>

On Fri, Mar 11, 2005 at 01:50:47PM +0100, Emanuel Strobl wrote:

> > Then I have another problem which may be a design problem.
> > I am multihomed and have several pass reply-to rules. So far things are
> > working fine but block return doesn't! Of course, the return gets over the
> > default route, so what I needed is a block return route-to or something
> > like that.
> > Do you know any detour how this could be achieved?
> 
> This problem is still unsolved :(

The idea is that you can use reply-to on block rules for this purpose:

  block return-rst in on wi0 reply-to (wi0 10.1.1.1) inet proto tcp all

This is valid syntax and pfctl loads the rule, but the functionality is
not implemented in kernel yet, i.e. the reply-to option is simply
ignored.

The problem is that return-icmp uses the stack's icmp_error(), which
doesn't take an argument to override a route lookup. And duplicating the
function would be ugly due to its size. It's on the to-do list, but it's
been sitting there for a while already.

Daniel
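The following pf.conf fragment is an added illustration of the setup discussed in this thread, not configuration posted by either participant. It assumes two uplinks (the interface names wi0 and rl0 and the gateway addresses are made up) and shows the pattern that works today, reply-to on stateful pass rules, next to the block rule form Daniel describes: pfctl accepts it, but the kernel ignores the reply-to part and the RST still leaves via the default route.

```pf
# Assumed interfaces and next-hop gateways (hypothetical values)
ext_if1 = "wi0"
gw1     = "10.1.1.1"
ext_if2 = "rl0"
gw2     = "192.168.2.1"

# Works: replies to connections arriving on each uplink are routed back
# through that uplink's gateway, because reply-to is honoured on stateful
# pass rules.
pass in on $ext_if1 reply-to ($ext_if1 $gw1) inet proto tcp \
    from any to $ext_if1 port 22 keep state
pass in on $ext_if2 reply-to ($ext_if2 $gw2) inet proto tcp \
    from any to $ext_if2 port 22 keep state

# Parses and loads, but (per this thread) reply-to is ignored on block
# rules, so the generated RST still follows the default route.
block return-rst in on $ext_if1 reply-to ($ext_if1 $gw1) inet proto tcp all
block return-rst in on $ext_if2 reply-to ($ext_if2 $gw2) inet proto tcp all
```

Check the syntax without touching the running ruleset with `pfctl -nf /etc/pf.conf`; it will load the block rules without complaint, which is exactly why the ignored reply-to is easy to miss until a tcpdump on the second uplink shows no RSTs going out.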



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050311135212.GA30653>