From owner-freebsd-bugs@FreeBSD.ORG  Fri Apr  8 18:20:07 2005
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EDC5616A4CE
	for <freebsd-bugs@hub.freebsd.org>;
	Fri,  8 Apr 2005 18:20:07 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id CDDF443D3F
	for <freebsd-bugs@hub.freebsd.org>;
	Fri,  8 Apr 2005 18:20:07 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j38IK7NL051392
	for <freebsd-bugs@freefall.freebsd.org>; Fri, 8 Apr 2005 18:20:07 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j38IK73J051391;
	Fri, 8 Apr 2005 18:20:07 GMT
	(envelope-from gnats)
Date: Fri, 8 Apr 2005 18:20:07 GMT
Message-Id: <200504081820.j38IK73J051391@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Spartak Radchenko <spartak@aif.ru>
Subject: Re: kern/79416: ipf in 4.11 breaks POLA
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Spartak Radchenko <spartak@aif.ru>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2005 18:20:08 -0000

The following reply was made to PR kern/79416; it has been noted by GNATS.

From: Spartak Radchenko <spartak@aif.ru>
To: freebsd-gnats-submit@FreeBSD.org, devteam@donut.ugcs.caltech.edu
Cc:  
Subject: Re: kern/79416: ipf in 4.11 breaks POLA
Date: Fri, 08 Apr 2005 22:14:25 +0400

 BTW, UDP is also affected.
 
 Here is my test ruleset for traceroute:
 
 block in log all
 pass  in quick proto udp from any to any port 33434 >< 33690
 pass out proto icmp from any to any keep state
 
 Host with this ruleset can be tracerouted from outside in 4.8, 4.9. 
 4.10. But not in 4.11. Counter for last rule is incremented for each 
 outbound icmp unreach, however. Is it a bug or not? I am not sure.
 
 And this ruleset works in 4.11:
 
 block in log all
 pass  in quick proto udp from any to any port 33434 >< 33690
 pass out quick proto icmp from any to any icmp-type unreach
 pass out proto icmp from any to any keep state
 
 --
 Spartak Radchenko SVR1-RIPE