Hello,
> > I have no objections, just a small wish: can you set icmp_dir to -1
> > if we are not dealing with ICMP? There is a tool we use in Solaris
> > which yells at us because of an uninitialized variable. I know it's
> > a false positive, but I've given up on explaining...
> >
> > patch below co
On Thu, May 21, 2015 at 21:08 +0200, Alexandr Nedvedicky wrote:
> Hello,
>
> >
> > Well, not entirely (: I did it while exploring the code and sent
> > out to provoke further discussion. Today I've talked to reyk@ and
> > we think that it's better to go down a different road: make sure we
> > d
* Alexandr Nedvedicky [2015-05-21 21:29]:
> > Well, not entirely (: I did it while exploring the code and sent
> > out to provoke further discussion. Today I've talked to reyk@ and
> > we think that it's better to go down a different road: make sure we
> > don't create states on reply packets in
Hello,
>
> Well, not entirely (: I did it while exploring the code and sent
> out to provoke further discussion. Today I've talked to reyk@ and
> we think that it's better to go down a different road: make sure we
> don't create states on reply packets in the first place.
>
that's actually ver
On Thu, May 21, 2015 at 11:07 +0200, Alexandr Nedvedicky wrote:
> Hello,
>
> > On Tue, May 19, 2015 at 14:07 +0200, Alexandr Nedvedicky wrote:
> > > Hello Mike,
> > >
> > > I've reworked the patch from yesterday. I've done some quick testing
> > > to see if it fixes the problem. It looks like it works. I
Hello,
> On Tue, May 19, 2015 at 14:07 +0200, Alexandr Nedvedicky wrote:
> > Hello Mike,
> >
> > I've reworked the patch from yesterday. I've done some quick testing
> > to see if it fixes the problem. It looks like it works. I have not
> > tested NAT-64 yet. Also I'd like to come up with a test case, whic
On Tue, May 19, 2015 at 14:07 +0200, Alexandr Nedvedicky wrote:
> Hello Mike,
>
> I've reworked the patch from yesterday. I've done some quick testing
> to see if it fixes the problem. It looks like it works. I have not
> tested NAT-64 yet. Also I'd like to come up with a test case, which
> will show the st
Hello,
> Thanks for the patch, we'll be investigating this further.
My deep apologies, I was too fast on the send trigger. The patch
is toxic. It breaks the opposite case:
pass out on vnet2 all flags S/SA
Once the rule above is used with the patch applied, we drop the first
ICMP reply, so ping stops
On Mon, May 18, 2015 at 19:24 +0200, Alexandr Nedvedicky wrote:
> Hello,
>
> During our testing we've discovered a small glitch in ICMP state handling.
> We use a simple rule as follows:
>
Hi,
> # pfctl -sr
> pass in on vnet2 all flags S/SA
>
If that is the only rule there is, then you need
Hello,
During our testing we've discovered a small glitch in ICMP state handling.
We use a simple rule as follows:
# pfctl -sr
pass in on vnet2 all flags S/SA
Next we create local outbound traffic using ping to an arbitrary destination
over the vnet2 interface. This is what we get:
# ping 17