kernel side actually handles set-tos for IPvShit - see pf_scrub() in pf_norm.c
ok?
Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.614
diff -u -p -r1.614 parse.y
--- sbin/pfctl/parse.y 7 Jul 2012 16:24:32 -0000 1.614
+++ sbin/pfctl/parse.y 7 Jul 2012 17:09:19 -0000
@@ -4172,9 +4192,9 @@ rule_consistent(struct pf_rule *r, int a
 problems++;
 }
 if (r->af == AF_INET6 && (r->scrub_flags &
- (PFSTATE_NODF|PFSTATE_RANDOMID|PFSTATE_SETTOS))) {
+ (PFSTATE_NODF|PFSTATE_RANDOMID))) {
 yyerror("address family inet6 does not support scrub options "
- "no-df, random-id, set-tos");
+ "no-df, random-id");
 problems++;
 }
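Review bot: The inet6 check in rule_consistent() now refuses only no-df and random-id, but nothing at the check says why those two stay refused while set-tos is let through, and the option list in the yyerror() string is maintained by hand next to the mask. I would add a comment above the `if`, e.g. `/* no-df and random-id act on IPv4-only header fields; set-tos is applied to inet6 by pf_scrub() in pf_norm.c */`, so the mask and the message are not changed independently later. The kernel behaviour is taken from the commit message and is not visible in this hunk; if pf.conf(5) documents the inet6 restriction, it presumably needs the same update so that an accepted rule and the documented behaviour agree. rule_consistent() starts and ends outside the hunk.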