pf(4) ignores 'keep state' and 'nat-to' actions for unsolicited
icmp error responses. Fix tightens rule matching logic so icmp
error responses no longer match 'keep state' rule. In typical
scenarios icmp errors (if solicited) should match existing state.
The change is going to bite firewalls which deal with asymmetric
routes. In those cases the 'keep state' action should be relaxed
to sloppy or new 'no state' rule to explicitly match icmp
errors should be added.
The issue has been reported by Peter J. Philip (pjp _at_ delphinusdns.org).
Discussed with bluhm@ and florian@
OK bluhm@
projects / openbsd / commit