Don't create ICMP states on reply packets unless tracking states sloppy
Since we've strengthened the ICMP state matching procedure during lookup
to only match packets against states set up in a particular direction, we
need to make sure we don't create states on packets that would otherwise
be flowing in the direction opposite to the direction of the state and
prevent further packets from matching the created state due to strict
rules imposed by the ICMP direction check.
Problem reported by Alexandr Nedvedicky, alexandr.nedvedicky-at-oracle.com.
Discussed with reyk@; OK henning
projects / openbsd / commit