b033691537
Stricter state checking for ICMP and ICMPv6 packets: include the ICMP type in one port of the state key, using the type to determine which side should be the id, and which should be the type. Also: - Handle ICMP6 messages which are typically sent to multicast addresses but recieve unicast replies, by doing fallthrough lookups against the correct multicast address. - Clear up some mistaken assumptions in the PF code: - Not all ICMP packets have an icmp_id, so simulate one based on other data if we can, otherwise set it to 0. - Don't modify the icmp id field in NAT unless it's echo - Use the full range of possible id's when NATing icmp6 echoy Difference with OpenBSD version: - C99ify the new code - WITHOUT_INET6 safe Reviewed by: glebius Obtained from: OpenBSD |
||
|---|---|---|
| .. | ||
| ipfw | ||
| pf | ||