On Wed, Feb 19, 2003 at 09:42:23PM +0100, Wouter Clarie wrote:
> On Wed, 19 Feb 2003, Juan Vera wrote:
> > # pfctl -n -f -
> > pass out quick on xl0 proto { tcp, udp, icmp } from any to any flags S keep state
> > pass out quick on xl0 proto { tcp, udp, icmp } from xl0 to any flags S keep state
> > stdin:3: icmp version does not match address family
> > stdin:3: skipping filter rule due to errors
> > pfctl: Syntax error in file: pf rules not loaded
> The error message is indeed incorrect.

no, it is not.
it is entirely correct.
he has an IPv6 address on xl0, and of course, one of the expanded rules is
address family inet6 with protocol icmp.
and
"icmp version does not match address family"
is entirely correct.


> I don't understand how you think icmp packets could have a SYN flag set
> though

flags is ignored for non-tcp packets anyway.
on rules which can match tcp packets, but aren't necessarily tcp only, we
have allowed flags for quite some time.
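
The expansion described in this reply, shown as a pf.conf fragment. This is an added example, not part of the original message or of the poster's ruleset; it assumes xl0 carries both an IPv4 and an IPv6 address, and the two replacement rules are one constructed way to pin the address family.

```pf
# Constructed example; xl0 is the interface named in the thread.

# Rule from the thread: "from xl0" expands to every address on xl0.
# With an IPv6 address present, one expanded rule pairs address family
# inet6 with proto icmp, which pfctl rejects with
# "icmp version does not match address family".
# pass out quick on xl0 proto { tcp, udp, icmp } from xl0 to any flags S keep state

# Pin the address family so only the IPv4 addresses of xl0 are paired
# with icmp. "flags S" is ignored for the non-TCP protocols in the list.
pass out quick on xl0 inet proto { tcp, udp, icmp } from xl0 to any flags S keep state

# IPv6 gets its own rule, naming ICMPv6 by its /etc/protocols entry.
pass out quick on xl0 inet6 proto { tcp, udp, ipv6-icmp } from xl0 to any flags S keep state
```

Parsing the fragment with `pfctl -n -f -`, as in the quoted session, checks it without loading the rules.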
