On Wed, 19 Feb 2003, Henning Brauer wrote:
> On Wed, Feb 19, 2003 at 09:42:23PM +0100, Wouter Clarie wrote:
> > On Wed, 19 Feb 2003, Juan Vera wrote:
> > > # pfctl -n -f -
> > > pass out quick on xl0 proto { tcp, udp, icmp } from any to any flags S keep state
> > > pass out quick on xl0 proto { tcp, udp, icmp } from xl0 to any flags S keep state
> > > stdin:3: icmp version does not match address family
> > > stdin:3: skipping filter rule due to errors
> > > pfctl: Syntax error in file: pf rules not loaded
> > The error message is indeed incorrect.
>
> no, it is not. it is entirely correct. he has an IPv6 address on xl0,
> and of course, one of the expanded rules is address family inet6 with
> protocol icmp. and "icmp version does not match address family" is
> entirely correct.
Must be because I've never used IPv6... I always forget that thing is
around, too ;-) Your explanation would indeed make a lot more sense than
mine.
> > I don't understand how you think icmp packets could have a SYN flag
> > set though
>
> flags is ignored for non-tcp packets anyway. on rules which can match
> tcp packets, but aren't necessarily tcp only, we allow flags for quite
> some time.
Hrmm alright...
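
Added illustration, not part of the original thread: a simplified Python model of the list expansion Henning describes, showing why only the "from xl0" rule trips the icmp/address-family check. The addresses on xl0 are constructed, and the `af` parameter (modelling an explicit `inet` in the rule) is an assumption about the fix, not something stated in the thread.

```python
from ipaddress import ip_address
from itertools import product

# Constructed sample: addresses assumed to be configured on xl0 (documentation ranges).
XL0_ADDRS = ["192.0.2.10", "2001:db8::10"]

ICMP_AF = {"icmp": "inet", "icmp6": "inet6"}  # the family each ICMP version requires


def addr_family(addr):
    """Return the family name for an address, or None for 'any'."""
    if addr == "any":
        return None
    return "inet6" if ip_address(addr).version == 6 else "inet"


def expand(protos, sources, af=None):
    """Simplified model of list expansion: one rule per (proto, source) pair.

    Returns (family, proto, source, error) tuples. When the rule names a
    family explicitly, sources of the other family are dropped; otherwise
    each expanded rule takes the family of its source address.
    """
    rules = []
    for proto, src in product(protos, sources):
        src_af = addr_family(src)
        if af and src_af and src_af != af:
            continue  # address does not belong to the requested family
        rule_af = af or src_af
        need = ICMP_AF.get(proto)
        error = None
        if need and rule_af and need != rule_af:
            error = "icmp version does not match address family"
        rules.append((rule_af, proto, src, error))
    return rules


def errors(rules):
    """Keep only the expanded rules that would be rejected."""
    return [r for r in rules if r[3]]


if __name__ == "__main__":
    protos = ["tcp", "udp", "icmp"]
    for label, rules in [("from any", expand(protos, ["any"])),
                         ("from xl0", expand(protos, XL0_ADDRS)),
                         ("inet, from xl0", expand(protos, XL0_ADDRS, af="inet"))]:
        print(label, "->", len(rules), "rules,", len(errors(rules)), "rejected")
```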