On Sun, May 08, 2022 at 06:37:57PM +0200, Alexandr Nedvedicky wrote:
> this tiny update to pf.conf(5) has been prompted here [1] on
> pf mailing list. By default only ICMP queries are allowed
> to create state in pf(4). The sloppy option relaxes that
> so also ICMP replies can create a state. I think this should
> be also mentioned in pf.conf(5)
>
> OK to my suggestion below?
I would make it a bit shorter. pf.conf(5) is very long already. With this option ICMP replies can create states. Does this describe everything? > --------8<---------------8<---------------8<------------------8<-------- > diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 > index fe4b117994a..7389d231fe2 100644 > --- a/share/man/man5/pf.conf.5 > +++ b/share/man/man5/pf.conf.5 > @@ -2186,6 +2186,9 @@ It cannot be used with > .Cm modulate state > or > .Cm synproxy state . > +The option also relaxes handling of ICMP such that also ICMP replies > +are allowed to create state. > +By default ICMP queries only are allowed to create state. > .It Ar timeout seconds > Changes the > .Ar timeout
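Review bot: The two added sentences after the ".Cm synproxy state ." line read awkwardly: the first uses "also" twice ("The option also relaxes ... such that also ICMP replies") and the second places "only" after the noun ("ICMP queries only are allowed"). Consider stating the default first and the exception second, for example "By default only ICMP queries are allowed to create state." followed by "With this option ICMP replies can create state as well." Because the option widens which ICMP packets may create state, the sentence describing the default is worth keeping even if the text is shortened, so the manual still shows what the option relaxes.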