Yes Daniel, it works, I don't know why it didn't yesterday. Once,
yesterday, I did notice that lingering states (I am using NAT) caused me
not to forward traffic, could be a similar issue.

Now its working. I had only the rules I showed in my earlier mails.

Thanks a lot.

--Gopu

-----Original Message-----
From: Daniel Hartmeier [mailto:daniel@benzedrine.cx]
Sent: Tuesday, August 05, 2003 6:20 AM
To: Pillai, Gopakumar (Gopu)
Cc: Alain Deschamps; tech@openbsd.org
Subject: Re: ICMP record route


On Mon, Aug 04, 2003 at 03:00:11PM -0600, Pillai, Gopakumar (Gopu)
wrote:

> If I put these rules it does not forward packets.
> pass in all allow-opts
> pass out all allow-opts
>
> If I put the following it forwards:
> pass in proto icmp all allow-opts
> pass out proto icmp all allow-opts

That doesn't make sense, I suspect some other mistake in the ruleset
(like a subsequent matching rule without allow-opts in the first case).

The former should work just as well (since it also applies to ICMP
packets), assuming these rules are indeed the last matching rules of the
ruleset for all ICMP packets. pfctl -vvsr will tell you whether rules
are last matching.

> We need to add two rule if options are set, then is keep-state with
> allow-opts doing its job?

Yes, the allow-opts flag is copied from the rule to the state entry
(when the rule creates state), and honoured for all packets subsequently
matching the state.

You'll need two state entries (one for incoming packets on the internal
interface, one for outgoing packets on the external interface). Two
rules like

pass in on $int_if inet proto icmp all keep state allow-opts
pass out on $ext_if inet proto icmp all keep state allow-opts

will have that effect.

And no, there's no simpler solution. IP options are rarely needed and
often harmful, hence you need to know what you are doing when you want
to pass them. Note that allow-opts in a state entry will allow any kind
of IP option in either direction.

Daniel