pf: redirect a packet's port but not its address?

Andrey V. Elsukov bu7cher at yandex.ru
Wed Jan 24 10:16:56 UTC 2018


On 24.01.2018 02:26, Andrey V. Elsukov wrote:
> I think it is correct behavior if you try to forward to a loopback
> address. In the case where you listen on the LLA and fwd to this LLA there
> seems to be a bug.
> 
> # ipfw add fwd fe80::e6a7:a0ff:fe8e:16bf%lagg0,5678 tcp from any to any
> dst-port 4000
> # nc -6 -l fe80::e6a7:a0ff:fe8e:16bf%lagg0 5678
> 
> This doesn't work, because ip6_input() doesn't embed the scope zone index
> into the IPv6 header's addresses before the TCP segment is handled by
> tcp_input().
> 
> I think the bug is in the ipfw_check_packet() function. Since it changes the
> destination address and sets the M_FASTFWD_OURS flag, it should also embed
> the scope zone id into ip6_src/ip6_dst and check for scope violations like
> ip6_input() does just after the "passin" label.
> 
> With this patch I'm able to use the above commands and they work.
After some thought I think it is not quite correct to embed the scope zone
id into the IP header in the pfil hook, because several hooks can be chained
and this can break another check. Instead, can you test this patch?

I moved the M_FASTFWD_OURS check below the scope check, so now if the fwd
address is one of our local ones, the scope zone index will be correctly
embedded into the IP header when needed. Thus tcp_input() will handle this
case correctly.

-- 
WBR, Andrey V. Elsukov
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ip6_input.diff
Type: text/x-patch
Size: 929 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20180124/1bc9bbc7/attachment.bin>
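To make the ordering problem discussed in this thread concrete, here is an added illustration (not the attached ip6_input.diff and not FreeBSD kernel code) of the KAME-style scope zone embedding that ip6_input() performs for link-local addresses: the zone index is carried in the otherwise-zero second 16-bit word of an fe80::/10 address while the packet is inside the kernel, and a socket bound to "LLA%ifname" holds that same embedded form. The model shows why a header handed to tcp_input() without the embedding step cannot match the listening socket, and how a conflicting pre-embedded zone is treated as a scope violation. The zone index 3 and the `addr6` type are constructed stand-ins; the address itself is the one from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Minimal 128-bit address holder in network byte order (stand-in for
 * struct in6_addr so the example builds without <netinet/in.h>). */
typedef struct {
    uint8_t s6_addr[16];
} addr6;

/* fe80::/10 is link-local; only those addresses carry a zone index here. */
static bool addr6_is_linklocal(const addr6 *a)
{
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80;
}

/* Zone index as carried in the second 16-bit word (KAME-style embedding). */
static uint16_t addr6_get_zone(const addr6 *a)
{
    return (uint16_t)((a->s6_addr[2] << 8) | a->s6_addr[3]);
}

/* Embed the zone index into a link-local address.  On the wire that word is
 * zero; if it already holds a *different* zone the address claims to belong
 * to another link, which the input path must reject (scope violation).
 * Returns 0 on success, -1 on violation.  Non-link-local addresses are
 * left untouched. */
static int addr6_set_zone(addr6 *a, uint16_t zone)
{
    if (!addr6_is_linklocal(a))
        return 0;
    uint16_t cur = addr6_get_zone(a);
    if (cur != 0 && cur != zone)
        return -1;
    a->s6_addr[2] = (uint8_t)(zone >> 8);
    a->s6_addr[3] = (uint8_t)(zone & 0xff);
    return 0;
}

/* Undo the embedding before the address goes back on the wire or to userland. */
static void addr6_clear_zone(addr6 *a)
{
    if (addr6_is_linklocal(a)) {
        a->s6_addr[2] = 0;
        a->s6_addr[3] = 0;
    }
}

/* Simplified model of the lookup tcp_input() performs: the destination in
 * the header, as delivered to it, must equal the address the socket is
 * bound to, zone included.  'embedded' selects whether the input path ran
 * the scope step on the header before hand-off, which is the ordering the
 * mail is about. */
static bool tcp_lookup_matches(const addr6 *hdr_dst, uint16_t ingress_zone,
                               bool embedded,
                               const addr6 *bound_addr, uint16_t bound_zone)
{
    addr6 d = *hdr_dst;
    addr6 b = *bound_addr;

    /* The bound address always carries its zone inside the kernel, because
     * the socket was bound to "LLA%ifname". */
    if (addr6_set_zone(&b, bound_zone) != 0)
        return false;
    if (embedded && addr6_set_zone(&d, ingress_zone) != 0)
        return false;
    return memcmp(&d, &b, sizeof d) == 0;
}

/* Constructed sample: the thread's link-local address
 * fe80::e6a7:a0ff:fe8e:16bf as it appears on the wire (zone word zero). */
static const addr6 sample_lla = { { 0xfe, 0x80, 0, 0, 0, 0, 0, 0,
                                    0xe6, 0xa7, 0xa0, 0xff, 0xfe, 0x8e, 0x16, 0xbf } };

/* True when the listener is found only if the scope step ran first; zone 3
 * is an assumed interface index standing in for lagg0. */
static bool scope_step_needed(void)
{
    bool without = tcp_lookup_matches(&sample_lla, 3, false, &sample_lla, 3);
    bool with    = tcp_lookup_matches(&sample_lla, 3, true,  &sample_lla, 3);
    return !without && with;
}
```

`scope_step_needed()` reproduces the symptom from the thread: with the same address and zone on both sides, the lookup fails unless the header's destination had its zone embedded before tcp_input() saw it. Doing that embedding in ip6_input()'s scope step, after any address rewrite by a pfil hook, is what the suggested reordering of the M_FASTFWD_OURS check achieves, and the `-1` return from `addr6_set_zone` is where a conflicting zone from an earlier hook would be caught as a scope violation rather than silently overwritten.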

