pf: redirect a packet's port but not its address?
Alan Somers
asomers at freebsd.org
Thu Jan 25 23:54:07 UTC 2018
On Wed, Jan 24, 2018 at 3:16 AM, Andrey V. Elsukov <bu7cher at yandex.ru>
wrote:
> On 24.01.2018 02:26, Andrey V. Elsukov wrote:
> > I think it is correct behavior if you try to forward to the loopback
> > address. In the case when you listen on the LLA and fwd to this LLA there
> > seems to be a bug.
> >
> > # ipfw add fwd fe80::e6a7:a0ff:fe8e:16bf%lagg0,5678 tcp from any to any
> > dst-port 4000
> > # nc -6 -l fe80::e6a7:a0ff:fe8e:16bf%lagg0 5678
> >
> > This doesn't work, because ip6_input() doesn't embed the scope zone index
> > into the IPv6 header's addresses before the TCP segment is handled by
> > tcp_input().
> >
> > I think the bug is in the ipfw_check_packet() function. Since it changes the
> > destination address and sets the M_FASTFWD_OURS flag, it should also embed
> > the scope zone id into ip6_src/ip6_dst and check for scope violations like
> > ip6_input() does just after the "passin" label.
> >
> > With this patch I'm able to use the above commands and they work.
> After some thought I think it is not quite correct to embed the scope zone
> id into the IP header in the pfil hook, because several hooks can be chained
> and this can break another check. Instead, can you test this patch?
>
> I moved the M_FASTFWD_OURS check below the scope check, so now if the fwd
> address is our local one, the scope zone index will be correctly embedded
> into the IP header if needed. And thus tcp_input() will correctly handle
> this case.
>
> --
> WBR, Andrey V. Elsukov
>
Yep. With that patch I can receive the redirected packet whether listening
on the unspecified address or on the LLA.
-Alan
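As an added illustration (not code from the thread or from FreeBSD's source), here is a small Python model of the KAME scoped-address convention that Andrey refers to: ip6_input(), after "passin", rejects addresses that already carry an embedded zone and then writes the receiving interface's zone index into bytes 2-3 of link-local addresses, which is the form tcp_input() matches a socket bound to the LLA against. The ifindex 3 for lagg0 is a constructed value; the LLA is the one from the thread.

```python
"""Model of KAME scope-zone embedding as done by FreeBSD's ip6_input().
Illustrative only: it reproduces the address arithmetic, not kernel code."""
import ipaddress


def needs_scope(addr: str) -> bool:
    """Link-local unicast, or multicast of interface-local (1) / link-local (2) scope."""
    a = ipaddress.IPv6Address(addr)
    if a.is_multicast:
        return (a.packed[1] & 0x0F) in (1, 2)
    return a.is_link_local


def clear_scope(addr: str):
    """Return (address with bytes 2-3 zeroed, True if a zone was already embedded).
    A wire packet must never arrive in the internal embedded form."""
    if not needs_scope(addr):
        return addr, False
    b = bytearray(ipaddress.IPv6Address(addr).packed)
    had_zone = (b[2] | b[3]) != 0
    b[2:4] = b"\x00\x00"
    return str(ipaddress.IPv6Address(bytes(b))), had_zone


def embed_scope(addr: str, zone: int) -> str:
    """Write the 16-bit zone index into bytes 2-3 (network byte order)."""
    if not needs_scope(addr):
        return addr
    b = bytearray(ipaddress.IPv6Address(addr).packed)
    b[2:4] = (zone & 0xFFFF).to_bytes(2, "big")
    return str(ipaddress.IPv6Address(bytes(b)))


def disambiguate(src: str, dst: str, rcv_zone: int):
    """The 'passin' check: drop on scope violation (ip6s_badscope), else embed
    the receiving interface's zone into both addresses and return them."""
    src, bad_src = clear_scope(src)
    dst, bad_dst = clear_scope(dst)
    if bad_src or bad_dst:
        return None
    return embed_scope(src, rcv_zone), embed_scope(dst, rcv_zone)


LAGG0_IFINDEX = 3  # constructed; the real index depends on the host
LLA = "fe80::e6a7:a0ff:fe8e:16bf"  # the link-local address from the thread

if __name__ == "__main__":
    # After embedding, the fwd target matches a socket bound to the LLA%lagg0.
    print(disambiguate("fe80::1", LLA, LAGG0_IFINDEX))
    # A packet that already carries a zone in bytes 2-3 is a scope violation.
    print(disambiguate("fe80:3::1", LLA, LAGG0_IFINDEX))
```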