Date: Wed, 24 Jan 2018 02:26:40 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Alan Somers <asomers@freebsd.org>, Eugene Grosbein <eugen@grosbein.net>
Cc: FreeBSD Net <freebsd-net@freebsd.org>, Kristof Provost <kp@freebsd.org>
Subject: Re: pf: redirect a packet's port but not its address?
Message-ID: <6d367aa6-948a-8dd6-cfc9-dd6017722591@yandex.ru>
In-Reply-To: <CAOtMX2h+U82k6+B_0QXQJXwgs2z-NyzJ28Y5MwL5k2Xp0hhLFA@mail.gmail.com>
References: <CAOtMX2j80odQ7+t3eiFfyV-B5AU0deeNFU1HLwAf05fL8nJZhA@mail.gmail.com> <a4eef32f-0446-43d7-3291-8034423122f0@yandex.ru> <CAOtMX2jroiz57KyQZUk+4aW4=_1m=Qs7wEP=_3pEVL+E2jg22A@mail.gmail.com> <759792be-189f-bdaf-04c9-b01d26fa9e00@yandex.ru> <CAOtMX2i3ZPM8TjHQvSj6tSjjDCEQhD2jqJkb6jZCMh3VjK_nUg@mail.gmail.com> <5A6781E9.5060405@grosbein.net> <CAOtMX2h+U82k6+B_0QXQJXwgs2z-NyzJ28Y5MwL5k2Xp0hhLFA@mail.gmail.com>
On 24.01.2018 00:01, Alan Somers wrote:
> Thanks. It works now, at least for global addresses. But the fwd rule
> does not work for link-local addresses. When I try, the ACK packet gets
> dropped because it violates IPv6 scope rules. A custom dtrace probe
> shows that ipfw is apparently not setting the embedded scope identifier
> on the forwarded packet. The address should be
> "fe80:2:0:0:215:17ff:fee9:3079" but it's actually
> "fe80:0:0:0:215:17ff:fee9:3079". This is similar to the problems I ran
> into with pf. In fact, I never did get pf working with link-local
> addresses either.

I think it is correct behavior if you try to forward to a loopback address. In the case when you listen on the LLA and fwd to this LLA there seems to be a bug.

  # ipfw add fwd fe80::e6a7:a0ff:fe8e:16bf%lagg0,5678 tcp from any to any dst-port 4000
  # nc -6 -l fe80::e6a7:a0ff:fe8e:16bf%lagg0 5678

This doesn't work, because ip6_input() doesn't embed the scope zone index into the IPv6 header's addresses before the TCP segment is handled by tcp_input().
I think the bug is in the ipfw_check_packet() function. Since it changes the destination address and sets the M_FASTFWD_OURS flag, it should also embed the scope zone id into ip6_src/ip6_dst and check for scope violation like ip6_input() does just after the "passin" label. With this patch I'm able to use the above commands and they work.

--- a/sys/netpfil/ipfw/ip_fw_pfil.c +++ b/sys/netpfil/ipfw/ip_fw_pfil.c @@ -211,8 +211,20 @@ again: ret =3D EACCES; break; } - if (in6_localip(&sa6->sin6_addr)) + if (in6_localip(&sa6->sin6_addr)) { + struct ip6_hdr *ip6 =3D mtod(*m0, struct ip6_hdr *); + (*m0)->m_flags |=3D M_FASTFWD_OURS; + if (in6_clearscope(&ip6->ip6_src) || in6_clearscope(&ip6->ip6_dst)) { + ret =3D EACCES; + break; + } + if (in6_setscope(&ip6->ip6_src, (*m0)->m_pkthdr.rcvif, NULL) || + in6_setscope(&ip6->ip6_dst, (*m0)->m_pkthdr.rcvif, NULL)) { + ret =3D EACCES; + break; + } + } (*m0)->m_flags |=3D M_IP6_NEXTHOP; } #endif

-- 
WBR, Andrey V. Elsukov
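Review bot: M_FASTFWD_OURS is set on the mbuf before either scope check has passed; when in6_clearscope() or in6_setscope() fails, the hunk breaks out with ret = EACCES while the flag is already set on the packet being refused. Move `(*m0)->m_flags |= M_FASTFWD_OURS;` below the in6_setscope() check so the flag is only applied to packets that passed validation, and add a one-line comment saying this mirrors the ip6_input() handling after "passin", because it is not obvious from the code alone why a nonzero return from in6_clearscope() (a zone id already embedded in an address taken from the wire) is treated as a violation. Both failure paths also return a plain EACCES, so in the visible code a scope violation is indistinguishable from an ordinary deny; a distinct error or counter would make the link-local failure Alan reported easier to diagnose.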
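As an added illustration, not code from this thread or from FreeBSD, here is a user-space C model of the scope-zone embedding the message describes: a link-local address taken from the wire has zeros in its second 16-bit word, and the kernel stores the zone id there (which is why Alan's dtrace probe expects "fe80:2:0:0:..." rather than "fe80:0:0:0:..."). The model_* functions are assumptions that reproduce only that address rewrite and the "already embedded" check; the real in6_setscope()/in6_clearscope() consult the interface's scope zone table and cover more address classes. The sample addresses are taken from the thread, and ifindex 2 is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Nonzero if the address class carries an embedded zone id in s6_addr[2..3]:
 * link-local unicast (fe80::/10) or interface-local multicast (ff01::/16). */
static int needs_zone(const struct in6_addr *a)
{
	const uint8_t *b = a->s6_addr;
	int linklocal = (b[0] == 0xfe && (b[1] & 0xc0) == 0x80);
	int iface_mcast = (b[0] == 0xff && (b[1] & 0x0f) == 0x01);
	return linklocal || iface_mcast;
}

/* Model of in6_clearscope(): zero the embedded zone; return 1 if one was set. */
int model_clearscope(struct in6_addr *a)
{
	int had;

	if (!needs_zone(a))
		return 0;
	had = (a->s6_addr[2] | a->s6_addr[3]) != 0;
	a->s6_addr[2] = a->s6_addr[3] = 0;
	return had;
}

/* Model of in6_setscope(): embed the zone id (assumed to be the receiving
 * interface index, at most 0xffff); return -1 on an invalid zone. */
int model_setscope(struct in6_addr *a, unsigned zone)
{
	if (!needs_zone(a))
		return 0;
	if (zone == 0 || zone > 0xffff)
		return -1;
	a->s6_addr[2] = (uint8_t)(zone >> 8);
	a->s6_addr[3] = (uint8_t)(zone & 0xff);
	return 0;
}

/* The validation the message describes: an address arriving with a zone id
 * already embedded is a scope violation; otherwise embed the receiving
 * interface's zone into both source and destination. */
int model_validate_and_embed(struct in6_addr *src, struct in6_addr *dst,
    unsigned rcvif_zone)
{
	if (model_clearscope(src) || model_clearscope(dst))
		return -1;
	if (model_setscope(src, rcvif_zone) || model_setscope(dst, rcvif_zone))
		return -1;
	return 0;
}

/* Constructed sample: the LLA pair from this thread, received on ifindex 2. */
const char *demo_embedded_dst(void)
{
	static char buf[INET6_ADDRSTRLEN];
	struct in6_addr src, dst;

	inet_pton(AF_INET6, "fe80::e6a7:a0ff:fe8e:16bf", &src);
	inet_pton(AF_INET6, "fe80::215:17ff:fee9:3079", &dst);
	if (model_validate_and_embed(&src, &dst, 2) != 0)
		return "scope violation";
	return inet_ntop(AF_INET6, &dst, buf, sizeof buf);
}

/* A wire address that already carries a zone id must be rejected. */
int demo_rejects_preembedded(void)
{
	struct in6_addr src, dst;

	inet_pton(AF_INET6, "fe80::e6a7:a0ff:fe8e:16bf", &src);
	inet_pton(AF_INET6, "fe80:2::215:17ff:fee9:3079", &dst);
	return model_validate_and_embed(&src, &dst, 2);
}

/* Global addresses are left untouched, consistent with the report that
 * forwarding works for global addresses. */
int demo_global_unchanged(void)
{
	struct in6_addr a, before;

	inet_pton(AF_INET6, "2001:db8::1", &a);
	before = a;
	return model_setscope(&a, 2) == 0 && memcmp(&a, &before, sizeof a) == 0;
}

int main(void)
{
	printf("embedded dst: %s\n", demo_embedded_dst());
	printf("pre-embedded rejected: %d\n", demo_rejects_preembedded() == -1);
	printf("global unchanged: %d\n", demo_global_unchanged());
	return 0;
}
```

Running it prints the destination as fe80:2::215:17ff:fee9:3079, the embedded form Alan expected to see on the forwarded packet; the rejection case shows why the clearscope step has to come first, since a zone id that was already present would otherwise be silently overwritten instead of treated as a violation.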