Date:      Wed, 24 Jan 2018 02:26:40 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Alan Somers <asomers@freebsd.org>, Eugene Grosbein <eugen@grosbein.net>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, Kristof Provost <kp@freebsd.org>
Subject:   Re: pf: redirect a packet's port but not its address?
Message-ID:  <6d367aa6-948a-8dd6-cfc9-dd6017722591@yandex.ru>
In-Reply-To: <CAOtMX2h+U82k6+B_0QXQJXwgs2z-NyzJ28Y5MwL5k2Xp0hhLFA@mail.gmail.com>
References:  <CAOtMX2j80odQ7+t3eiFfyV-B5AU0deeNFU1HLwAf05fL8nJZhA@mail.gmail.com> <a4eef32f-0446-43d7-3291-8034423122f0@yandex.ru> <CAOtMX2jroiz57KyQZUk+4aW4=_1m=Qs7wEP=_3pEVL+E2jg22A@mail.gmail.com> <759792be-189f-bdaf-04c9-b01d26fa9e00@yandex.ru> <CAOtMX2i3ZPM8TjHQvSj6tSjjDCEQhD2jqJkb6jZCMh3VjK_nUg@mail.gmail.com> <5A6781E9.5060405@grosbein.net> <CAOtMX2h+U82k6+B_0QXQJXwgs2z-NyzJ28Y5MwL5k2Xp0hhLFA@mail.gmail.com>

On 24.01.2018 00:01, Alan Somers wrote:
> Thanks.  It works now, at least for global addresses.  But the fwd rule
> does not work for link-local addresses.  When I try, the ACK packet gets
> dropped because it violates IPv6 scope rules.  A custom dtrace probe
> shows that ipfw is apparently not setting the embedded scope identifier
> on the forwarded packet.  The address should be
> "fe80:2:0:0:215:17ff:fee9:3079" but it's actually
> "fe80:0:0:0:215:17ff:fee9:3079".  This is similar to the problems I ran
> into with pf.  In fact, I never did get pf working with link-local
> addresses either.

I think it is correct behavior if you try to forward to a loopback
address. In the case when you listen on the LLA and fwd to this LLA,
there seems to be a bug.

# ipfw add fwd fe80::e6a7:a0ff:fe8e:16bf%lagg0,5678 tcp from any to any dst-port 4000
# nc -6 -l fe80::e6a7:a0ff:fe8e:16bf%lagg0 5678

This doesn't work, because ip6_input() doesn't embed the scope zone index
into the IPv6 header's addresses before the TCP segment is handled by
tcp_input().

I think the bug is in the ipfw_check_packet() function. Since it changes
the destination address and sets the M_FASTFWD_OURS flag, it should also
embed the scope zone id into ip6_src/ip6_dst and check for scope
violations like ip6_input() does just after the "passin" label.

With this patch I'm able to use the above commands and they work.

--- a/sys/netpfil/ipfw/ip_fw_pfil.c
+++ b/sys/netpfil/ipfw/ip_fw_pfil.c
@@ -211,8 +211,20 @@ again:
                                ret =3D EACCES;
                                break;
                        }
-                       if (in6_localip(&sa6->sin6_addr))
+                       if (in6_localip(&sa6->sin6_addr)) {
+                               struct ip6_hdr *ip6 =3D mtod(*m0, struct
ip6_hdr *);
+
                                (*m0)->m_flags |=3D M_FASTFWD_OURS;
+       if (in6_clearscope(&ip6->ip6_src) ||
in6_clearscope(&ip6->ip6_dst)) {
+               ret =3D EACCES;
+               break;
+       }
+       if (in6_setscope(&ip6->ip6_src, (*m0)->m_pkthdr.rcvif, NULL) ||
+           in6_setscope(&ip6->ip6_dst, (*m0)->m_pkthdr.rcvif, NULL)) {
+               ret =3D EACCES;
+               break;
+       }
+                       }
                        (*m0)->m_flags |=3D M_IP6_NEXTHOP;
                }
 #endif
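Review bot: the two added if blocks (the in6_clearscope() and in6_setscope() checks) are indented at a different depth from the enclosing in6_localip() branch they are placed in, which makes it hard to see where the braces nest; re-indent them to the depth of the `(*m0)->m_flags |= M_FASTFWD_OURS;` line. Consider also running the scope checks before setting M_FASTFWD_OURS, so that a packet rejected with EACCES never carries the flag, and confirm that `(*m0)->m_pkthdr.rcvif` is set on every path that reaches this branch, since in6_setscope() takes its zone from it.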

-- 
WBR, Andrey V. Elsukov
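As an added illustration (not code from this thread or from FreeBSD), the following user-space model of the in6_clearscope()/in6_setscope() pair shows the clear-then-set sequence the message refers to and why the forwarded packet's address must end up as fe80:2:... rather than fe80:0:...; it assumes the zone id is the receiving interface's index and handles link-local unicast and link-/interface-local multicast only.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Addresses whose zone is ambiguous on the wire: link-local unicast (fe80::/10),
 * interface-local (ff01::/16) and link-local (ff02::/16) multicast. */
static int needs_zone(const struct in6_addr *a)
{
    const uint8_t *b = a->s6_addr;
    if (b[0] == 0xfe && (b[1] & 0xc0) == 0x80) return 1;
    return b[0] == 0xff && ((b[1] & 0x0f) == 0x01 || (b[1] & 0x0f) == 0x02);
}

/* Model of in6_clearscope(): zero the embedded zone word and report whether it
 * was non-zero, which a packet that just arrived from the wire must never be. */
int scope_clear(struct in6_addr *a)
{
    int modified = 0;
    if (needs_zone(a)) {
        modified = a->s6_addr[2] != 0 || a->s6_addr[3] != 0;
        a->s6_addr[2] = a->s6_addr[3] = 0;
    }
    return modified;
}

/* Model of in6_setscope(): embed the receiving interface's index (assumed here
 * to be the zone id) into the second 16-bit word of a scoped address. */
int scope_set(struct in6_addr *a, unsigned ifindex)
{
    if (!needs_zone(a)) return 0;
    if (ifindex == 0 || ifindex > 0xffff) return -1; /* no usable zone */
    a->s6_addr[2] = (ifindex >> 8) & 0xff;
    a->s6_addr[3] = ifindex & 0xff;
    return 0;
}

/* The ip6_input()-style sequence (clear, then set) on a textual address;
 * returns the kernel-internal form, or NULL on a scope violation. */
const char *embed_zone(const char *text, unsigned ifindex, char *out)
{
    static char fallback[INET6_ADDRSTRLEN]; /* used when the caller passes NULL */
    struct in6_addr a;
    if (!out) out = fallback;
    if (inet_pton(AF_INET6, text, &a) != 1) return NULL;
    if (scope_clear(&a)) return NULL;        /* zone already embedded: reject */
    if (scope_set(&a, ifindex)) return NULL; /* scoped address with no zone */
    return inet_ntop(AF_INET6, &a, out, INET6_ADDRSTRLEN);
}
```

Feeding it the wire form quoted above, fe80::215:17ff:fee9:3079 on interface index 2, yields fe80:2::215:17ff:fee9:3079, the embedded form the forwarded packet is missing.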