From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Alan Somers, Eugene Grosbein
Cc: FreeBSD Net <freebsd-net@freebsd.org>, Kristof Provost
Subject: Re: pf: redirect a packet's port but not its address?
Date: Wed, 24 Jan 2018 02:26:40 +0300
Message-ID: <6d367aa6-948a-8dd6-cfc9-dd6017722591@yandex.ru>
References: <759792be-189f-bdaf-04c9-b01d26fa9e00@yandex.ru> <5A6781E9.5060405@grosbein.net>
List-Id: Networking and TCP/IP with FreeBSD
On 24.01.2018 00:01, Alan Somers wrote:
> Thanks. It works now, at least for global addresses. But the fwd rule
> does not work for link-local addresses. When I try, the ACK packet gets
> dropped because it violates IPv6 scope rules. A custom dtrace probe
> shows that ipfw is apparently not setting the embedded scope identifier
> on the forwarded packet. The address should be
> "fe80:2:0:0:215:17ff:fee9:3079" but it's actually
> "fe80:0:0:0:215:17ff:fee9:3079". This is similar to the problems I ran
> into with pf. In fact, I never did get pf working with link-local
> addresses either.

I think it is correct behavior if you try to forward to a loopback address.
In the case when you listen on the LLA and fwd to this LLA there seems to
be a bug.

  # ipfw add fwd fe80::e6a7:a0ff:fe8e:16bf%lagg0,5678 tcp from any to any dst-port 4000
  # nc -6 -l fe80::e6a7:a0ff:fe8e:16bf%lagg0 5678

This doesn't work, because ip6_input() doesn't embed the scope zone index
into the IPv6 header's addresses before the TCP segment is handled by
tcp_input(). I think the bug is in the ipfw_check_packet() function. Since
it changes the destination address and sets the M_FASTFWD_OURS flag, it
also should embed the scope zone id into ip6_src/ip6_dst and check for
scope violation like ip6_input() does just after the "passin" label.

With this patch I'm able to use the above commands and they work.

--- a/sys/netpfil/ipfw/ip_fw_pfil.c
+++ b/sys/netpfil/ipfw/ip_fw_pfil.c
@@ -211,8 +211,20 @@ again:
 				ret = EACCES;
 				break;
 			}
-			if (in6_localip(&sa6->sin6_addr))
+			if (in6_localip(&sa6->sin6_addr)) {
+				struct ip6_hdr *ip6 = mtod(*m0, struct ip6_hdr *);
+				(*m0)->m_flags |= M_FASTFWD_OURS;
+				if (in6_clearscope(&ip6->ip6_src) || in6_clearscope(&ip6->ip6_dst)) {
+					ret = EACCES;
+					break;
+				}
+				if (in6_setscope(&ip6->ip6_src, (*m0)->m_pkthdr.rcvif, NULL) ||
+				    in6_setscope(&ip6->ip6_dst, (*m0)->m_pkthdr.rcvif, NULL)) {
+					ret = EACCES;
+					break;
+				}
+			}
 				(*m0)->m_flags |= M_IP6_NEXTHOP;
 			}
 #endif

-- 
WBR, Andrey V. Elsukov
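Review bot: the two new drop paths in this hunk (ret = EACCES; break; after the in6_clearscope() and in6_setscope() checks) report a scope violation as an ordinary firewall denial, while the ip6_input() "passin" code the block reproduces counts such packets in ip6s_badscope before dropping them; adding IP6STAT_INC(ip6s_badscope) on both paths would keep a link-local packet dropped here visible in netstat -s -p ip6 instead of looking like a deny rule. A short comment above the new block would also help future readers: the embedding has to happen here because setting M_FASTFWD_OURS makes ip6_input() skip its own clearscope/setscope step after the pfil hook, which is exactly the missing zone id seen in the quoted dtrace output.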
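As an added illustration, not code from the e-mail or from FreeBSD, here is a user-space model of the scope-zone handling the patch borrows from ip6_input(): the kernel keeps the link zone id (by default the receiving interface's index) in the second 16-bit word of a link-local address, which is why the dtrace output quoted above shows fe80:2:0:0:... for the correct internal form and fe80:0:0:0:... when the embedding was skipped. The function names are assumptions; the sample addresses in the comments are constructed.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* fe80::/10 link-local unicast, as IN6_IS_ADDR_LINKLOCAL() tests it. */
static int is_linklocal(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80;
}

/* Model of in6_clearscope(): zero the zone word (bytes 2-3) and report
 * whether the wire form already carried zone bits.  ip6_input() treats a
 * non-zero result as a scope violation and drops the packet. */
static int clear_scope(struct in6_addr *a)
{
    int had_zone = 0;
    if (is_linklocal(a)) {
        had_zone = (a->s6_addr[2] | a->s6_addr[3]) != 0;
        a->s6_addr[2] = a->s6_addr[3] = 0;
    }
    return had_zone;
}

/* Model of in6_setscope(): embed the receiving interface's index in the
 * zone word, so a socket bound to fe80::...%ifname can match the packet.
 * fe80::215:17ff:fee9:3079 received on ifindex 2 becomes fe80:2::215:... */
static void set_scope(struct in6_addr *a, uint16_t ifindex)
{
    if (is_linklocal(a)) {
        a->s6_addr[2] = (uint8_t)(ifindex >> 8);
        a->s6_addr[3] = (uint8_t)(ifindex & 0xff);
    }
}

/* The "passin" sequence the patch reproduces, applied to one address:
 * 0 = ok (zone embedded, or address not scoped), -1 = scope violation. */
static int embed_rcvif_zone(struct in6_addr *a, uint16_t ifindex)
{
    if (clear_scope(a))
        return -1;
    set_scope(a, ifindex);
    return 0;
}
```

Global addresses pass through untouched, and an address that already carries zone bits on the wire (e.g. fe80:2::...) is rejected, exactly the two outcomes the patch's EACCES branches distinguish from the success path.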