Date: Tue, 05 Sep 2006 12:53:26 +0900 From: SUZUKI Shinsuke <suz@freebsd.org> To: max@love2party.net Cc: suz@freebsd.org, freebsd-gnats-submit@freebsd.org, freebsd-pf@freebsd.org Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on thesame box Message-ID: <x764g3hsuh.wl%suz@alaxala.net> In-Reply-To: <200609012122.53206.max@love2party.net> References: <200608291637.k7TGbNxd002409@www.freebsd.org> <x71wqz6n5v.wl%suz@alaxala.net> <200609012122.53206.max@love2party.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi,
>>>>> On Fri, 1 Sep 2006 21:22:45 +0200
>>>>> max@love2party.net(Max Laier) said:
> Thinking about this for a bit we might want to use the patch below
> instead. i.e. do the fixup locally in the pfil wrapper instead. This
> way other filters don't break if they have adapted to the new world
> order.
>
> Thoughts? Please test and report back, either way.
I'm fine with your patch. (it is preferable to add a comment about
this hack, though)
After the PR originator confirmed the fix, could you please commit it?
Thanks,
----
SUZUKI, Shinsuke @ KAME Project
> Index: pf_ioctl.c
> ===================================================================
> RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
> retrieving revision 1.25
> diff -u -r1.25 pf_ioctl.c
> --- pf_ioctl.c 21 Jul 2006 09:48:13 -0000 1.25
> +++ pf_ioctl.c 1 Sep 2006 19:19:49 -0000
> @@ -3442,7 +3442,8 @@
> */
> int chk;
>
> - chk = pf_test6(PF_IN, ifp, m, NULL, inp);
> + chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m,
> + NULL, inp);
> if (chk && *m) {
> m_freem(*m);
> *m = NULL;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?x764g3hsuh.wl%suz>