From owner-freebsd-pf@FreeBSD.ORG Tue Sep 5 03:53:34 2006 Return-Path: X-Original-To: freebsd-pf@freebsd.org Delivered-To: freebsd-pf@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F0E6516A4EF; Tue, 5 Sep 2006 03:53:34 +0000 (UTC) (envelope-from suz@alaxala.net) Received: from pc1.alaxala.net (pc1.alaxala.net [203.178.142.162]) by mx1.FreeBSD.org (Postfix) with ESMTP id A9FCB43D66; Tue, 5 Sep 2006 03:53:33 +0000 (GMT) (envelope-from suz@alaxala.net) Received: from localhost (localhost [127.0.0.1]) by pc1.alaxala.net (Postfix) with ESMTP id 832AEB993; Tue, 5 Sep 2006 12:53:31 +0900 (JST) X-Virus-Scanned: amavisd-new at alaxala.net Received: from pc1.alaxala.net ([127.0.0.1]) by localhost (pc1.alaxala.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xj3tD64s-FEy; Tue, 5 Sep 2006 12:53:27 +0900 (JST) Received: from flora220.uki-uki.net (pc2.alaxala.net [203.178.142.163]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by pc1.alaxala.net (Postfix) with ESMTP id E17CFB939; Tue, 5 Sep 2006 12:53:26 +0900 (JST) Date: Tue, 05 Sep 2006 12:53:26 +0900 Message-ID: From: SUZUKI Shinsuke To: max@love2party.net X-cite: xcite 1.33 In-Reply-To: <200609012122.53206.max@love2party.net> References: <200608291637.k7TGbNxd002409@www.freebsd.org> <200609012122.53206.max@love2party.net> User-Agent: Wanderlust/2.15.1 (Almost Unreal) Emacs/22.0 Mule/5.0 (SAKAKI) Organization: Networking Technology Development Dept., ALAXALA Networks Corporation MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Cc: suz@freebsd.org, freebsd-gnats-submit@freebsd.org, freebsd-pf@freebsd.org Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on thesame box X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Sep 2006 03:53:35 -0000 Hi, >>>>> On Fri, 1 Sep 2006 21:22:45 +0200 >>>>> max@love2party.net(Max Laier) said: > Thinking about this for a bit we might want to use the patch below > instead. i.e. do the fixup locally in the pfil wrapper instead. This > way other filters don't break if they have adapted to the new world > order. > > Thoughts? Please test and report back, either way. I'm fine with your patch. (it is preferable to add a comment about this hack, though) After the PR originator confirmed the fix, could you please commit it? Thanks, ---- SUZUKI, Shinsuke @ KAME Project > Index: pf_ioctl.c > =================================================================== > RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v > retrieving revision 1.25 > diff -u -r1.25 pf_ioctl.c > --- pf_ioctl.c 21 Jul 2006 09:48:13 -0000 1.25 > +++ pf_ioctl.c 1 Sep 2006 19:19:49 -0000 > @@ -3442,7 +3442,8 @@ > */ > int chk; > > - chk = pf_test6(PF_IN, ifp, m, NULL, inp); > + chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m, > + NULL, inp); > if (chk && *m) { > m_freem(*m); > *m = NULL;