Date: Tue, 5 Sep 2006 04:00:42 GMT From: SUZUKI Shinsuke <suz@freebsd.org> To: freebsd-pf@FreeBSD.org Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on thesame box Message-ID: <200609050400.k8540gqj095896@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/102647; it has been noted by GNATS.
From: SUZUKI Shinsuke <suz@freebsd.org>
To: max@love2party.net
Cc: freebsd-pf@freebsd.org,
suz@freebsd.org,
steinex@nognu.de,
freebsd-gnats-submit@freebsd.org
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on thesame box
Date: Tue, 05 Sep 2006 12:53:26 +0900
Hi,
>>>>> On Fri, 1 Sep 2006 21:22:45 +0200
>>>>> max@love2party.net(Max Laier) said:
> Thinking about this for a bit we might want to use the patch below
> instead. i.e. do the fixup locally in the pfil wrapper instead. This
> way other filters don't break if they have adapted to the new world
> order.
>
> Thoughts? Please test and report back, either way.
I'm fine with your patch. (it is preferable to add a comment about
this hack, though)
After the PR originator confirmed the fix, could you please commit it?
Thanks,
----
SUZUKI, Shinsuke @ KAME Project
> Index: pf_ioctl.c
> ===================================================================
> RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
> retrieving revision 1.25
> diff -u -r1.25 pf_ioctl.c
> --- pf_ioctl.c 21 Jul 2006 09:48:13 -0000 1.25
> +++ pf_ioctl.c 1 Sep 2006 19:19:49 -0000
> @@ -3442,7 +3442,8 @@
> */
> int chk;
>
> - chk = pf_test6(PF_IN, ifp, m, NULL, inp);
> + chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m,
> + NULL, inp);
> if (chk && *m) {
> m_freem(*m);
> *m = NULL;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200609050400.k8540gqj095896>