Date: Mon, 20 Mar 2017 04:41:03 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 203735] Transparent interception of ipv6 with squid and pf causes panic
Message-ID: <bug-203735-17777-7Cfxr2FzmC@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-203735-17777@https.bugs.freebsd.org/bugzilla/>
References: <bug-203735-17777@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203735

Kristof Provost <kp@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #7 from Kristof Provost <kp@freebsd.org> ---
The good news is this no longer panics, but it still doesn't work.
This turns out to be somewhat tricky.

The underlying problem is one of address scope. It can be fixed on the
receive side with a patch like this:

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 81290f91b40..d68f81ddf15 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6538,8 +6538,12 @@ done:
 	    pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
 	    (s->nat_rule.ptr->action == PF_RDR ||
 	    s->nat_rule.ptr->action == PF_BINAT) &&
 	    IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
-		m->m_flags |= M_SKIP_FIREWALL;
+		m->m_flags |= M_SKIP_FIREWALL | M_FASTFWD_OURS;

This tells ip6_input() to skip the scope checks, which seems appropriate.

It still fails on the reply packet though, so this doesn't actually fix the
whole use case.

-- 
You are receiving this mail because:
You are the assignee for the bug.
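Review bot: the `+` line repurposes M_FASTFWD_OURS to make ip6_input() skip its scope checks, but carries no code comment saying so; since the flag is set here by pf and consumed in ip6_input(), a reader of either side will not see why an RDR/BINAT-to-loopback IPv6 packet arrives with a fast-forward flag, so a comment above `m->m_flags |= M_SKIP_FIREWALL | M_FASTFWD_OURS;` explaining the scope problem this works around is needed. The hunk header `@@ -6538,8 +6538,12 @@` also announces four net added lines while only one `+` line appears in the posted text, so the patch as shown looks truncated and should be re-posted in full. As the comment itself notes, the change only covers the receive direction (destination loopback), and the reply packet still fails, so this cannot be taken as a complete fix for the transparent-interception case.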