Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 20 Mar 2017 04:41:03 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-pf@FreeBSD.org
Subject:   [Bug 203735] Transparent interception of ipv6 with squid and pf causes panic
Message-ID:  <bug-203735-17777-7Cfxr2FzmC@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-203735-17777@https.bugs.freebsd.org/bugzilla/>
References:  <bug-203735-17777@https.bugs.freebsd.org/bugzilla/>

next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D203735

Kristof Provost <kp@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #7 from Kristof Provost <kp@freebsd.org> ---
The good news is this no longer panics, but it still doesn't work.

This turns out to be somewhat tricky.=20
The underlying problem is one of address scope.

It can be fixed on the receive side with a patch like this:

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 81290f91b40..d68f81ddf15 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6538,8 +6538,12 @@ done:
            pd.proto =3D=3D IPPROTO_UDP) && s !=3D NULL && s->nat_rule.ptr =
!=3D NULL &&
            (s->nat_rule.ptr->action =3D=3D PF_RDR ||
            s->nat_rule.ptr->action =3D=3D PF_BINAT) &&
           IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
-               m->m_flags |=3D M_SKIP_FIREWALL;
+               m->m_flags |=3D M_SKIP_FIREWALL | M_FASTFWD_OURS;

This tells ip6_input() to skip the scope checks, which seems appropriate.
It still fails on the reply packet though, so this doesn't actually fix the
whole use case.

--=20
You are receiving this mail because:
You are the assignee for the bug.=



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-203735-17777-7Cfxr2FzmC>