Date:      Mon, 29 Jan 2018 11:03:30 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r328541 - head/sys/netinet6
Message-ID:  <201801291103.w0TB3U2q065137@repo.freebsd.org>

Author: ae
Date: Mon Jan 29 11:03:29 2018
New Revision: 328541
URL: https://svnweb.freebsd.org/changeset/base/328541

Log:
  Do not skip scope zone violation check, when mbuf has M_FASTFWD_OURS flag.
  
  When an mbuf has the M_FASTFWD_OURS flag set, the destination address
  is one of our local addresses, but the packet still needs to pass the
  scope zone violation check, because the protocol level expects IPv6
  link-local addresses to have embedded scope zone indexes. This should
  fix the problem seen when ipfw is used to forward packets to a local
  address and the source address of the packet is an IPv6 LLA.
  
  Reported by:	sbruno
  MFC after:	3 weeks

Modified:
  head/sys/netinet6/ip6_input.c

Modified: head/sys/netinet6/ip6_input.c
==============================================================================
--- head/sys/netinet6/ip6_input.c	Mon Jan 29 10:33:55 2018	(r328540)
+++ head/sys/netinet6/ip6_input.c	Mon Jan 29 11:03:29 2018	(r328541)
@@ -573,10 +573,8 @@ ip6_input(struct mbuf *m)
 		/*
 		 * Firewall changed destination to local.
 		 */
-		m->m_flags &= ~M_FASTFWD_OURS;
-		ours = 1;
 		ip6 = mtod(m, struct ip6_hdr *);
-		goto hbhcheck;
+		goto passin;
 	}
 
 	/*
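Review bot: The early `goto passin` here now lands on code that reads `rcvif` (the `in6_setscope(&ip6->ip6_dst, rcvif, NULL)` call visible in the last hunk), and the hunk does not show `rcvif` being assigned before this jump. This block appears to sit near the top of ip6_input(), so please confirm the assignment precedes it. If it does not, the scope check would run against an uninitialised interface pointer, and the assignment should move above this `if`. The same applies in principle to the `goto passin` after `ip6_tryforward()` in the second hunk, although that one is much later in the function. The existing comment could also record the intent, for example `/* Firewall changed destination to local; still run the scope zone checks at passin. */`. The enclosing `if` begins outside the hunk.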
@@ -737,10 +735,8 @@ ip6_input(struct mbuf *m)
 		if ((m = ip6_tryforward(m)) == NULL)
 			return;
 		if (m->m_flags & M_FASTFWD_OURS) {
-			m->m_flags &= ~M_FASTFWD_OURS;
-			ours = 1;
 			ip6 = mtod(m, struct ip6_hdr *);
-			goto hbhcheck;
+			goto passin;
 		}
 	}
 #if defined(IPSEC) || defined(IPSEC_SUPPORT)
@@ -771,13 +767,7 @@ ip6_input(struct mbuf *m)
 		return;
 	ip6 = mtod(m, struct ip6_hdr *);
 	srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
-
-	if (m->m_flags & M_FASTFWD_OURS) {
-		m->m_flags &= ~M_FASTFWD_OURS;
-		ours = 1;
-		goto hbhcheck;
-	}
-	if ((m->m_flags & M_IP6_NEXTHOP) &&
+	if ((m->m_flags & (M_IP6_NEXTHOP | M_FASTFWD_OURS)) == M_IP6_NEXTHOP &&
 	    m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) != NULL) {
 		/*
 		 * Directly ship the packet on.  This allows forwarding
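Review bot: The new test `(m->m_flags & (M_IP6_NEXTHOP | M_FASTFWD_OURS)) == M_IP6_NEXTHOP` packs "next-hop tag set and M_FASTFWD_OURS clear" into one mask compare, and nothing in the code states that. With the explicit M_FASTFWD_OURS block removed, such packets presumably reach the scope checks only by not matching this test and falling through to `passin`. A one-line comment above the condition would stop a later edit from reopening a path around the scope zone check, for example `/* Forward only if the firewall did not also mark the packet as ours; M_FASTFWD_OURS packets continue to passin. */`. The body of this `if` continues outside the hunk.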
@@ -807,6 +797,11 @@ passin:
 	    in6_setscope(&ip6->ip6_dst, rcvif, NULL)) {
 		IP6STAT_INC(ip6s_badscope);
 		goto bad;
+	}
+	if (m->m_flags & M_FASTFWD_OURS) {
+		m->m_flags &= ~M_FASTFWD_OURS;
+		ours = 1;
+		goto hbhcheck;
 	}
 	/*
 	 * Multicast check. Assume packet is for us to avoid
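Review bot: The added M_FASTFWD_OURS block is only correct because it sits after the `in6_setscope()` checks, and that ordering requirement is undocumented. Moving the block above them would restore the bypass this commit removes. I would add a comment on it such as `/* Firewall marked the packet as ours; tested only after the scope zone checks so link-local addresses carry an embedded zone index. */`. The branch also sets `ours = 1` and jumps to `hbhcheck`, skipping the multicast check that starts just below, so local delivery on this path rests entirely on whichever code set the flag. That trust assumption is worth stating in the same comment. A regression test for the case named in the log (ipfw forward to a local address with an IPv6 LLA source) would also help.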


