Date: Tue, 15 Mar 2011 19:30:14 GMT
From: Sergey Matveychuk <sem33@yandex-team.ru>
To: freebsd-ipfw@FreeBSD.org
Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets
Message-ID: <201103151930.p2FJUEq3021539@freefall.freebsd.org>

The following reply was made to PR kern/128260; it has been noted by GNATS.

From: Sergey Matveychuk <sem33@yandex-team.ru>
To: bug-followup@FreeBSD.org, dan@obluda.cz
Cc:
Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets
Date: Tue, 15 Mar 2011 22:22:26 +0300

A patch to prevent looping when diverting packets from a "to me" rule.

Let's look at the rule:

    ipfw add divert NNN ip from any to me

After a packet is processed by a divert daemon, it returns to the output queue, passes the firewall again, is diverted again, and so on. It's a loop.

You can easily prevent it for IPv4:

    ipfw add divert NNN ip from any to me not via lo0

But you could not do it with IPv6, because it fools the firewall by changing the interface name. The patch makes the behaviour the same for both protocols.

[Attachment: nd6.diff, base64-encoded]