Date:      Thu, 31 Aug 2006 06:50:21 GMT
From:      SUZUKI Shinsuke <suz@freebsd.org>
To:        freebsd-pf@FreeBSD.org
Subject:   Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box
Message-ID:  <200608310650.k7V6oLrB003384@freefall.freebsd.org>

The following reply was made to PR kern/102647; it has been noted by GNATS.

From: SUZUKI Shinsuke <suz@freebsd.org>
To: max@love2party.net
Cc: freebsd-pf@freebsd.org, suz@freebsd.org, steinex@nognu.de,
	freebsd-gnats-submit@freebsd.org
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails
    for connections originating from the firewall itself to a service running
    on the same box
Date: Thu, 31 Aug 2006 15:47:13 +0900

 Hi, Max.
 
 >>>>> On Wed, 30 Aug 2006 13:39:34 +0200
 >>>>> max@love2party.net(Max Laier)  said:
 
 > another problem that maybe related.  The bottom line is that packets
 > to or from local addresses never show up on bpf as they are not
 > processed by lo0's input/output routines.  Do you have any idea how
 > to address this?
 
 It is a spec (bug?) of if_simloop() (net/if_loop.c), unrelated to
 this problem.
 
 - The BPF of the physical interface, instead of lo0, detects the packet.
 	% ping6 fe80::20c:29ff:fe54:6378%lnc2
 	16 bytes from fe80::20c:29ff:fe54:6378%lnc2, icmp_seq=0 hlim=64 time=2.857 ms
 
 	% tcpdump -X -ni lnc2
 	3a:40:fe:80:00:00 > 60:00:00:00:00:10 Null Information, send seq 1, rcv seq 6, Flags [Command], length 42
 	0x0000:  0000 020c 29ff fe54 6378 fe80 0000 0000  ....)..Tcx......
 	0x0010:  0000 020c 29ff fe54 6378 8000 3c25 0bfe  ....)..Tcx..<%..
 	0x0020:  0000 44f6 81de 0004 5806                 ..D.....X.
 	
 	3a:40:fe:80:00:00 > 60:00:00:00:00:10 Null Information, send seq 1, rcv seq 6, Flags [Command], length 42
 	0x0000:  0000 020c 29ff fe54 6378 fe80 0000 0000  ....)..Tcx......
 	0x0010:  0000 020c 29ff fe54 6378 8100 3b25 0bfe  ....)..Tcx..;%..
 	0x0020:  0000 44f6 81de 0004 5806                 ..D.....X.
     
 - if_simloop() just passes the received mbuf to the BPF of the
   physical interface in case of IPv6.  (please see the following code)
    
 	if (ifp->if_bpf) {
 		if (ifp->if_bpf->bif_dlt == DLT_NULL) {
 			u_int32_t af1 = af;	/* XXX beware sizeof(af) != 4 */
 			bpf_mtap2(ifp->if_bpf, &af1, sizeof(af1), m);
 			/* <= this one is called in case of IPv4,
 			   since ifp=lo0 */
 		} else
 			bpf_mtap(ifp->if_bpf, m);
 			/* <= this one is normally called in case of IPv6,
 			   since ifp=physical I/F and physical I/F's DLT is
 			   normally DLT_EN10MB */
 	}
 
 - However, due to a lack of correct layer-2 header information, the BPF
   cannot display the packet correctly. (A dummy padding can partly
   solve the problem.  But it would be problematic in terms of BPF
   filtering based on layer-2 information...)
   
 
 Thanks,
 ----
 SUZUKI, Shinsuke @ KAME Project
 
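The decode failure described above, as an added example that is not part of the message, the PR, or FreeBSD's if_loop.c. The 56-byte IPv6 echo request is reconstructed from the quoted tcpdump hex dump (the 14 bytes tcpdump "consumed" as an Ethernet header are the start of the IPv6 header itself), and it is decoded two ways: as tcpdump on lnc2 did (DLT_EN10MB, bytes 0..13 read as dst MAC, src MAC, type/length), and as lo0's BPF would present it (DLT_NULL, a 4-byte address-family word in host order in front of the packet, which is what the bpf_mtap2() path adds). AF_INET6 is assumed to be 28, FreeBSD's value; the ICMPv6 checksum is recomputed over the pseudo-header to confirm the bytes are the packet the dump shows.

```c
/* Added example, not from the e-mail or from FreeBSD. Rebuilds the echo
 * request in the quoted dump and decodes it as DLT_EN10MB vs DLT_NULL. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AF_INET6_FREEBSD 28u  /* assumption: FreeBSD's AF_INET6 value */

/* IPv6 header (40 bytes) + ICMPv6 echo request (16 bytes), from the dump. */
static const uint8_t echo_request[56] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x10, 0x3a, 0x40, /* ver 6, plen 16, nh 58, hlim 64 */
    0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* src fe80::20c:29ff:fe54:6378 */
    0x02, 0x0c, 0x29, 0xff, 0xfe, 0x54, 0x63, 0x78,
    0xfe, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* dst, same address */
    0x02, 0x0c, 0x29, 0xff, 0xfe, 0x54, 0x63, 0x78,
    0x80, 0x00, 0x3c, 0x25, 0x0b, 0xfe, 0x00, 0x00, /* type 128, cksum 3c25, id 0bfe, seq 0 */
    0x44, 0xf6, 0x81, 0xde, 0x00, 0x04, 0x58, 0x06, /* echo data */
};

/* --- DLT_EN10MB view: what tcpdump printed as "3a:40:... > 60:00:..." --- */
static const char *mac_str(const uint8_t *m, char out[18]) {
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x", m[0], m[1], m[2], m[3], m[4], m[5]);
    return out;
}
const char *en10mb_fake_src(const uint8_t *buf, size_t len) {
    static char s[18];                 /* bytes 6..11: next header, hop limit, src[0..3] */
    return len < 14 ? NULL : mac_str(buf + 6, s);
}
const char *en10mb_fake_dst(const uint8_t *buf, size_t len) {
    static char s[18];                 /* bytes 0..5: version/class/flow label, payload len */
    return len < 14 ? NULL : mac_str(buf, s);
}
/* Bytes 12..13 land in the type/length field; a value <= 1500 is treated as
 * an 802.3 length, so the decoder goes on to parse an LLC header. */
unsigned en10mb_type_field(const uint8_t *buf, size_t len) {
    return len < 14 ? 0x10000u : ((unsigned)buf[12] << 8 | buf[13]);
}

/* --- DLT_NULL view: the record bpf_mtap2(&af1, ...) hands to lo0's BPF --- */
static uint8_t lo0_record[4 + sizeof echo_request];
size_t build_lo0_record(void) {
    uint32_t af = AF_INET6_FREEBSD;    /* host byte order, as in the kernel */
    memcpy(lo0_record, &af, sizeof af);
    memcpy(lo0_record + 4, echo_request, sizeof echo_request);
    return sizeof lo0_record;
}
uint32_t dlt_null_af(const uint8_t *rec, size_t len) {
    uint32_t af = 0;
    if (len >= 4) memcpy(&af, rec, 4);
    return af;
}
unsigned dlt_null_ip_version(const uint8_t *rec, size_t len) { return len < 44 ? 0 : rec[4] >> 4; }
unsigned dlt_null_next_header(const uint8_t *rec, size_t len) { return len < 44 ? 0 : rec[4 + 6]; }

/* --- ICMPv6 checksum over the IPv6 pseudo-header, to confirm the dump --- */
uint16_t icmp6_checksum(const uint8_t *ip6, size_t len) {
    unsigned plen; uint32_t sum = 0; size_t i;
    if (len < 40) return 0;
    plen = (unsigned)ip6[4] << 8 | ip6[5];
    if (len < 40 + plen) return 0;
    for (i = 8; i < 40; i += 2) sum += (uint32_t)ip6[i] << 8 | ip6[i + 1]; /* src, dst */
    sum += plen + ip6[6];                                      /* length, next header */
    for (i = 0; i + 1 < plen; i += 2)
        if (i != 2) sum += (uint32_t)ip6[40 + i] << 8 | ip6[41 + i]; /* skip cksum field */
    if (plen & 1) sum += (uint32_t)ip6[40 + plen - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
int icmp6_checksum_ok(const uint8_t *ip6, size_t len) {
    return len >= 44 && icmp6_checksum(ip6, len) == ((unsigned)ip6[42] << 8 | ip6[43]);
}
/* The second frame in the dump is the reply: type 129, checksum 3b25. */
static uint8_t echo_reply[sizeof echo_request];
uint16_t build_echo_reply(void) {
    uint16_t c;
    memcpy(echo_reply, echo_request, sizeof echo_request);
    echo_reply[40] = 0x81;
    c = icmp6_checksum(echo_reply, sizeof echo_reply);
    echo_reply[42] = c >> 8; echo_reply[43] = c & 0xff;
    return c;
}

int main(void) {
    size_t n = build_lo0_record();
    printf("EN10MB view: %s > %s, type/len 0x%04x (LLC decode follows)\n",
           en10mb_fake_src(echo_request, sizeof echo_request),
           en10mb_fake_dst(echo_request, sizeof echo_request),
           en10mb_type_field(echo_request, sizeof echo_request));
    printf("DLT_NULL view: af %u, IPv%u, next header %u, icmp6 cksum %s\n",
           dlt_null_af(lo0_record, n), dlt_null_ip_version(lo0_record, n),
           dlt_null_next_header(lo0_record, n),
           icmp6_checksum_ok(echo_request, sizeof echo_request) ? "ok" : "bad");
    printf("echo reply checksum: 0x%04x\n", build_echo_reply());
    return 0;
}
```

The EN10MB path reproduces the two bogus MAC addresses and the zero type/length field that sent tcpdump into its LLC printer; the DLT_NULL path shows that once the 4-byte AF word is present, the same bytes decode as IPv6 with next header 58 and a valid checksum. Nothing is fixed here: the example only shows why the packet is unreadable on lnc2 and what lo0's tap would have produced.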



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200608310650.k7V6oLrB003384>