Date:      Wed, 07 May 2025 10:31:19 +0000
From:      bugzilla-noreply@freebsd.org
To:        net@FreeBSD.org
Subject:   [Bug 280390] NPTv6 not working
Message-ID:  <bug-280390-7501-HfOGrQ68bN@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-280390-7501@https.bugs.freebsd.org/bugzilla/>
References:  <bug-280390-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280390

--- Comment #21 from Tatsuki Makino <tatsuki_makino@hotmail.com> ---
(In reply to Tatsuki Makino from comment #20)

In the end, I came back to the method of using this :)
I wanted to keep one_pass enabled, so I used a strange method with dynamic
rules, but with the following patch, I tried to resolve the issue of icmpv6
being unable to pass.
The results of `ipfw -D show` indicated that more than 2 packets were captured
due to the ipv6-icmp rule, so this patch may be meaningful :)

Below is the patch.
It has been applied to 14.3-PRERELEASE.

diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c
b/sys/netpfil/ipfw/ip_fw_dynamic.c
index d26e05e5d15..23902a52404 100644
--- a/sys/netpfil/ipfw/ip_fw_dynamic.c
+++ b/sys/netpfil/ipfw/ip_fw_dynamic.c
@@ -487,6 +487,15 @@ SYSCTL_U32(_net_inet_ip_fw, OID_AUTO, dyn_keep_states,
     CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(dyn_keep_states), 0,
     "Do not flush dynamic states on rule deletion");

+#ifdef INET6
+VNET_DEFINE_STATIC(int, _dyn_auto_add_icmpv6) =3D 0;
+#define V_dyn_auto_add_icmpv6  VNET(_dyn_auto_add_icmpv6)
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,
+       _dyn_auto_add_icmpv6, CTLFLAG_VNET | CTLFLAG_RW,
+       &VNET_NAME(_dyn_auto_add_icmpv6), 0,
+       "ipv6-icmp dynamic rule is also added at the same time when ip6 dyn=
amic
rule is added");
+#endif /* INET6 */
+
 #ifdef IPFIREWALL_DYNDEBUG
 #define        DYN_DEBUG(fmt, ...)     do {                    \
        printf("%s: " fmt "\n", __func__, __VA_ARGS__); \
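Review bot: the sysctl is registered under the name `_dyn_auto_add_icmpv6` (the third argument of `SYSCTL_INT`), so it will show up as `net.inet.ip.fw._dyn_auto_add_icmpv6`, with a leading underscore that no neighbouring knob such as `dyn_keep_states` has; naming the VNET variable `dyn_auto_add_icmpv6` and using that as the OID name keeps the `V_` macro and the sysctl path consistent with the surrounding code. The description string also deserves a note that enabling the knob pairs every IPv6 dynamic state with a second ICMPv6 state, which doubles the dynamic-state budget those flows consume and widens what the firewall admits, so it is good that it defaults to 0 (opt-in).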
@@ -1930,8 +1939,22 @@ dyn_install_state(const struct ipfw_flow_id *pkt,
uint32_t zoneid,
                    ulp, pktlen, hashval, info, fibnum, kidx, type);
 #ifdef INET6
        else if (IS_IP6_FLOW_ID(pkt))
+       {
                ret =3D dyn_add_ipv6_state(rule, ruleid, rulenum, pkt,
                    zoneid, ulp, pktlen, hashval, info, fibnum, kidx, type);
+               if (V_dyn_auto_add_icmpv6 && ret =3D=3D 0 &&
+                       (pkt->proto !=3D 0 && pkt->proto !=3D IPPROTO_ICMPV=
6)) {
+                       struct ipfw_flow_id id;
+                       id =3D *pkt;
+                       id.proto =3D IPPROTO_ICMPV6;
+                       id.src_port =3D 0;
+                       id.dst_port =3D 0;
+                       if (dyn_add_ipv6_state(rule, ruleid, rulenum, &id,
+                           zoneid, ulp, pktlen, hashval, info, fibnum, kid=
x,
type) !=3D 0) {
+                               /* ignore failure */
+                       }
+               }
+       }
 #endif /* INET6 */
        else
                ret =3D EAFNOSUPPORT;

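Review bot: `hashval` is passed unchanged to the second `dyn_add_ipv6_state()` call even though `id` differs from `pkt` in `proto`, `src_port` and `dst_port`; if that value is derived from the flow's ports (it was computed for `pkt`, not for `id`), the companion ICMPv6 state is inserted into the bucket of the original flow and a lookup for an incoming ICMPv6 packet, which hashes its own header, will not find it. Recompute the hash for `id` before the call, e.g. with the same helper `dyn_install_state()` used to obtain `hashval` for `pkt`. Two smaller points: the companion state zeroes both ports, so it matches every ICMPv6 type between the two addresses, not only error messages related to the flow, which is worth stating in the sysctl description; and the empty `if (...) { /* ignore failure */ }` can be written as a plain `(void)dyn_add_ipv6_state(...)` with the comment above it, which is also closer to style(9) than the brace placed on its own line after `else if`.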
-- 
You are receiving this mail because:
You are on the CC list for the bug.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-280390-7501-HfOGrQ68bN>