Date: Wed, 07 May 2025 10:31:19 +0000 From: bugzilla-noreply@freebsd.org To: net@FreeBSD.org Subject: [Bug 280390] NPTv6 not working Message-ID: <bug-280390-7501-HfOGrQ68bN@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-280390-7501@https.bugs.freebsd.org/bugzilla/> References: <bug-280390-7501@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280390 --- Comment #21 from Tatsuki Makino <tatsuki_makino@hotmail.com> --- (In reply to Tatsuki Makino from comment #20) In the end, I came back to the method of using this :) I wanted to keep one_pass enabled, so I used a strange method with dynamic rules, but with the following patch, I tried to resolve the issue of icmpv6 being unable to pass. The results of ipfw -D show indicated that more than 2 packets were captured due to the ipv6-icmp rule, this patch may be meaningful :) Below is the patch. It has been applied to 14.3-PRERELEASE. diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c b/sys/netpfil/ipfw/ip_fw_dynamic.c index d26e05e5d15..23902a52404 100644 --- a/sys/netpfil/ipfw/ip_fw_dynamic.c +++ b/sys/netpfil/ipfw/ip_fw_dynamic.c @@ -487,6 +487,15 @@ SYSCTL_U32(_net_inet_ip_fw, OID_AUTO, dyn_keep_states, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(dyn_keep_states), 0, "Do not flush dynamic states on rule deletion"); +#ifdef INET6 +VNET_DEFINE_STATIC(int, _dyn_auto_add_icmpv6) = 0; +#define V_dyn_auto_add_icmpv6 VNET(_dyn_auto_add_icmpv6) +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, + _dyn_auto_add_icmpv6, CTLFLAG_VNET | CTLFLAG_RW, + &VNET_NAME(_dyn_auto_add_icmpv6), 0, + "ipv6-icmp dynamic rule is also added at the same time when ip6 dynamic rule is added"); +#endif /* INET6 */ + #ifdef IPFIREWALL_DYNDEBUG #define DYN_DEBUG(fmt, ...) do { \ printf("%s: " fmt "\n", __func__, __VA_ARGS__); \ @@ -1930,8 +1939,22 @@ dyn_install_state(const struct ipfw_flow_id *pkt, uint32_t zoneid, ulp, pktlen, hashval, info, fibnum, kidx, type); #ifdef INET6 else if (IS_IP6_FLOW_ID(pkt)) + { ret = dyn_add_ipv6_state(rule, ruleid, rulenum, pkt, zoneid, ulp, pktlen, hashval, info, fibnum, kidx, type); + if (V_dyn_auto_add_icmpv6 && ret == 0 && + (pkt->proto != 0 && pkt->proto != IPPROTO_ICMPV6)) { + struct ipfw_flow_id id; + id = *pkt; + id.proto = IPPROTO_ICMPV6; + id.src_port = 0; + id.dst_port = 0; + if (dyn_add_ipv6_state(rule, ruleid, rulenum, &id, + zoneid, ulp, pktlen, hashval, info, fibnum, kidx, type) != 0) { + /* ignore failure */ + } + } + } #endif /* INET6 */ else ret = EAFNOSUPPORT; -- You are receiving this mail because: You are on the CC list for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-280390-7501-HfOGrQ68bN>